Citibank Korea Inc. PRIVACY NOTICE

Pursuant to Article 30 of Personal Information Protection Act, Citibank Korea Inc., (hereinafter as “Citibank”) has established Citibank Privacy Notice as follows in order to safeguard personal information and rights of the data subjects and efficiently deal with any grievances faced by them with respect to personal information.

• ARTICLE 1. PURPOSE OF HANDLING OF PERSONAL INFORMATION

  Citibank uses personal information for any of the purposes described below. Any personal information processed shall not be used for purposes other than stated below; provide, that your prior consent will be sought in case there are changes to originally prescribed purposes unless such changes are permitted by relevant laws and regulations.

  • 1. For the purpose of processing (financial) transactions

    Citibank uses personal information for the purpose of making inquiries on personal credit information through credit information companies or credit information centralization agencies pertaining to (financial) transactions, making a decision on building a (financial) transaction relationship, establishing·keeping·executing·managing a (financial) transaction relationship, investigating financial incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations.

    (financial) transaction refers to bank business (loan, deposit, domestic and foreign exchange, etc.), universal banking (trust, fund, bancassurance, credit card, etc.), other business (guarantee, factoring, and safe-deposit box, safe deposit of securities certificates, etc.)

  • 2. For the purpose of promoting and selling products and services

    Citibank uses personal information for the purpose of surveying customer satisfaction to develop new services and offer customized ones, delivering services and posting advertisements in a way that meets demographic characteristics of target customers, verifying effectiveness of services, bringing benefits to them and opportunities for engagement by giving out free gifts or running customer promotions, identifying frequency of customer visits to our website or getting statistics concerning service utilization by our web members.

  • 3. For the purpose of acquiring and maintain membership

    Citibank uses personal information for the purpose of accepting membership applications, giving access to member-only services, verifying identity of users on limited information as legally required, identifying individual users, preventing illegitimate or unauthorized uses, confirming customer’s intention for membership sign-up, checking consent of a legal guardian to collect personal information of children under 14 and thereafter verifying identity of the legal guardian, investigating incidents, resolving disputes, addressing customer complaints or provide disclosures to customers.

  • 4. For the purpose of dealing with online transactions

    Citibank uses personal information for the purpose of tracing and searching details of electronic financial transactions or referring to statistics to develop security measures, as obliged in Articles 21 and 22 of Electronic Financial Transactions Act.

• ARTICLE 2. PERIOD OF PROCESSING AND RETENTION OF PERSONAL INFORMATION
  • Citibank shall use retain personal information for the period according to the retention and utilization period set forth by the law or the period of retaining and using personal information agreed upon when collecting personal information from the data subjects.
  • Each information retention and utilization period is as follows.
  • ① Personal (credit) information with respect to (financial) transactions shall be retained·used for the period from the date of consent to information collection·utilization until 5 years after the date of termination of (financial) transactions for above-stated purposes; provided that such information shall be kept·used only for investigating financial incidents, resolving disputes, addressing customer complaints, fulfilling legal obligations or performing risk management operations of Citibank after the date of termination of such (financial) transactions.
  • ② Personal (credit)information gleaned for the purpose of personal (credit)information inquiry shall be kept·used for the period from the date you agree to the collection·utilization of personal (credit)information to the end date of such consent; provided that such information shall be kept·used only for investigating financial incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations on or after the end date of your consent to providing personal information and authorizing inquires to be made thereon.
  • ③ Personal (credit) information pertaining to promotion or sale of products and services shall be kept·used for the period from the date of consent to the collection·use of such information to the date of termination of (financial) transactions or the date of withdrawal of the consent; provide, that such information shall be retained·used only for investigating incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations with respect to purposes stipulated in ARTICLE 1 after the date of termination of (financial) transactions or the date of withdrawal of the consent.
  • ④ Personal (credit)information gleaned for administering website signups and membership shall be kept·used for the period from the date of membership subscription to the date of unsubscription; provided that such information shall be kept·used only for investigating incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations with respect to purposes articulated in ARTICLE 1 on or after the date of exit.
  • ⑤ Personal (credit)information pertaining to online transactions shall be kept·used for the period determined by ARTICLE 12 of Enforcement Decree of Electronic Financial Transactions Act.
• ARTICLE 3. DISCLOSURE OF SOURCES OF PERSONAL INFORMATION, etc.
  • ① In case of processing personal information gathered from sources other than the subject of the information, Citibank shall notify the subject of their rights to demand that Citibank disclose sources and processing purpose of the information or suspend information processing within three (3) days from the demand, unless Citibank has valid reasons to do otherwise.
  • ② In accordance with each subparagraph of Paragraph 4 of Article 20 of Personal Information Protection Act, in case Citibank rejects demand of a data subject made in accordance with Paragraph ①, Citibank, without justifiable causes to the contrary, shall inform the subject of the ground and reason of the rejection within three (3) days from the demand.
• ARTICLE 4. PROVISION OF PERSONAL INFORMATION TO A THIRD PARTY
  • ① Citibank uses your personal information within the scope of purposes determined in Article 1 herein and, without your prior consent, shall not exceed the prescribed scope or provide such information to a third party; except for the following cases where personal information may be used for purposes beyond the original scope or furnished to a third party unless such act may unreasonably prejudice interests of you or the third party :
    • 1. you have given prior consent to provision or disclosure of personal information to a third party ;
    • 2. there are special regulations of other laws permitting such act ;
    • 3. it is clearly deemed necessary for urgent protection of life, body or property of you or a third party in cases where you or your legal representative is not in a state to express yourselves or you are not reachable for prior consent for reasons including but not limited to unknown address
  • ② Citibank furnishes personal information as follows :
    • 1. Recipients
      • Credit information centralization agencies and credit information companies
        • Credit information centralization agencies : Korea Credit Information Services, etc
        •  Credit information companies : Korea Credit Bureau, NICE Information Service Co.,Ltd., Korea Rating & Data, etc.
      • Alliance partners In detail
      • Citibank Korea Inc. and its affiliates including Citigroup HQ & Overseas supervisory institutions
        • Citigroup affiliates: Citigroup Inc., Citibank N.A. etc.
        • Overseas supervisory institutions: OCC, Fed(US)
    • 2. Purpose of receiving personal information
      • To provide to credit information centralization agencies or credit information companies
        • Concentrated collection/retention/provision of credit information about financial institutions
        • To use as a basis to determine creditworthiness of individuals or for policy making at public institutions
        • For other uses prescribed by the provisions of the same law and/or other laws.
      • To provide to alliance partners
        • To use for promotion and sale of products and services in alliance
        • Click on above “1. Recipients – Alliance partners in detail” to see the purpose of providing personal information to each partner.
      • Provision to Citibank Korea Inc. and its affiliates including Citigroup HQ & Overseas supervisory institutions
        • Used as and provided for internal reporting, audit and inspection of respective financial institution
    • 3. Personal information provided
      • Provided to credit information centralization agencies and credit information companies
        • Personal identifiers, information on credit transactions, credit ability, and credit rating, and other information required to access creditworthiness.
      • Provided to alliance partners
        • Any information other than personal identifiers, details of (financial)transactions or personal identifiers stated on transaction application forms, or any other information given by you (such as on housing, family status, length of residence, household members, marital status, etc)
        • Click on above “1. Recipients – Alliance partners in detail” to see the list of provided personal information to each partner.
      • Provision to Citibank Korea Inc. and its affiliates including Citigroup HQ & Overseas supervisory institutions
        • Information whose collection/usage are consented which is specifically required for inspection and audit purpose

          Personal (credit) information gleaned prior to the consent herein shall be included.

    • 4. Period of retention of personal information
      • Personal (credit)information shall be retained·used for the period from the date of provision until the date of withdrawal of consent or until when the purpose of such provision is fulfilled. On or after the day when such consent is withdrawn or the purpose of provision of personal information is met, such information shall be retained·used only within the scope required for investigating financial incidents, resolving disputes, addressing customer complaints or performing statutory obligations with respect to the above-stated purposes.
  • ③ Citibank shall not notify you of your rights to make demands in relation to each subparagraph of Paragraph 2 of Article 17 of Personal Information Protection Act or demand access to personal information, correction·deletion thereof or suspension of processing of such information if you have provided prior consent thereto or furnished personal information pursuant to Subparagraphs 2, 3 and 5 of Paragraph 1 of Article 15.
• ARTICLE 5. OUTSOURCING OF PERSONAL INFORMATION PROCESSING
  • ① Citibank outsources personal information processing as follows:
    • 1. Outsourced vendors In detail
      • Service providers for establishing·keeping·executing·managing (financial) transactions
      • Marketing companies for promotion and sale of products and services
      • Customer appreciation and promotional event companies
      • Research firms to survey customer satisfaction
      • Vendors for asset sales, etc
      • Click on above “1. Outsourced vendors In detail” for more details
    • 2. Purpose of outsourced work
      • Vendors shall undertake outsourced services that are required for establishing·keeping·executing·managing (financial) transactions
      • Vendors shall undertake outsourced services that are required for promoting and selling products and services, giving out giveaways, customer appreciation and promotional events or customer satisfaction survey.
      • Consultative works for asset sales, etc
      • Click on above “1. Outsourced vendors In detail” for more details
    • 3. Personal information provided
      • Personal identifier : unique identifiers such as name and resident registration number, nationality, job, contact information such as address, email or phone number, etc
      • Information on (financial)transaction: product type, terms of transaction(interest rate, maturity, security, etc), date of transaction, transaction amount, etc.
      • Information stated on transaction application form or given by you other than personal identifiers: residence, family status, length of residence, household members, marital status, etc.
      • Click on above “1. Outsourced vendors In detail” for more details

      Personal (credit)information gleaned prior to the consent herein shall be included.

    • 4. Period of retention of personal information
      • Click on above “1. Outsourced vendors In detail” for more details
  • ② In contracting outside vendors, Citibank clarifies their contractual obligations to abide by laws and regulations governing personal information protection, prohibition of personal information provision to a third party and their liability in the contracts that are documented and kept both in writing and electronically by Citibank. Citibank will disclose any changes in the content of outsourcing by modifying Citibank Privacy Notice.
• ARTICLE 6. DATA SUBJECT & LEGAL REPRESENTATIVE’S RIGHTS & OBLIGATIONS AND WAYS TO ENFORCE THEM
  • ① You are entitled to demand access to personal information handled by Citibank pertaining to you or children aged under 14 (only if you are their duly authorized legal guardian).
  • ② You may demand that Citibank correct or delete personal information you have read in case the information differs from the truth or is not verifiable unless such information shall be collected, as regulated in other laws or regulations.
  • ③ You may demand that Citibank suspend processing your personal information; provided that Citibank may reject such demand for suspension of information processing by giving you the reason of rejection if :
    • 1. either there are special regulations in laws or Citibank cannot but process your information to fulfill our obligations that are required by laws and regulations ;
    • 2. suspension of information processing may harm life·body of another person or unreasonably prejudice property or other interests of another person ; or
    • 3. our failure to process personal information interferes with our performance of contract with you including but not limited to failure to provide contracted services to you in cases where you have not explicitly expressed your intention to terminate the contract.
  • ④ The data subject can exercise rights such as access, correction, and deletion requests through Citibank’s branch (written submission), call centers (phone call submission), or Citibank website (online submission). The legal representative of a child under the age of 14 may exercise the right to request for viewing, correction, or deletion of the child’s personal information to Citibank and an data subject who is a minor over the age of 14 may exercise his or her rights himself or herself or through a legal representative. In case of a representative, the rights can be exercise through a branch office.
• ARTICLE 7. ITEMS OF PERSONAL INFORMATION REQUIRED

  Citibank collects minimum necessary and optional information as follows which is required for establishing·keeping·executing·managing (financial)transactions and offering products and services.

  • 1. Necessary information
    • Personal identifier : unique identifiers including name, resident registration number, nationality, job, contact information such as address, email or phone number, etc
    • Information on (financial)transaction: product type, transaction terms (interest rate, maturity, security, etc), date of transaction, transaction amount, etc.
    • Information required for credit assessment (only for loan transactions)
      • Information on credit ability: total asset·liability·income, records of taxes paid
      • Determinant of credit rating: delinquency, subrogated performance, substitute payment, bankruptcy, occurrence of affiliated person, etc.
      • Information on credit transaction and other information to access creditworthiness
    • Any other information generated from consulting for establishing·keeping·executing·managing financial transactions and collection.
  • 2. Optional information
    • Information stated on transaction application forms other than personal identifiers, or any other information given by you (such as on housing, family status, length of residence, household members, marital status, etc)
    • Personal information that is not essential to a contract but affects terms of transaction (such as interest rates, limit, etc.) or is required to provide additional benefits.
  • 3. Information collected pursuant to Electronic Financial Transaction Act
    • Your user ID, date and time of log-in, IP address, phone number, or information on electronic devices and access medium (such as HDD serial, MAC address, personal firewall installation, type of operating system, browser version, etc.), electronic financial transactions, etc.

    Citibank does not collect sensitive information that may infringe your privacy; provided that we collect such information, as needed, with your separate consent and make limited use of it only for purposes you consent to.

  • 4. Collection Methods
    • Directly from customers who visit our branches
    • Website, written forms, fax, phone, Q&A message board, email, entry for promotional event, request for delivery
    • Collection tool for information populated
    • Inquiries received at Contact Center
• ARTICLE 8. INSTALLATION, OPERATION, AND REJECTION OF THE AUTOMATIC COLLECTION OF PERSONAL INFORMATION
  • Citibank uses cookies that save and retrieve user information to track users’ website visit history and does not use that information for any purpose other than its intended purpose or provide it to third parties. Cookies are small amounts of information that the server (http), used for running a website, sends to users’ computer browsers that can be stored on the hard disk of users’ PC.
  • Purpose of Use of Cookies
    It is used to provide optimized information to users by having access to visit history, such as visit frequency and visit time.
  • Installation, operation, and rejection of cookies
    Customer can change its option from your internet browser to accept all cookies, or confirm whenever it is saved or deny all cookies.
    For internet explorer: One can reject cookies by setting options on the menu at the top of the web browser by clicking Tools > Internet Options > Privacy. However, if a user chooses the option to reject saving of cookies, it may cause inconvenience when using the service.
• ARTICLE 9. PROCEDURES AND METHODS OF PERSONAL INFORMATION DESTRUCTION
  • ① In case the retention period of personal information expires, Citibank shall destroy without any delay personal information on or after the day when such information becomes of no use for reasons such as expiration of retention period, fulfillment of purpose of personal information handling, discontinuation of relevant services or closure of business, etc. unless :
    • 1. credit information centralization agencies or credit information companies retain personal credit information (only for the allowed retention period) for the purpose of centralized management·utilization of credit information or assessment of personal creditworthiness;
    • 2. credit information companies, etc. retain personal credit information for the period of effectiveness of civil·criminal obligations or for the period under a statute of limitations or hold personal credit information as evidence to resolve disputes;
    • 3. Citibank is obliged to preserve personal information in accordance with Article 33 of Commercial Act; or

      Foundation for preservation / Personal information item preserved

      Foundation for preservation	Personal information item preserved
      Article 33 of Commercial Act	- Important documents related to business, such as contracts, transaction applications, etc.
      Article 20-2 of Use and Protection of Credit Information Act	- Financial transaction information, such as deposit transaction details and loan transaction details.
      Article 201-10 of Enforcement Decree of the Income Tax Act	- Information for the issuance of a pension certificate, such as the amount of payment and withdrawal from the pension account.
      Article 5-4 of Act on reporting and using specific Financial Transaction Information	- Materials such as financial transactions that can confirm the actual name of the other party - Financial transactions, etc. subject to reporting - Information, etc. about the remitter and the recipient

    • 4. there are any other reasonable causes similar.
  • ② Personal information in printed format shall be destroyed by shred into particle or incineration and personal information in electronic format shall be permanently destroyed by the way that cannot be restored.
• ARTICLE 10. SECURITY MEASURES TO PROTECT PERSONAL INFORMATION

  Citibank takes technical / managerial and physical measures necessary for obtaining security as follows, as prescribed by Article 29 of Personal Information Protection Act.

  • ① Encryption of personal information
    • Your pin number is accessible only by you because it is stored and managed through encryption. Files and transmission data containing important data are protected via separate security measures including encryption or file locking.
  • ② Technical measures against hacking
    • To prevent any leakage or destruction of personal information triggered by hacking or computer viruses, Citibank has security programs installed and updated·monitored on a periodic basis while placing a system in an access restricted area and conducting technical/physical monitoring and access block from outside.
  • ③ Restricted access to personal information system
    • Citibank takes measures required for restricting access to personal information by authorizing, modifying or terminating access to database system which processes personal information.
  • ④ Minimize and train personal information handlers
    • Handlers of personal information shall be designated and be exclusively provided with minimum personal information.
• Article 11. PROCESSING PSEUDONYMOUS DATA
  • ① Purpose of processing pseudonymous data
    • Pursuant to Article 28.2 of 「Personal Information Protection Act」, personal information may be pseudonymized without the consent of data subjects for statistical purposes (including commercial purpose), scientific research purposes (including industrial purpose), and archiving purposes in the public interest, etc. Click on below ‘⑥ Pseudonymization of Data in Detail’ to see Citibank’s purpose of processing pseudonymous data.
  • ② Items of pseudonymized personal information
    • Click on below ‘⑥ Pseudonymization of Data in Detail’ to see type, item, and purpose of pseudonymized data processed by Citibank.
  • ③ Processing and retention period of pseudonymous data
    • Pseudonymous data will be kept ∙ used only for the period (time) during which the purpose set forth by the initial plan for processing pseudonymous data is fulfilled. Click on below ‘⑥ Pseudonymization of Data in Detail’ to see Citibank’s processing and retention period for pseudonymous data.
  • ④ Provision of pseudonymous data to a third party
    • Click on below ‘⑥ Pseudonymization of Data in Detail’ to see provision of pseudonymous data to a third party
  • ⑤ Measures to ensure the safety of pseudonymous data
    • Managerial measure: Establishment and implementation of internal management plans and training employees regularly, etc.
    • Technical measure: Authority and access control to pseudonymous data, prevention of re-identification, and installment of security programs.
    • Physical measure: access control to computer rooms and data storage rooms
  • ⑥ Pseudonymization of Data In detail
• ARTICLE 12. ADDITIONAL USAGE AND PROVISION CRITERIA
  • Pursuant to Article 15.3 and 17.4 of 「Personal Information Protection Act」 and considering Article 14.2 of 「Enforcement Degree of the Personal Information Protection Act」, Citibank can additionally use∙furnish personal information without the consent of the data subject.
  • Citibank considered the following to additionally use and provide personal information without the consent of data subject.
    • a. Whether the purpose of additionally using and providing personal information is related to the original purpose of collection
    • b. Whether there is predictability for additional usage and provision of personal information in light of the circumstances in which personal information is collected or the processing practices.
    • c. Whether the additional usage and provision of personal information unfairly violates the interests of the data subject.
    • d. Whether necessary measures to secure safety, such as pseudonymization or encryption, have been taken.
• ARTICLE 13. CHANGE OF Citibank Privacy Notice

  In case of any changes to Citibank’s Privacy Notice, the timing of amendment and effectuation as well as details of changes shall be constantly disclosed. Comparison of before and after changes shall be disclosed to help you better grasp details of the changes.

• ARTICLE 14. REMEDIAL MEASURES FOR VIOLATION OF RIGHTS AND INTERSTS

  If you want to report or consult infringement of privacy, please contact the following agencies :

  • ① Personal Information Dispute Mediation Committee(www.kopico.or.kr / 1833-6972)
  • ② Cyber privacy center of Korea Internet Security Agency (privacy.kisa.or.kr / 118(no area code))
  • ③ Supreme Prosecutor’s Office (www.spo.go.kr / 1301(no area code))
  • ④ Korea National Police Agency (ecrm.cyber.go.kr / 182(no area code))
• ARTICLE 15. PEROSNAL INFORMATION PROTECTION OFFICER AND CONTACT INFORMATION OF GRIEVANCE HANDLIND DIVISION, etc.
  • ① Personal information protection officer of Citibank, as prescribed in Paragraph 1 of Article 31 of Personal Information Protection Act is as follows: Personal Information Protection Officer
    • Compliance Div. : Han-Suk Kim
    • Email: counseling
    • TEL: 02-2004-1566
  • ② Please contact us at the number below for any inconvenience with your personal information including requests for access to your personal information. We will do our best to take care of it at the earliest possible time. Citibank Citiphone
    • For banking services: 1588-7000
    • For Internet Banking: 02-3704-7700
    • For Citicard : 1566-1000
    • Personal Information counsel : 02-2004-1566

• Customer Center