Citibank Korea Inc. PRIVACY NOTICE
Citibank Korea Inc., (hereinafter as “Citibank”) processes and safely manages personal information in accordance with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of data subjects. As such, pursuant to Article 30 of the Personal Information Protection Act, Citibank establishes and discloses the following Personal Information Privacy Notice to inform data subjects of the procedures and standards for processing and protecting personal information and to promptly and smoothly handle grievances in this regard.
Personal Information Processing Icons (Labels)
- PURPOSE OF PROCESSING
- PROCESSING AND RETENTION PERIOD
- PROCESSED ITEMS
- LEGAL REPRESENTATIVE’S RIGHTS & OBLIGATIONS
- PERSONAL INFORMATION
- PROVISION TO A THIRD PARTY
- OUTSOURCING OF PROCESSING
- OVERSEAS TRANSFER
- DESTRUCTION
- DATA SUBJECT’S RIGHTS & OBLIGATIONS
- SECURITY MEASURES TO PROTECT
- AUTOMATIC COLLECTION
- ADDITIONAL USAGE AND PROVISION
- PROCESSING PSEUDONYMOUS DATA
- PERSONAL INFORMATION PROTECTION OFFICER
- REMEDIAL MEASURES FOR VIOLATION OF RIGHTS AND INTERESTS
- CHANGE OF PRIVACY NOTICE
Article 1 (PURPOSE OF PROCESSING PERSONAL INFORMATION)
Citibank uses personal information for any of the purposes described below. Any personal information processed shall not be used for purposes other than those stated below, and necessary measures, such as seeking separate consent, are planned to be taken if there are changes to the originally prescribed purposes in accordance with Article 18 of the Personal Information Protection Act.
- 1. For the purpose of processing (financial) transactions
Citibank uses personal information for the purpose of making inquiries on personal credit information through credit information companies or credit information centralization agencies pertaining to (financial) transactions, making a decision on building a (financial) transaction relationship, establishing·keeping·executing·managing a (financial) transaction relationship, investigating financial incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations.
A (financial) transaction refers to bank business (loan, deposit, domestic and foreign exchange, etc.), universal banking (trust, fund, bancassurance, credit card, etc.), and other business (guarantee, factoring, and safe-deposit box, safe deposit of securities certificated, etc.).
- 2. For the purpose of promoting and selling products and services
Citibank uses personal information for the purpose of surveying customer satisfaction to develop new services and offer customized ones, delivering services and posting advertisements in a way that meets demographic characteristics of target customers, verifying effectiveness of services, bringing benefits to them and opportunities for engagement by giving out free gifts or running customer promotions, identifying frequency of customer visits to our website or getting statistics concerning service utilization of customers.
- 3. For the purpose of acquiring and maintaining membership
Citibank uses personal information for the purpose of accepting membership applications, giving access to member-only services, verifying identity of users on limited information as legally required, identifying individual users, preventing illegitimate or unauthorized uses, confirming customer’s intention for membership sign-up, checking consent of a legal guardian to collect personal information of children under 14 and thereafter verifying identity of the legal guardian, investigating incidents, resolving disputes, addressing customer complaints or providing disclosures to customers.
- 4. For the purpose of dealing with online transactions
Citibank uses personal information for the purpose of tracing and searching details of electronic financial transactions or referring to statistics to develop security measures, as obliged in Articles 21 and 22 of Electronic Financial Transactions Act.
- 5. For the purpose of statistics, scientific research, and archiving in the public interest
For statistical purposes, scientific research purposes, archiving purposes in the public interest, etc., personal information can be pseudonymized according to Article 28(2) of the Personal Information Protection Act.
Article 2 (PERIOD OF PROCESSING AND RETENTION OF PERSONAL INFORMATION)
- Citibank shall use and retain personal information for the retention and utilization period set forth by law or for the period of retaining and using personal information agreed upon when collecting personal information from the data subjects.
- Each information retention and utilization period is as follows:
- ① Personal (credit) information with respect to (financial) transactions shall be retained·used for the period from the date of consent to information collection·utilization until 5 years after the date of termination of (financial) transactions for above-stated purposes; provided that such information shall be retained·used only for investigating financial incidents, resolving disputes, addressing customer complaints, fulfilling legal obligations or performing risk management operations of Citibank after the date of termination of such (financial) transactions.
- ② Personal (credit) information gleaned for the purpose of personal (credit) information inquiry shall be retained·used for the period from the date you agree to the collection·utilization of personal (credit) information to the end date of such consent; provided that such information shall be retained·used only for investigating financial incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations on or after the end date of your consent to providing personal information and authorizing inquiries to be made thereon.
- ③ Personal (credit) information pertaining to promotion or sale of products and services shall be retained·used for the period from the date of consent to the collection·use of such information to the date of termination of (financial) transaction or the date of withdrawal of the consent; provided that such information shall be retained·used only for investigating incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations with respect to purposes stipulated in Article 1 after the date of termination of (financial) transactions or the date of withdrawal of the consent.
- ④ Personal (credit) information gleaned for administering website signups and membership shall be retained·used for the period from the date of membership subscription to the date of unsubscription; provided that such information shall be retained·used only for investigating incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations with respect to purposes articulated in Article 1 on or after the date of exit.
- ⑤ Personal (credit) information pertaining to online transactions shall be retained·used for the period determined by Article 12 of Enforcement Decree of Electronic Financial Transactions Act.
- ⑥ ‘Pseudonymized personal information’ for the purpose of statistics, scientific research, and archiving in the public interest is retained and used only until the point (time) when the intended goals of the pseudonymization plan are accomplished.
Article 3 (ITEMS OF PROCESSED PERSONAL INFORMATION)
Citibank collects and uses personal information within the minimum scope necessary for the establishment, maintenance, performance, and management of (financial) transactions, as well as for the provision of products and services.
- ① Items of personal information processed without the consent of the data subject
Citibank processes the following categories of personal information without obtaining the consent of the data subject.
- Where processing is unavoidable for compliance with statutory obligations

| Legal Basis | Purpose of Processing Personal Information | Items of Processed Personal Information |
|---|---|---|
| Article 3(1) of the Act on Real Name Financial Transactions and Confidentiality | Verification of the customer’s real name at the time of a financial transaction. | Real-name information such as name and resident registration number, contact information |
| Article 5-2 of the Act on Reporting and Using Specified Financial Transaction Information and Article 10-4 of the Enforcement Decree thereof | Fulfillment of customer due diligence (CDD) obligations and performance of identity verification. | Real-name information such as name and resident registration number, address, contact information, date of birth, gender, account number |
| Article 29 of the Enforcement Decree of the Banking Act | Performance of the matters prescribed in each subparagraph of Article 29(2) of the Enforcement Decree of the Banking Act. | Resident registration number, alien registration number |

- ② Items of personal information processed with the consent of the data subject
Citibank collects and processes the minimum necessary mandatory and optional personal information required for the establishment·maintenance·performance·management of (financial) transactions, as well as for the provision of products and services, with the consent of the data subject, in accordance with Article 15(1)1 and Article 22(1)7 of the Personal Information Protection Act, as set forth in each of the following items:
- 1. Necessary information
- Personal identifiable information: name, personally identifiable information (resident registration numbers, driver’s license numbers, passport numbers, alien registration numbers), domestic residence numbers, CI(Connecting Information), nationality, occupation, address (home, work), email address, contact information (home, work, phone number, etc.), etc.
- Information on (financial) transaction: product type, transaction terms (interest rate, maturity, security, etc.), date of transaction, transaction amount, etc.
- Information required for credit assessment (only for loan transactions)
- Information on credit ability: total asset·liability·income, records of taxes paid, other similar information, etc. that can determine credit ability
- Determinant of credit rating: information that can determine credit rating, such as default, delinquency, insolvency, subrogated performance, substitute payment incurred in connection with commercial transactions such as financial transactions and information that can determine credit worthiness, such as the amount, occurrence, and resolution timing related to destabilization of sound practices in credit transaction by other fraudulent means.
- Information on credit transaction: information that can identify the details of credit transaction, such as loans, debt guarantees, credit cards, checking (household checking) accounts, financial transaction information, financial transaction details, transaction dates, etc.
- Other information to assess creditworthiness: other information required to assess one’s credit, such as health insurance premium payment, national pension premium payment, credit score, rating information, etc.
- Any other information generated from consulting for establishing·keeping·executing·managing financial transactions and collection.
- 2. Optional information
- Information stated on transaction application forms other than personal identifiers, or any other information given by you (such as on housing, family status, length of residence, household members, marital status, etc.)
- Personal information that is not essential to a contract but affects terms of transaction (such as interest rates, limit, etc.) or is required to provide additional benefits.
- 3. Information collected pursuant to Electronic Financial Transaction Act
- Your user ID, date and time of log-in, IP address, phone number, or information on electronic devices and access medium (such as HDD serial, MAC address, personal firewall installation, type of operating system, browser version, etc.), electronic financial transactions, etc.
Citibank does not collect sensitive information that may infringe your privacy as a general rule; provided that we collect such information, as needed, with your separate consent and make limited use of it only for purposes you consent to.
- ③ Collection Methods
- Directly from customers who visit our branches
- Website, written forms, fax, phone, Q&A message board, email, entry for promotional event, request for delivery
- Collection tool for information populated
- Inquiries received at Contact Center
Article 4 (PROCESSING OF PERSONAL INFORMATION OF CHILDREN UNDER THE AGE OF 14)
- ① In order to process the personal information of children under the age of 14, Citibank shall inform the legal representative of the child at a branch office, etc. for the processing of personal information, including the collection and utilization of the minimum amount of personal information required to perform the service, and obtain the consent of the legal representative.
- ② The information on the name and contact of the legal representative of a child may be collected directly from the child to obtain the consent of the representative, pursuant to paragraph 2 of Article 22-2 of the Personal Information Protection Act.
- Collected items: name, relationship, and contact information of the legal representative
- ③ The legal representative of a child under the age of 14 may exercise rights such as requesting access to, correction of, or deletion of the child’s personal information.
Article 5 (NOTIFICATION OF COLLECTION OR SOURCES, ETC., OF PERSONAL INFORMATION)
- ① In accordance with Article 20 of the Personal Information Protection Act, in case of processing personal information gathered from sources other than the subject of the information, Citibank shall notify the subject of their rights to demand that Citibank disclose sources or withdraw the content and processing purpose of the information or suspend information processing within three (3) days from the demand, unless Citibank has valid reasons to do otherwise.
- ② In accordance with each subparagraph of Article 20(4) of the Personal Information Protection Act, in case Citibank rejects a demand of a data subject made in accordance with Paragraph ①, Citibank, without justifiable causes to the contrary, shall inform the subject of the ground and reason of the rejection within three (3) days from the demand.
Article 6 (PROVISION OF PERSONAL INFORMATION TO A THIRD PARTY)
- ① As a general principle, Citibank processes the personal information of a data subject within the scope of the purposes specified in Article 1, and provides personal information to third parties only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, such as where the consent of the data subject has been obtained or where there are special provisions under applicable laws. Except in such cases, Citibank does not provide the personal information of the data subjects to third parties.
In any of the following cases, personal information may be used for purposes other than those originally intended or provided to third parties, unless there is a risk of unjustly infringing upon the interests of the data subject or a third party:
- 1. Separate consent has been obtained from the data subject;
- 2. There are special regulations of other laws permitting such an act;
- 3. It is clearly deemed necessary for urgent protection of life, body or property of the data subject or a third party; or
- 4. Where it is urgently necessary for public safety and well-being, including public hygiene, etc.
- ② For the purposes of providing services smoothly, Citibank provides personal information within the minimum necessary scope, with the consent of the data subject, in accordance with Article 17(1)1 of the Personal Information Protection Act, as set forth in each of the following items.
- 1. Recipients
- Credit information centralization agencies and credit information companies
- Credit information centralization agencies: Korea Credit Information Services, etc.
- Credit Information Companies: Korea Credit Bureau, NICE Information Service Co., Ltd., Korea Rating & Data, etc.
- Other public institutions etc. requiring submission under the same law or other laws.
- Alliance partners In detail
- Citibank Korea Inc. and its affiliates including Citigroup HQ & Overseas supervisory institutions
- Citigroup affiliates: Citigroup Inc., Citibank N.A. etc.
- Overseas supervisory institutions: OCC, Fed (US)
- 2. Purpose of receiving personal information
- To provide to credit information centralization agencies or credit information companies
- Concentrated collection/retention/provision of credit information about financial institutions
- To use as a basis to determine creditworthiness of individuals or for policy making at public institutions
- For other uses prescribed by the provisions of the same law and/or other laws.
- To provide to alliance partners
- To use for promotion and sale of alliance products and services
- Click on above “1. Recipients – Alliance partners in detail” to see the purpose of providing personal information to each partner.
- Provision to Citibank Korea Inc. and its affiliates including Citigroup HQ & Overseas supervisory institutions
- Used as and provided for internal reporting, audit and inspection of respective financial institution
- 3. Personal information provided
- Provided to credit information centralization agencies and credit information companies
- Personal identifiers, information on credit transactions, credit ability, and credit rating, and other information required to assess creditworthiness.
- Provided to alliance partners
- Any information other than personal identifiers, details of (financial) transactions or personal identifiers stated on transaction application forms, or any other information given by you (such as on housing, family status, length of residence, household members, marital status, etc.)
- Click on above “1. Recipients – Alliance partners in detail” to see the list of provided personal information to each partner.
- Provision to Citibank Korea Inc. and its affiliates including Citigroup HQ & Overseas supervisory institutions
- Information whose collection and use have been consented to and which is specifically required for inspection and audit purposes
- 4. Period of retention of personal information
- Personal (credit) information shall be retained·used for the period from the date of provision until the date of withdrawal of consent or until when the purpose of such provision is fulfilled. On or after the day when such consent is withdrawn or the purpose of provision of personal information is met, such information shall be retained·used only within the scope required for investigating financial incidents, resolving disputes, addressing customer complaints or performing statutory obligations with respect to the above-stated purposes.
- Details regarding Alliance partners can be checked by clicking “Alliance Partners in detail” above.
- ③ Citibank may provide personal information to relevant institutions, etc., without obtaining the consent of the data subject, as set forth below.

| Legal Basis | Recipient | Purpose of Provision | Provided Items |
|---|---|---|---|
| Article 17(1)2 and Article 15(1)2 of the Personal Information Protection Act (Special provisions under other laws), Article 36(6) of the Act on the Coordination of International Tax Affairs (Exchange of tax and financial information) | National Tax Service (NTS) | Periodic exchange of financial information pursuant to information exchange agreements | Financial Information and other information of data relating to financial transactions (name, address, jurisdiction of residence, taxpayer identification number, date of birth, account number, account balance, total amount of interest, total amount of dividends, total amount of other income arising from assets held in the account, total transaction amount, and total amounts paid to or credited to the account holder) |
| Article 17(1)2 and Article 15(1)2 of the Personal Information Protection Act (Special provisions under other laws), Article 165 of the Income Tax Act (submission of supporting documents for income deductions and tax credits and administrative guidance) | National Tax Service (NTS) | Issuance of supporting documents for simplified year-end tax settlement | Name, resident registration number, contribution amounts for personal pension savings/pension savings/individual IRP/housing subscription savings, repayment details of principal and interest on lease deposit loans and long-term mortgage loans, debit card and credit card usage records |
| Article 18(2)2 of the Personal Information Protection Act (special provisions under other laws), Article 4 of the Act on Real Name Financial Transactions, Article 215 of the Criminal Procedure Act | Competent police agency or prosecutor’s office | Requests made pursuant to warrants for seizure, search, or inspection. | Information within the scope of the request. |

- ④ Citibank may provide personal information to relevant authorities, without the consent of the data subject, in cases where emergency situations arise, such as disasters, infectious diseases, incidents or accidents that cause imminent danger to life or body, or urgent loss of property.

| Classification | Legal Basis | Recipient | Provided Personal Information |
|---|---|---|---|
| Disaster Response | Article 74-3 of the Framework Act on the Management of Disasters and Safety (Request for Provision of Information) | Central Disaster and Safety Countermeasures HQ or Local Disaster and Safety Countermeasures HQ | Name, resident registration number, address, phone number (including mobile number); debit/credit card transaction date/time and location for tracking movement routes and conducting search and rescue |
| Prevention and Control of Infectious Diseases | Article 76-2 of the Infectious Disease Control and Prevention Act (Request for Provision of Information and Verification of Information) | Korea Disease Control and Prevention Agency (KDCA) or metropolitan and provincial governments | Name, resident registration number, address, phone number (including mobile number); debit/credit card transaction details pursuant to the Specialized Credit Finance Business Act for the purpose of tracking movement routes |
| Location of Missing Children, Persons with Mental Disabilities, Patients with Dementia, etc. | Article 9 of the Act on the Protection and Support of Missing Children (Conduct of Search or Investigations) | Police Agencies | Internet address, identity verification-related information |
| Response to Crisis Situations such as Severe Financial Hardship | Article 7-2 of the Emergency Aid and Support Act (Locating Persons in Critical Situations) | Central governments and local governments | Minimum information necessary to identify persons eligible for emergency livelihood support in cases of financial hardship or similar crisis situations |
| Protection of Persons at Risk of Suicide | Article 19-3 of the Act on the Prevention of Suicide (Requests for Provision of Information to Rescue People in Need of Emergency Rescue) | Police Agencies; Korea Coast Guard; Fire agencies | Name, resident registration number (or date of birth if no RRN exists), address, phone number, user ID, email address of the emergency rescue target |
| Processing of Personal Information Related to Crimes such as Kidnapping or Unlawful Confinement | Article 18-2-2 of the Personal Information Protection Act (Restriction on Repurposing Personal Information and Provision Thereof) | Police Agencies | Video information such as CCTV footage |
| | Article 83 of the Telecommunications Business Act (Protection of Confidentiality of Communications) | Investigative Agencies | User’s name, resident registration number, address, phone number, user ID, date of subscription or termination |

Article 7 (OUTSOURCING OF PERSONAL INFORMATION PROCESSING)
- ① Citibank outsources personal information processing as follows:
- 1. Outsourced vendors In detail (including sub-contractors)
- Service providers for establishing·keeping·executing·managing (financial) transactions
- Marketing companies for promotion and sale of products and services
- Customer appreciation and promotional event companies
- Research firms to survey customer satisfaction
- Vendors for asset sales, etc.
- Click on above “1. Outsourced vendors In detail” for more details
- 2. Purpose of outsourced work
- Vendors shall undertake outsourced services that are required for establishing·keeping·executing·managing (financial) transactions
- Vendors shall undertake outsourced services that are required for promoting and selling products and services, giving out giveaways, customer appreciation and promotional events or customer satisfaction survey.
- Consultative works for asset sales, etc.
- Click on above “1. Outsourced vendors In detail” for more details
- 3. Items of personal information provided
- Personal identifier: unique identifiers such as name and resident registration number, nationality, job, contact information such as address, email or phone number, etc.
- Information on (financial) transaction: product type, terms of transaction (interest rate, maturity, security, etc.), date of transaction, transaction amount, etc.
- Information stated on transaction application form or given by you other than personal identifiers: residence, family status, length of residence, household members, marital status, etc.
- Click on above “1. Outsourced vendors In detail” for more details
- 4. Period of retention of personal information
- Click on above “1. Outsourced vendors In detail” for more details
- ② When entering into an outsourcing agreement, Citibank specifies matters concerning responsibilities such as the prohibition of processing personal information for purposes other than the performance of the outsourced tasks, technical and administrative safeguards, restrictions on sub-outsourcing, management and supervision of the service provider, and liability for damages in written documents including the contract, in accordance with Article 26 of the Personal Information Protection Act. Citibank also supervises whether the service provider processes personal information safely.
- ③ Pursuant to Article 26(6) of the Personal Information Protection Act, if the service provider sub-contracts Citibank’s personal information processing tasks, the service provider must obtain Citibank’s prior consent. Citibank discloses the sub-service providers and the details of the sub-contracted tasks through this Privacy Notice.
- ④ Any changes to the scope of outsourced services or the service providers will be disclosed through this Privacy Notice.
Article 8 (OVERSEAS TRANSFER OF PERSONAL INFORMATION)
Where outsourcing and storage of personal information overseas are necessary for the conclusion and performance of contracts with data subjects, Citibank transfers personal information to overseas countries. For detailed information, please refer to the section titled “Overseas Transfer in detail” below by clicking “In detail”.
Overseas Transfer In detail
Article 9 (PROCEDURES AND METHODS OF PERSONAL INFORMATION DESTRUCTION)
- ① In case the retention period of personal information expires, Citibank shall destroy without any delay personal information on or after the day when such information becomes of no use for reasons such as expiration of retention period, fulfillment of purpose of personal information handling, discontinuation of relevant services or closure of business, etc. unless:
- 1. credit information centralization agencies or credit information companies retain personal credit information (only for the allowed retention period) for the purpose of centralized management·utilization of credit information or assessment of personal creditworthiness;
- 2. credit information companies, etc. retain personal credit information for the period of effectiveness of civil·criminal obligations or for the period under a statute of limitations or hold personal credit information as evidence to resolve disputes;
- 3. Where retention is required for compliance with statutory obligations; or
- 4. Other similar instances with justifiable reasons.
- ② Even after the retention period agreed upon by the data subject has expired or the purpose of processing has been achieved, if personal information must continue to be retained pursuant to subparagraph 3 of paragraph (1), that is, in accordance with other applicable laws, such personal information shall be transferred to a separate database (DB or table) or stored separately in a different location.
- Legally mandated cases of retention

| Basis for retention | Items of retained Personal information | Retention period |
|---|---|---|
| Article 33 of Commercial Act | Commercial books and records, contracts, and other important documents related to business (including electronic records) | 10 Years from termination of financial transactions and other commercial relationships |
| Article 201-10 of Enforcement Decree of the Income Tax Act | Information for issuance of pension certificate, such as amount of annual payment, withdrawal, payment conversion, confirmed tax-exempt amounts, etc. | Permanent |

Pursuant to Article 20-2 of the Act on the Use and Protection of Credit Information and Article 17-2 of the Enforcement Decree thereof, where all financial transactions have been terminated, personal information shall be stored separately from the information of other data subjects for up to five years and shall be deleted upon the expiration of the retention period prescribed by applicable laws.
- ③ Procedures and Methods for the Destruction of Personal Information are as follows:
- Destruction Procedures:
Citibank selects personal information for which grounds for destruction have arisen and destroys such personal information upon obtaining approval from the responsible officer. - Destruction Methods:
Citibank destroys printed materials and written documents containing personal information by shredding or incineration and destroys personal information in electronic file form by methods that render restoration impossible.
- Destruction Procedures:
- ① In case the retention period of personal information expires, Citibank shall destroy without any delay personal information on or after the day when such information becomes of no use for reasons such as expiration of retention period, fulfillment of purpose of personal information handling, discontinuation of relevant services or closure of business, etc. unless:
-
Article 10 (DATA SUBJECT & LEGAL REPRESENTATIVE’S RIGHTS & OBLIGATIONS AND WAYS TO ENFORCE THEM)
- ① Data subjects are entitled to demand access to personal information handled by Citibank pertaining to themselves or their children aged under 14 (only if you are their duly authorized legal guardian).
- ② Data subjects may demand that Citibank correct or delete personal information they have read in the case where the information differs from the truth or is not verifiable. However, if such information shall be collected as regulated in other laws or regulations, the data subject cannot request deletion.
- ③ Data subjects may demand that Citibank suspend processing their personal information; provided that Citibank may reject such demand for suspension of information processing by giving the data subjects the reason of rejection if:
- 1. either there are special regulations in laws or Citibank cannot but process your information to fulfill our obligations that are required by laws and regulations;
- 2. suspension of information processing may harm the life·body of another person or unreasonably prejudice property or other interests of another person; or
- 3. if failure to process personal information interferes with our performance of contract with data subjects including but not limited to failure to provide contracted services to data subjects in cases where they have not explicitly expressed their intention to terminate the contract.
- ④ Citibank verifies whether the person who makes a request for access, correction or deletion, suspension of processing, or inspection, etc., pursuant to the rights of the data subject, is the actual data subject or a duly authorized representative.
- ⑤ Where the data subject has consented to the fact that automated decision-making is carried out, or where such fact has been notified in advance through a contract, etc., or where there are explicit provisions in applicable laws, refusal of automated decision-making shall not be permitted, and only requests for explanation and review shall be allowed. In addition, a request for refusal or explanation regarding automated decision-making may be denied where there are legitimate grounds to believe that such request may unduly infringe upon the life, body, property, or other interests of another person.
- ⑥ The data subject can exercise rights such as access, correction, and deletion requests through Citibank’s branch (written submission), customer call centers (phone call submission), or Citibank website (online submission). The legal representative of a child under the age of 14 may exercise the right to request viewing, correction, or deletion of the child’s personal information from Citibank, and a data subject who is a minor over the age of 14 may exercise his or her rights himself or herself or through a legal representative. In the case of a representative, the rights can be exercised through a branch office.
-
Article 11 (SECURITY MEASURES TO PROTECT PERSONAL INFORMATION)
Citibank implements the following administrative, technical, and physical measures necessary to ensure the security of personal information in accordance with Article 29 of the Personal Information Protection Act.
- ① Administrative Measures
- Establishment and implementation of an internal management plan
- Operations of a dedicated organization: operation of a dedicated department consisting of specialized personnel and responsible officers in charge of information security and personal information protection
- Minimization of personnel handling personal information and regular training: designation of employees who handle personal information, minimization of the number of such personnel, and provision of regular personal information protection training to those employees.
- ② Technical Measures
- Access rights management: control of access to personal information through the granting, modification, and revocation of access rights to personal information processing systems.
- Operation of access control systems: control of unauthorized access from external sources by using an intrusion prevention system.
- Encryption of personal information: unique identification information, passwords, and biometric information are stored in encrypted form using secure encryption algorithms. Where personal information is transmitted or received through information and communications networks, including internet network sections, such information is encrypted using secure encryption algorithms.
- To prevent any leakage or destruction of personal information caused by hacking or computer viruses, security programs are installed, updated, and monitored on a periodic basis, systems are placed in access-restricted areas, and technical and physical monitoring and blocking of access from outside are conducted.
- Vulnerability assessment: regular vulnerability assessments of the website are conducted.
- ③ Physical Measures
- Establishment and operation of access control procedures for physical storage locations such as computer rooms.
- Storage of documents, auxiliary storage media, etc., in secure locations equipped with locking devices.
- Implementation of security measures to control the removal and entry of auxiliary storage media.
-
Article 12 (INSTALLATION, OPERATION, AND REJECTION OF THE AUTOMATIC COLLECTION OF PERSONAL INFORMATION)
- Citibank uses cookies that save and retrieve user information to track users’ website visit history and does not use that information for any purpose other than its intended purpose or provide it to third parties. Cookies are small pieces of information that the (HTTP) server used to run a website sends to the user’s browser and that can be stored on the hard disk of the user’s PC.
- Purpose of Use of Cookies
Cookies are used to provide optimized information to users by having access to visit history, such as visit frequency and visit time.
- Installation, operation, and rejection of cookies
Customers can change their internet browser options to accept all cookies, to be asked for confirmation whenever a cookie is saved, or to reject all cookies. However, if a customer chooses the option to reject saving of cookies, it may cause inconvenience when using the service.
Web Browser (example)
Chrome: Select the menu icon at the upper right corner of the web browser -> New Incognito Window (shortcut: Ctrl+Shift+N)
Microsoft Edge: Select the menu icon at the upper right corner of the web browser -> New InPrivate window (shortcut: Ctrl+Shift+N)
-
Article 13 (ADDITIONAL USAGE AND PROVISION CRITERIA)
- Pursuant to Article 15.3 and 17.4 of 「Personal Information Protection Act」 and considering Article 14.2 of 「Enforcement Decree of the Personal Information Protection Act」, Citibank can additionally use and provide personal information without the consent of the data subject.
- Citibank considers the following items to additionally use and provide personal information without the consent of data subject:
- a. Whether the purpose of additionally using and providing personal information is related to the original purpose of collection;
- b. Whether there is predictability for additional usage and provision of personal information in light of the circumstances in which personal information is collected or the processing practices;
- c. Whether the additional usage and provision of personal information unfairly violates the interests of the data subject;
- d. Whether necessary measures to secure safety, such as pseudonymization or encryption, have been taken.
-
Article 14 (PROCESSING PSEUDONYMOUS DATA)
- ① Purpose of processing pseudonymous data
- Pursuant to Article 28-2 of the Personal Information Protection Act, personal information may be pseudonymized without the consent of data subjects for statistical purposes (including commercial purpose), scientific research purposes (including industrial purpose), and archiving purposes in the public interest, etc. Click on below ‘⑥ Pseudonymization of Data in Detail’ to see Citibank’s purpose of processing pseudonymous data.
- ② Items of pseudonymized personal information
- Click on below ‘⑥ Pseudonymization of Data in Detail’ to see type, item, and purpose of pseudonymized data processed by Citibank.
- ③ Processing and retention period of pseudonymous data
- Pseudonymous data will be kept ∙ used only for the period (time) during which the purpose set forth by the initial plan for processing pseudonymous data is fulfilled. Click on below ‘⑥ Pseudonymization of Data in Detail’ to see Citibank’s processing and retention period for pseudonymous data.
- ④ Provision of pseudonymous data to a third party
- Click on below ‘⑥ Pseudonymization of Data in Detail’ to see provision of pseudonymous data to a third party
- ⑤ Measures to ensure the safety of pseudonymous data
- Managerial measures: Establishment and implementation of internal management plans of pseudonymous data and training employees regularly, etc.
- Technical measures: Separate storage of pseudonymous data and additional information, destruction of additional information when it is no longer necessary, separation of access rights to pseudonymous data and additional information, installation of access control systems and other related protective measures, retention and inspection of records of processing and access to pseudonymous data, and installation of security programs, etc.
- Physical measures: access control to computer rooms and data storage rooms where pseudonymous data is stored
- ⑥ Pseudonymization of Data In detail
-
Article 15 (PROCESSING OF CONNECTING INFORMATION (CI))
Citibank processes the data subject’s Connecting Information (CI) pursuant to Article 23-5 of the Act on Promotion of Information and Communications Network Utilization and Information Protection (Creation and Processing of Connecting Information). Citibank hereby informs the data subject of matters concerning the legal basis for processing Connecting Information, the purposes of collection and use thereof, and the retention and use period thereof, as set forth below. Matters not specified herein shall be governed by other provisions of this Privacy Notice.
- ① Basis for Processing Connecting Information
Citibank processes Connecting Information with the consent of the data subject pursuant to Article 23-5(4) of the Act on Promotion of Information and Communications Network Utilization and Information Protection (Creation and Processing of Connecting Information).
- ② Purpose of Collection and the Use of Connecting Information
Citibank collects and uses Connecting Information for the purpose of identification, authentication, and linkage of the data subject in relation to (financial) transactions.
- ③ Retention and Use Period of Connecting Information
Citibank retains and uses Connecting Information for the retention period corresponding to each purpose of processing as set forth in Article 2 (Period of Processing and Retention of Personal Information) of this Privacy Notice.
- ④ Obligation to Implement Security Measures for Connecting Information
In order to safely process the data subject’s Connecting Information, Citibank implements separate administrative, technical, and physical measures for Connecting Information in accordance with Article 23-6 of the Act on Promotion of Information and Communications Network Utilization and Information Protection (Obligation to Take Safety Measure for Connecting Information) including Article 29 (Duty of Safeguards) of the Personal Information Protection Act.
- Establishment of an internal management plan for the safe processing of Connecting Information
- Minimization of personnel authorized to access Connecting Information and provision of training to such personnel
- Separate storage and management of Connecting Information from resident registration numbers (scheduled to be implemented by 2026)
- Use of encrypted communication channels when transmitting or receiving Connecting Information over internet network sections
- Encryption of Connecting Information using secure algorithms when stored (scheduled to be implemented by 2026)
- Establishment and implementation of response plans in the event of infringement incidents such as loss or theft of Connecting Information
-
Article 16 (PERSONAL INFORMATION PROTECTION OFFICER AND CONTACT INFORMATION OF GRIEVANCE HANDLING DIVISION, etc)
- ① Personal information protection officer of Citibank, as prescribed in Paragraph 1 of Article 31 of the Personal Information Protection Act, is as follows:
Personal Information Protection Officer
- Compliance Div. : Han-Suk Kim
- E-Mail : counseling
- Tel. : 02-2004-1566
- ② Request for access to personal information pursuant to Article 35 of the Personal Information Protection Act can be made through branches and internet banking.
- Branches: Visit a branch to request to access (business hours: 09:00 ~ 16:00)
- Internet banking website (www.citibank.co.kr): After logging in, click setting (upper right corner) -> My Profile > Edit Profile > Manage Customer Information
- ③ Also, please contact us at the number below for any inconvenience with your personal information including requests for access to your personal information. We will do our best to take care of it at the earliest possible time.
Citibank Customer Center
- For banking services : 1588-7000
- For Internet Banking : 02-3704-7700
- For Citicard : 1566-1000
- Personal Information counsel : 02-2004-1566
-
Article 17 (REMEDIAL MEASURES FOR VIOLATION OF RIGHTS AND INTERESTS)
If you want to report or seek consultation on an infringement of privacy, please contact the following agencies:
- ① Personal Information Dispute Mediation Committee (www.kopico.go.kr / (no local code needed) 1833-6972)
- ② Cyber privacy center of Korea Internet Security Agency (privacy.kisa.or.kr / (no local code needed) 118)
- ③ Supreme Prosecutor’s Office (www.spo.go.kr / (no local code needed) 1301)
- ④ Korea National Police Agency (ecrm.police.go.kr / (no local code needed) 182)
-
Article 18 (CHANGE OF CITI PRIVACY NOTICE)
- In case of any changes to Citibank’s Privacy Notice, the timing of amendment and effectuation as well as details of changes shall be constantly disclosed. Comparison of before and after changes shall be disclosed to help you better grasp details of the changes.
- This Privacy Notice is effective as of December 26, 2025.
- The previous Privacy Notice can be found below.
* Compliance Review No. 2512-06-093 (2025.12.19)