Citibank Korea Inc. PRIVACY NOTICE

Citibank Korea Inc., (hereinafter as “Citibank”) processes and safely manage personal information in accordance with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of data subjects. As such, pursuant to Article 30 of the Personal Information Protection Act, Citibank Bank establishes and discloses the following Privacy Policy to inform data subjects of the procedures and standards for processing personal information and to promptly and smoothly handle grievances in this regard.

• ARTICLE 1. PURPOSE OF HANDLING OF PERSONAL INFORMATION

  Citibank uses personal information for any of the purposes described below. Any personal information processed shall not be used for purposes other than stated below; provide, that your prior consent will be sought in case there are changes to originally prescribed purposes unless such changes are permitted by relevant laws and regulations.

  • 1. For the purpose of processing (financial) transactions

    Citibank uses personal information for the purpose of making inquiries on personal credit information through credit information companies or credit information centralization agencies pertaining to (financial) transactions, making a decision on building a (financial) transaction relationship, establishing·keeping·executing·managing a (financial) transaction relationship, investigating financial incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations.

    (financial) transaction refers to bank business (loan, deposit, domestic and foreign exchange, etc.), universal banking (trust, fund, bancassurance, credit card, etc.), other business (guarantee, factoring, and safe-deposit box, safe deposit of securities certificates, etc.)

  • 2. For the purpose of promoting and selling products and services

    Citibank uses personal information for the purpose of surveying customer satisfaction to develop new services and offer customized ones, delivering services and posting advertisements in a way that meets demographic characteristics of target customers, verifying effectiveness of services, bringing benefits to them and opportunities for engagement by giving out free gifts or running customer promotions, identifying frequency of customer visits to our website or getting statistics concerning service utilization by our web members.

  • 3. For the purpose of acquiring and maintain membership

    Citibank uses personal information for the purpose of accepting membership applications, giving access to member-only services, verifying identity of users on limited information as legally required, identifying individual users, preventing illegitimate or unauthorized uses, confirming customer’s intention for membership sign-up, checking consent of a legal guardian to collect personal information of children under 14 and thereafter verifying identity of the legal guardian, investigating incidents, resolving disputes, addressing customer complaints or provide disclosures to customers.

  • 4. For the purpose of dealing with online transactions

    Citibank uses personal information for the purpose of tracing and searching details of electronic financial transactions or referring to statistics to develop security measures, as obliged in Articles 21 and 22 of Electronic Financial Transactions Act.

  • 5. For the purpose of statistics, scientific research, and archiving in the public interest

    For statistical purposes, scientific research purposes, and archiving purposes in the public interest, etc. the personal information can be pseudonymized according to Article 28(2) of the Personal Information Protection Act

• ARTICLE 2. PERIOD OF PROCESSING AND RETENTION OF PERSONAL INFORMATION
  • Citibank shall use retain personal information for the period according to the retention and utilization period set forth by the law or the period of retaining and using personal information agreed upon when collecting personal information from the data subjects.
  • Each information retention and utilization period is as follows.
  • ① Personal (credit) information with respect to (financial) transactions shall be retained·used for the period from the date of consent to information collection·utilization until 5 years after the date of termination of (financial) transactions for above-stated purposes; provided that such information shall be kept·used only for investigating financial incidents, resolving disputes, addressing customer complaints, fulfilling legal obligations or performing risk management operations of Citibank after the date of termination of such (financial) transactions.
  • ② Personal (credit)information gleaned for the purpose of personal (credit)information inquiry shall be kept·used for the period from the date you agree to the collection·utilization of personal (credit)information to the end date of such consent; provided that such information shall be kept·used only for investigating financial incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations on or after the end date of your consent to providing personal information and authorizing inquires to be made thereon.
  • ③ Personal (credit) information pertaining to promotion or sale of products and services shall be kept·used for the period from the date of consent to the collection·use of such information to the date of termination of (financial) transactions or the date of withdrawal of the consent; provide, that such information shall be retained·used only for investigating incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations with respect to purposes stipulated in ARTICLE 1 after the date of termination of (financial) transactions or the date of withdrawal of the consent.
  • ④ Personal (credit)information gleaned for administering website signups and membership shall be kept·used for the period from the date of membership subscription to the date of unsubscription; provided that such information shall be kept·used only for investigating incidents, resolving disputes, addressing customer complaints or fulfilling statutory obligations with respect to purposes articulated in ARTICLE 1 on or after the date of exit.
  • ⑤ Personal (credit)information pertaining to online transactions shall be kept·used for the period determined by ARTICLE 12 of Enforcement Decree of Electronic Financial Transactions Act.
  • ⑥ ‘Pseudonymized personal information’ for the purpose of statistics, scientific research, and archiving in the public interest is retained and used only until the point (time) when the intended goals of the pseudonymization plan are accomplished.
• ARTICLE 3. ITEMS OF PERSONAL INFORMATION REQUIRED

  Citibank collects minimum necessary and optional information as follows which is required for establishing·keeping·executing·managing (financial)transactions and offering products and services.

  • 1. Necessary information
    •  Personal identifiable information: name, personally identifiable information (resident registration numbers, driver’s license numbers, passport numbers, alien registration numbers), domestic residence numbers, CI, nationality, occupation, address (home, work), email address, contact information (home, work, phone number, etc.), etc.
    • Information on (financial)transaction: product type, transaction terms (interest rate, maturity, security, etc), date of transaction, transaction amount, etc.
    • Information required for credit assessment (only for loan transactions)
      • Information on credit ability: total asset·liability·income, records of taxes paid, other similar information, etc. that can determine credit ability
      • Determinant of credit rating: : information that can determine credit rating, such as default, delinquency, insolvency, subrogated performance, substitute payment incurred in connection with commercial transactions such as financial transactions and information that can determine credit worthiness, such as the amount, occurrence, and resolution timing related to destabilization of sound practices in credit transaction by other fraudulent means.
      • Information on credit transaction: information that can identify the details of credit transaction, such as loans, debt guarantees, credit cards, checking (household checking) accounts, financial transaction information, financial transaction details, transaction dates, etc
      • other information to access creditworthiness: other information required to assess one’s credit, such as health insurance premium payment, national pension premium payment, credit score, rating information, etc.
    • Any other information generated from consulting for establishing·keeping·executing·managing financial transactions and collection.
  • 2. Optional information
    • Information stated on transaction application forms other than personal identifiers, or any other information given by you (such as on housing, family status, length of residence, household members, marital status, etc)
    • Personal information that is not essential to a contract but affects terms of transaction (such as interest rates, limit, etc.) or is required to provide additional benefits.
  • 3. Information collected pursuant to Electronic Financial Transaction Act
    • Your user ID, date and time of log-in, IP address, phone number, or information on electronic devices and access medium (such as HDD serial, MAC address, personal firewall installation, type of operating system, browser version, etc.), electronic financial transactions, etc.

    Citibank does not collect sensitive information that may infringe your privacy; provided that we collect such information, as needed, with your separate consent and make limited use of it only for purposes you consent to.

  • 4. Collection Methods
    • Directly from customers who visit our branches
    • Website, written forms, fax, phone, Q&A message board, email, entry for promotional event, request for delivery
    • Collection tool for information populated
    • Inquiries received at Contact Center
• ARTICLE 4. MATTERS CONCERNING THE PROCESSING OF PERSONAL INFORMATION OF CHILDREAN UNDER THE AGE OF 14
  • ① In order to process the personal information of children under the age of 14, Citibank shall inform the legal representative of the child at a branch office, etc. about the processing of personal information, including the collection and utilization of the minimum amount of personal information required to perform the service, and obtain the consent of the legal representative.
  • ②The information on the name and contact of the legal representative of a child may be collected directly from the child to obtain the consent of the representative, pursuant to paragraph 2 of Article 22-2
    • Collected items: name, relationship, and contact information of the legal representative
  • ③ The legal representative of a child under the age of 14 may exercise rights such as requesting access to, correction of, or deletion of the child’s personal information.
• ARTICLE 5. DISCLOSURE OF SOURCES OF PERSONAL INFORMATION, etc.
  • ① In case of processing personal information gathered from sources other than the subject of the information, Citibank shall notify the subject of their rights to demand that Citibank disclose sources or withdraw the content and processing purpose of the information or suspend information processing within three (3) days from the demand, unless Citibank has valid reasons to do otherwise.
  • ② In accordance with each subparagraph of Paragraph 4 of Article 20 of Personal Information Protection Act, in case Citibank rejects demand of a data subject made in accordance with Paragraph ①, Citibank, without justifiable causes to the contrary, shall inform the subject of the ground and reason of the rejection within three (3) days from the demand.
• ARTICLE 6. PROVISION OF PERSONAL INFORMATION TO A THIRD PARTY
  • ① Citibank uses your personal information within the scope of purposes determined in Article 1 herein and, without your prior consent, shall not exceed the prescribed scope or provide such information to a third party; except for the following cases where personal information may be used for purposes beyond the original scope or furnished to a third party unless such act may unreasonably prejudice interests of you or the third party :
    • 1. you have given prior consent to provision or disclosure of personal information to a third party ;
    • 2. there are special regulations of other laws permitting such act ;
    • 3. it is clearly deemed necessary for urgent protection of life, body or property of you or a third party in cases where you or your legal representative is not in a state to express yourselves or you are not reachable for prior consent for reasons including but not limited to unknown address
  • ② Citibank furnishes personal information as follows :
    • 1. Recipients
      • Credit information centralization agencies and credit information companies
        • Credit information centralization agencies : Korea Credit Information Services, etc
        • Credit information companies : Korea Credit Bureau, NICE Information Service Co.,Ltd., Korea Rating & Data, etc.
        • Other public institutions etc. requiring submission under the same law or other laws.
      • Alliance partners In detail
      • Citibank Korea Inc. and its affiliates including Citigroup HQ & Overseas supervisory institutions
        • Citigroup affiliates: Citigroup Inc., Citibank N.A. etc.
        • Overseas supervisory institutions: OCC, Fed(US)
    • 2. Purpose of receiving personal information
      • To provide to credit information centralization agencies or credit information companies
        • Concentrated collection/retention/provision of credit information about financial institutions
        • To use as a basis to determine creditworthiness of individuals or for policy making at public institutions
        • For other uses prescribed by the provisions of the same law and/or other laws.
      • To provide to alliance partners
        • To use for promotion and sale of products and services in alliance
        • Click on above “1. Recipients – Alliance partners in detail” to see the purpose of providing personal information to each partner.
      • Provision to Citibank Korea Inc. and its affiliates including Citigroup HQ & Overseas supervisory institutions
        • Used as and provided for internal reporting, audit and inspection of respective financial institution
    • 3. Personal information provided
      • Provided to credit information centralization agencies and credit information companies
        • Personal identifiers, information on credit transactions, credit ability, and credit rating, and other information required to access creditworthiness.
      • Provided to alliance partners
        • Any information other than personal identifiers, details of (financial)transactions or personal identifiers stated on transaction application forms, or any other information given by you (such as on housing, family status, length of residence, household members, marital status, etc)
        • Click on above “1. Recipients – Alliance partners in detail” to see the list of provided personal information to each partner.
      • Provision to Citibank Korea Inc. and its affiliates including Citigroup HQ & Overseas supervisory institutions
        • Information whose collection/usage are consented which is specifically required for inspection and audit purpose

          Personal (credit) information gleaned prior to the consent herein shall be included.

    • 4. Period of retention of personal information
      • Personal (credit)information shall be retained·used for the period from the date of provision until the date of withdrawal of consent or until when the purpose of such provision is fulfilled. On or after the day when such consent is withdrawn or the purpose of provision of personal information is met, such information shall be retained·used only within the scope required for investigating financial incidents, resolving disputes, addressing customer complaints or performing statutory obligations with respect to the above-stated purposes.
• ARTICLE 7. OUTSOURCING OF PERSONAL INFORMATION PROCESSING
  • ① Citibank outsources personal information processing as follows:
    • 1. Outsourced vendors In detail
      • Service providers for establishing·keeping·executing·managing (financial) transactions
      • Marketing companies for promotion and sale of products and services
      • Customer appreciation and promotional event companies
      • Research firms to survey customer satisfaction
      • Vendors for asset sales, etc
      • Click on above “1. Outsourced vendors In detail” for more details
    • 2. Purpose of outsourced work
      • Vendors shall undertake outsourced services that are required for establishing·keeping·executing·managing (financial) transactions
      • Vendors shall undertake outsourced services that are required for promoting and selling products and services, giving out giveaways, customer appreciation and promotional events or customer satisfaction survey.
      • Consultative works for asset sales, etc
      • Click on above “1. Outsourced vendors In detail” for more details
    • 3. Personal information provided
      • Personal identifier : unique identifiers such as name and resident registration number, nationality, job, contact information such as address, email or phone number, etc
      • Information on (financial)transaction: product type, terms of transaction(interest rate, maturity, security, etc), date of transaction, transaction amount, etc.
      • Information stated on transaction application form or given by you other than personal identifiers: residence, family status, length of residence, household members, marital status, etc.
      • Click on above “1. Outsourced vendors In detail” for more details

      Personal (credit)information gleaned prior to the consent herein shall be included.

    • 4. Period of retention of personal information
      • Click on above “1. Outsourced vendors In detail” for more details
  • ② In contracting outside vendors, Citibank clarifies their contractual obligations to abide by laws and regulations governing personal information protection, prohibition of personal information provision to a third party and their liability in the contracts that are documented and kept both in writing and electronically by Citibank. Citibank will disclose any changes in the content of outsourcing by modifying Citibank Privacy Notice.
• ARTICLE 8. OVERSEAS TRANSFER OF PERSONAL INFORMATION

  Personal information is transferred overseas when it is necessary to entrust processing and storage for the conclusion and fulfillment of a contract with the data subject.
  Overseas transfer In detail

• ARTICLE 9. PROCEDURES AND METHODS OF PERSONAL INFORMATION DESTRUCTION
  • ① In case the retention period of personal information expires, Citibank shall destroy without any delay personal information on or after the day when such information becomes of no use for reasons such as expiration of retention period, fulfillment of purpose of personal information handling, discontinuation of relevant services or closure of business, etc. unless :
    • 1. credit information centralization agencies or credit information companies retain personal credit information (only for the allowed retention period) for the purpose of centralized management·utilization of credit information or assessment of personal creditworthiness;
    • 2. credit information companies, etc. retain personal credit information for the period of effectiveness of civil·criminal obligations or for the period under a statute of limitations or hold personal credit information as evidence to resolve disputes;
    • 3. Citibank is obliged to preserve personal information in accordance with Article 33 of Commercial Act; or

      Foundation for preservation / Personal information item preserved

      Foundation for preservation	Personal information item preserved
      Article 33 of Commercial Act	- Important documents related to business, such as contracts, transaction applications, etc.
      Article 20-2 of Use and Protection of Credit Information Act	- Financial transaction information, such as account opening and transaction history
      Article 201-10 of Enforcement Decree of the Income Tax Act	- Information for issuance of pension certificate, such as amount of annual payment, withdrawal, payment conversion, excluded taxable, etc.
      Article 5-4 of Act on reporting and using specific Financial Transaction Information	- Materials such as financial transactions that can confirm the actual name of the other party - Financial transactions, etc. subject to reporting - Information, etc. about the remitter and the recipient

    • 4. there are any other reasonable causes similar.
  • ② Personal information in printed format shall be destroyed by shred into particle or incineration and personal information in electronic format shall be permanently destroyed by the way that cannot be restored.
• ARTICLE 10. DATA SUBJECT & LEGAL REPRESENTATIVE’S RIGHTS & OBLIGATIONS AND WAYS TO ENFORCE THEM
  • ① You are entitled to demand access to personal information handled by Citibank pertaining to you or children aged under 14 (only if you are their duly authorized legal guardian).
  • ② You may demand that Citibank correct or delete personal information you have read in case the information differs from the truth or is not verifiable unless such information shall be collected, as regulated in other laws or regulations.
  • ③ You may demand that Citibank suspend processing your personal information; provided that Citibank may reject such demand for suspension of information processing by giving you the reason of rejection if :
    • 1. either there are special regulations in laws or Citibank cannot but process your information to fulfill our obligations that are required by laws and regulations ;
    • 2. suspension of information processing may harm life·body of another person or unreasonably prejudice property or other interests of another person ; or
    • 3. our failure to process personal information interferes with our performance of contract with you including but not limited to failure to provide contracted services to you in cases where you have not explicitly expressed your intention to terminate the contract.
  • ④ The data subject can exercise rights such as access, correction, and deletion requests through Citibank’s branch (written submission), call centers (phone call submission), or Citibank website (online submission). The legal representative of a child under the age of 14 may exercise the right to request for viewing, correction, or deletion of the child’s personal information to Citibank and an data subject who is a minor over the age of 14 may exercise his or her rights himself or herself or through a legal representative. In case of a representative, the rights can be exercise through a branch office.
• ARTICLE 11. SECURITY MEASURES TO PROTECT PERSONAL INFORMATION

  Citibank takes technical / managerial and physical measures necessary for obtaining security as follows, as prescribed by Article 29 of Personal Information Protection Act.

  • ① Encryption of personal information
    • Your pin number is accessible only by you because it is stored and managed through encryption. Files and transmission data containing important data are protected via separate security measures including encryption or file locking.
  • ② Technical measures against hacking
    • To prevent any leakage or destruction of personal information triggered by hacking or computer viruses, Citibank has security programs installed and updated·monitored on a periodic basis while placing a system in an access restricted area and conducting technical/physical monitoring and access block from outside.
  • ③ Restricted access to personal information system
    • Citibank takes measures required for restricting access to personal information by authorizing, modifying or terminating access to database system which processes personal information.
  • ④ Minimize and train personal information handlers
    • Handlers of personal information shall be designated and be exclusively provided with minimum personal information.
• ARTICLE 12. INSTALLATION, OPERATION, AND REJECTION OF THE AUTOMATIC COLLECTION OF PERSONAL INFORMATION
  • Citibank uses cookies that save and retrieve user information to track users’ website visit history and does not use that information for any purpose other than its intended purpose or provide it to third parties. Cookies are small amounts of information that the server (http), used for running a website, sends to users’ computer browsers that can be stored on the hard disk of users’ PC.
  • Purpose of Use of Cookies
    It is used to provide optimized information to users by having access to visit history, such as visit frequency and visit time.
  • Installation, operation, and rejection of cookies
    Customer can change its option from your internet browser to accept all cookies, or confirm whenever it is saved or deny all cookies. However, if a user chooses the option to reject saving of cookies, it may cause inconvenience when using the service.

    Web Brower (example)
    Chrome : Settings -> Privacy and security -> third-party cookies -> selecting options (allowing or blocking cookies)
    Microsoft Edge : Settings -> Cookies and site permissions -> Manage and delete cookies and site data -> selecting options (block cookies or allow sites to save and read cookie data)

• ARTICLE 13. ADDITIONAL USAGE AND PROVISION CRITERIA
  • Pursuant to Article 15.3 and 17.4 of 「Personal Information Protection Act」 and considering Article 14.2 of 「Enforcement Degree of the Personal Information Protection Act」, Citibank can additionally use∙furnish personal information without the consent of the data subject.
  • Citibank considered the following to additionally use and provide personal information without the consent of data subject. In the event of additional use or continuous use of personal information, Citibank will disclose the judgement criteria for the consideration of each of the following items in advance in the privacy notice.
    • a. Whether the purpose of additionally using and providing personal information is related to the original purpose of collection
    • b. Whether there is predictability for additional usage and provision of personal information in light of the circumstances in which personal information is collected or the processing practices.
    • c. Whether the additional usage and provision of personal information unfairly violates the interests of the data subject.
    • d. Whether necessary measures to secure safety, such as pseudonymization or encryption, have been taken.
• Article 14. PROCESSING PSEUDONYMOUS DATA
  • ① Purpose of processing pseudonymous data
    • Pursuant to Article 28.2 of 「Personal Information Protection Act」, personal information may be pseudonymized without the consent of data subjects for statistical purposes (including commercial purpose), scientific research purposes (including industrial purpose), and archiving purposes in the public interest, etc. Click on below ‘⑥ Pseudonymization of Data in Detail’ to see Citibank’s purpose of processing pseudonymous data.
  • ② Items of pseudonymized personal information
    • Click on below ‘⑥ Pseudonymization of Data in Detail’ to see type, item, and purpose of pseudonymized data processed by Citibank.
  • ③ Processing and retention period of pseudonymous data
    • Pseudonymous data will be kept ∙ used only for the period (time) during which the purpose set forth by the initial plan for processing pseudonymous data is fulfilled. Click on below ‘⑥ Pseudonymization of Data in Detail’ to see Citibank’s processing and retention period for pseudonymous data.
  • ④ Provision of pseudonymous data to a third party
    • Click on below ‘⑥ Pseudonymization of Data in Detail’ to see provision of pseudonymous data to a third party
  • ⑤ Measures to ensure the safety of pseudonymous data
    • Managerial measure: Establishment and implementation of internal management plans and training employees regularly, etc.
    • Technical measure: Authority and access control to pseudonymous data, prevention of re-identification, and installment of security programs.
    • Physical measure: access control to computer rooms and data storage rooms
  • ⑥ Pseudonymization of Data In detail
• ARTICLE 15. PEROSNAL INFORMATION PROTECTION OFFICER AND CONTACT INFORMATION OF GRIEVANCE HANDLIND DIVISION, etc.
  • ① Personal information protection officer of Citibank, as prescribed in Paragraph 1 of Article 31 of Personal Information Protection Act is as follows: Personal Information Protection Officer
    • Compliance Div. : Han-Suk Kim
    • Email: counseling
    • TEL: 02-2004-1566
  • ② Request for access to personal information pursuant to Article 35 of the Personal Information Protection Act can be made through branches and internet banking.
    • Branches : Visit a branch to request to access (business hours : 09:00 ~ 16:00)
    • Internet banking website (www.citibank.co.kr) : After logging in, click setting (upper right corner) -> My Profile > Edit Profile > Manage Customer Information
  • ③ Also, Please contact us at the number below for any inconvenience with your personal information including requests for access to your personal information. We will do our best to take care of it at the earliest possible time. Citibank Customer Center
    • For banking services: 1588-7000
    • For Internet Banking: 02-3704-7700
    • For Citicard : 1566-1000
    • Personal Information counsel : 02-2004-1566
• ARTICLE 16. REMEDIAL MEASURES FOR VIOLATION OF RIGHTS AND INTERSTS

  If you want to report or consult infringement of privacy, please contact the following agencies :

  • ① Personal Information Dispute Mediation Committee(www.kopico.go.kr / 1833-6972)
  • ② Cyber privacy center of Korea Internet Security Agency (privacy.kisa.or.kr / 118(no area code))
  • ③ Supreme Prosecutor’s Office (www.spo.go.kr / 1301(no area code))
  • ④ Korea National Police Agency (ecrm.cyber.go.kr / 182(no area code))
• ARTICLE 17. CHANGE OF Citibank Privacy Notice
  • In case of any changes to Citibank’s Privacy Notice, the timing of amendment and effectuation as well as details of changes shall be constantly disclosed. Comparison of before and after changes shall be disclosed to help you better grasp details of the changes.
  • This Privacy Notice is effective as of September 14, 2023.
  • The previous Privacy Notice can be found below

• Customer Center