Privacy Policy

Privacy Policy

Data Protection Information for Customers of KEB Hana Bank (D) AG

1.         Content 

With this data protection information, we inform you, our customers, in accordance with the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), about the processing of your personal data by us as well as about your rights. These notices will be updated as necessary and published at www.kebhana.de/datenschutz

If you are not yourself our customer but an representative of the customer (for example, board member, managing director), employee, or beneficial owner of our customer, these data protection notices apply to you as well. 

Which data are processed in detail and how they are used depends on the respective agreed services. 

Please also pass on this data protection information to authorized representatives, employees, beneficial owners, or agents.

2.         Controller and Contact 

The controller is us, your employer, 

KEB Hana Bank (D) AG

Bockenheimer Landstr. 33–35

60325 Frankfurt/Main

Telephone: +49 69 7129-0

info (at) kebhana.de 

The contact details of our Data Protection Officer are: 

thomas.helbing (at) datenschutz-helbing.de

 This data protection information also apply to our legally dependent branches, for example in Poland. These are part of the entity mentioned above and are not independent controllers within the meaning of the GDPR.

3.         Categories of Data

We process data that we receive from the business relationship with you. We receive the data directly from you or from the customer, for example in the context of account opening, contract initiation, and conclusion of the contract. 

Specifically, we process in particular the following categories of data: 

3.1.      Master data: Basic information about you, such as name, address and contact details, bank account, occupation, marital status, your role or function with the customer, any status as a politically exposed person (PEP)

3.2.      Identification data: Data processed for the purpose of identifying you (for example, personal details to be collected for identification purposes as well as ID data and unique identifiers such as tax numbers or national identification numbers)

3.3.      Transaction data: Data in connection with the execution of contracts between us and the customer (for example, orders), including payment transaction and trade finance data (SWIFT/SEPA/TARGET, letters of credit, collections, forfaiting), interbank/correspondent banking data

3.4.      Tax data: Tax-relevant data (for example, for withholding tax and exemption orders, non-assessment data, church tax deduction feature)

3.5.      Contract data relating to other products: Contract data, for example relating to concluded credit agreements

3.6.      Correspondence data: Data from correspondence with you (for example, written communication with you)

3.7.      Marketing and sales data: Data relating to marketing activities by us towards you (for example, products that may be of interest to you)

3.8.      Technical data (if used): Log files, access logs, IP addresses, device identifiers, session data, and other IT security-related information. 

4.         Obligation to Provide Data

 Within our business relationship, you are only required to provide those personal data that are necessary for the establishment, performance, and termination of a business relationship with the customer or which we are legally obliged to collect. 

Without these data, we will generally be unable to conclude the contract or execute the order due to lack of feasibility or to continue an existing contract and may have to terminate it. In particular, under the provisions of anti-money laundering law, we are obliged to identify you prior to establishing the business relationship, for example on the basis of your identity card, and to collect your name, place of birth, date of birth, nationality, and residential address. To enable us to comply with this legal obligation, you must provide us with the necessary information and documents under the Money Laundering Act and promptly notify us of any changes arising during the course of the business relationship. If you do not provide us with the required information and documents, we may not establish or continue the business relationship you request.

5.         Sources of Data

 We receive the data directly from you or from the customer or from your contractual partners or correspondent banks. 

Where permissible, we may also obtain data from public sources (for example, land registers, commercial and association registers, press, media, internet), from credit agencies, business information services, and public authorities (for example, residents’ registration offices) or from our parent company, Hana Bank Co., Ltd. (trading as KEB Hana Bank), 35 Eulji-ro, Jung-gu, Seoul 04523, Republic of Korea (“Parent Company”). 

6.         Purpose of Processing and Legal Basis 

We process personal data in accordance with the provisions of the GDPR and the BDSG. Below, we inform you about the purposes for which and the legal bases on which we process your data. 

6.1.      For the Fulfilment of Contractual Obligations (Art. 6 para. 1 lit. b GDPR) 

We process your data for the performance of our contracts with our customers or for pre-contractual measures, that is in particular for account management, execution of credit agreements, trade finance processing, foreign exchange transactions, and execution of your orders as well as all activities required for the operation and administration of a credit and financial services institution. 

The purposes of data processing depend in detail on the specific product and the contractual documentation. 

6.2.      Within the Scope of the Balancing of Interests (Art. 6 para. 1 lit. f GDPR) 

We also process your data beyond the actual fulfilment of the contract on the basis of a balancing of interests to safeguard our legitimate interests or those of third parties. This takes place, each within the limits of what is legally permissible, for the following purposes:

  • general business management and further development of services and products
  • advertising, market and opinion research
  • assertion of legal claims and defense in legal disputes and securing of relevant evidence
  • prevention and investigation of criminal offenses
  • ensuring IT security and IT operations
  • ensuring effective and efficient compliance with statutory and regulatory provisions and demonstrating compliance
  • identification, assessment, and control of risks
  • prevention, detection, and termination of fraud and abuse
  • preparation of analyses, reports, and evaluations for the development and improvement of our products, services, and internal processes and for business management. 

The interests in the respective processing arise from the aforementioned purposes and also include:

  • improvement of our internal processes as well as our services and products (for example, for better customer service)
  • increase of efficiency and profitability (for example, through centralization and standardization of processes and functions within the KEB Hana Group as well as through the use of modern IT systems and specialized service providers)
  • promotion of sales
  • protection of assets (for example, against fraud), property, and health
  • ensuring information security and data protection. 

6.3.      Based on Your Consent (Art. 6 para. 1 lit. a GDPR) 

Where you have given us consent to process personal data, this consent constitutes the legal basis for the processing referred to therein. This applies in particular to your possible consent to receive marketing communications. 

6.4.      Based on Legal Obligations (Art. 6 para. 1 lit. c GDPR) 

We are subject to various legal obligations, that is statutory requirements (for example, the German Banking Act (KWG), Anti-Money Laundering Act (GWG), tax laws, foreign trade law, sanctions regimes, payment system regulations) as well as supervisory requirements (for example, of the European Central Bank, European Banking Authority, Deutsche Bundesbank, and Federal Financial Supervisory Authority). The purposes of processing include identity, fraud, and money laundering prevention, prevention of terrorist financing, compliance with tax control and reporting obligations, and the assessment and management of risks. 

7.         Nature of Processing, Profiling 

Within the scope of the aforementioned processing operations, we may, in compliance with legal requirements, also use data for the development, training, application, improvement, and monitoring of artificial intelligence models and systems. Possible areas of application include, for example, the recording and classification of data (for example, in incoming documents), the recognition of patterns and relationships in large data sets (for example, for combating fraud or in customer consulting, support, and sales), and support for process automation (for example, in customer service). 

We may process your data partly automatically with the aim of evaluating certain personal aspects (so-called “profiling” according to Art. 4 No. 4 GDPR). We may use profiling, for example, in the following cases: Based on statutory, regulatory, and sanctions-related requirements in the context of combating money laundering and terrorist financing, prevention of criminal acts that may endanger our assets, and compliance with sanctions requirements, we are obliged to take precautions which also include data analyses of your identification data, transaction data, and tax data, for example in relation to your transactions. These measures also serve to protect you. 

8.         Data Recipients 

Your data will only be disclosed in compliance with banking secrecy and only insofar as a legal basis permits this (in particular for the execution of your orders). 

Within our bank, those departments receive your data which require them to fulfil our contractual and legal obligations or to perform their respective tasks (for example, credit department, customer service, anti-money laundering officer). 

In addition, the following entities may receive your data where and insofar as a legal basis exists:

  • processors used by us (Art. 28 GDPR), in particular in the area of IT services, which process your data on our instructions
  • public authorities and institutions (for example, Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities) where a legal or regulatory obligation or another legal basis exists
  • other credit/financial institutions, correspondent banks, clearing/settlement institutions (for example, within SEPA, TARGET, SWIFT)
  • our Parent Company, which provides certain IT systems to us as a processor, for example
  • external lawyers, data protection officers, courts, arbitration and mediation bodies, auditors and auditors-in-charge
  • credit agencies and business information services (for example, within the scope of permissible inquiries by us)
  • consulting firms and outsourcing service providers, as well as
  • other entities to which you have given us your consent to transfer data.

9.         Retention Period

 Where necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and execution of a contract between us and the customer. It should be noted that our business relationship with the customer is often a continuing obligation (credit agreements, account management) that is intended to last for years.

Your data will be regularly deleted once they are no longer required for the fulfilment of contractual or legal obligations or you have withdrawn your consent to processing, unless further processing is necessary for the following reasons: Retention and documentation obligations a rising, among other things, from the Commercial Code (HGB), the Fiscal Code (AO), the Banking Act (KWG), or the Anti-Money Laundering Act (GWG). The periods prescribed therein for retention or documentation are two to ten years. 

According to the statutory limitation periods, which under §§ 195 et seq. of the Civil Code (BGB) generally amount to three years but may in certain cases be up to thirty years.

10.      Transfer to Third Countries 

We transfer your data to countries outside the European Economic Area (EEA) (so-called “third countries”) only insofar as this is necessary for the performance of our contract with the customer or the execution of your orders (for example, transfers), or required by law, or you have given us your consent, or within the scope of processing by a processor. 

Insofar as we transfer data to our Parent Company in Korea, the following applies: The European Commission determined by Decision (EU) 2022/254 of 17 December 2021 that the Republic of Korea (South Korea) ensures an adequate level of protection for personal data in accordance with the GDPR. 

If we transfer data to companies in the USA that are certified under the EU–US Data Privacy Framework, this ensures an adequate level of protection. 

In all other cases, unless otherwise stated, we have concluded a contract with the data recipients in the third country based on the EU Standard Contractual Clauses to ensure an adequate level of protection. You may request a copy of the EU Standard Contractual Clauses used from us. 

11.      Rights of the Data Subject 

Under the respective legal conditions, you have the following rights concerning your personal data:

  • right of access (Art. 15 GDPR, § 34 BDSG),
  • right to rectification (Art. 16 GDPR),
  • right to erasure (Art. 17 GDPR, § 35 BDSG),
  • right to restriction of processing (Art. 18 GDPR),
  • right to data portability (Art. 20 GDPR),
  • right to withdraw consent (Art. 7 para. 3 GDPR),
  • right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG), and
  • the following rights to object (Art. 21 GDPR):

 

Right to object due to a particular situation in case of balancing of interests


You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6 para. 1 lit. f GDPR (data processing on the basis of a balancing of interests). This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR. 

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims. 

Right to object to data processing for direct marketing purposes


We may also process your data for direct marketing purposes within the framework of statutory provisions. You have the right to object at any time to the processing of personal data concerning you for such advertising purposes. This also applies to profiling insofar as it is associated with such direct marketing.If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. 

The objection may be made in any form. You can find our contact details under section 1.

 

 

 

 

Tags: ,

ASIA No.1 BANK

Bank of the Year 2015 - Asia Pacific

Selected by The Banker, the world's leading authority under financial journals.

2015 Bank of the Year in Asia Pacific

Latest News

Place of Business

Bockenheimer Landstr. 33-35
60325 Frankfurt/Main
+49 (69) 7129-0
+49 (69) 7129-122
info@kebhana.de
Mo-Th | 08:00 - 12:00 & 13:00 - 16:00
Fr | 08:00 - 12:00 & 13:00 - 15:00