Woori Bank Vietnam – Privacy Policy

Woori Bank Vietnam (hereinafter referred to as the “Bank”) is committed to protecting customers’ personal data in compliance with applicable laws and regulations of Vietnam.

This Privacy Policy has been developed in accordance with the Vietnamese legal framework on personal data protection (including the Law on Personal Data Protection and its implementing Decree, the Law on Data and its implementing Decree, the Law on Cybersecurity and its implementing Decree, the Circulars of the State Bank of Vietnam, the Law on Protection of Consumer Rights, and other relevant financial regulations).
It shall be subject to updates and amendments as required by law and shall apply to all financial products and services of the Bank within Vietnam.

1. Purpose of Personal Data Collection and Use

1.1 The Bank collects and uses customers’ personal data only within the necessary scope for one or more of the following purposes:

  • Banking Transactions and Service Provision:
    For the purpose of providing and executing the Bank’s core services and contracts, including account opening and management, loan appraisal and disbursement, credit card issuance, and electronic banking transactions.
  • Customer Identification and Regulatory Compliance:
    For fulfilling legal and regulatory obligations such as Know-Your-Customer (KYC), anti-money laundering (AML), and suspicious transaction monitoring as required by financial and banking laws.
  • Customer Support and Service Improvement:
    For responding to customer inquiries and complaints, notifying customers of transaction details, improving service quality, and conducting internal training, statistics, and market analysis.
  • Marketing and Product Promotion:
    For providing information on new products, events, and promotional activities.
    (Such processing will be conducted only with the customer’s prior separate consent, and the customer may withdraw consent at any time.)
  • Compliance with Industry Standards, Internal Policies, and Regulatory Requirements:
    To ensure adherence to professional financial and banking standards, internal requirements and procedures, and all applicable laws, regulations, guidelines, directives, and requirements issued by competent authorities (both domestic and international).
  • Protection of the Bank’s Legitimate Rights and Interests:
    To exercise and defend legal rights and claims of the Bank, its parent company, subsidiaries, and affiliates, and to resolve disputes or establish appropriate remedies.
  • Other Legitimate Purposes:
    To perform necessary activities related to the purposes stated above, as well as other specific purposes defined in the terms and conditions applicable to each product or service offered by the Bank, which have been duly notified to and consented by the customer.

1.2 The Bank will not use customers’ personal data beyond the purposes specified above.

If the processing purpose changes or the data is to be used for any purpose other than those explicitly stated, the Bank will notify the customer in advance and obtain consent where required.

2.Types of Personal Data Collected and Methods of Collection/Processing

2.1 Types of Personal Data Collected and Processed

The types of personal data collected and processed by the Bank, as well as the specific methods of collection, are described below.
These may vary depending on applicable laws, regulations, and supervisory requirements.
In principle, the Bank collects the following categories of personal data.
The examples provided below are illustrative and not exhaustive — additional data may be collected depending on the nature of products and services, customer requests, or interactions with the Bank:

  • Categories of Personal Data:
    Basic personal information required for customer identification and transactions (e.g., full name, date of birth, nationality, gender, ID/passport number, photograph, signature, vehicle registration number, personal tax identification number, social insurance number, health insurance number, etc.);
    Contact details (e.g., address, telephone number, email, social media ID, etc.);
    Employment and occupational information;
    Financial transaction information (e.g., account number, card number, transaction details, balance, loan information, etc.);
    Credit information (e.g., credit rating, credit transaction history);
    Electronic financial transaction information (e.g., location data, biometric data, online banking ID, access logs, IP address, etc.);
    and other information provided during the process of applying for or using the Bank’s services.
  • Sensitive Personal Data:
    Where the data falls under categories legally defined as Sensitive Personal Data, the Bank may collect such data when it is necessary for the Bank’s operations.
    For example, biometric data (such as fingerprints or facial data) may be collected with the customer’s explicit consent for the purpose of identity verification in electronic financial transactions.
    Similarly, customer credit information obtained from credit bureaus (such as transaction history, loan or delinquency records) is regarded as sensitive information under applicable law and will be processed in compliance with lawful procedures.
    (Further details on the processing of sensitive personal data are provided in Article 7 of this Policy.)

2.2 Methods of Collection

The Bank collects personal data through:

  • Information directly provided by customers in application forms or during transaction processes;
  • Information automatically collected through electronic channels such as online banking or mobile applications; and
  • Information lawfully provided by third parties in accordance with applicable laws and regulations.

For example, personal information may be collected via physical or electronic forms when opening an account or applying for a loan.
During the use of electronic banking services, connection and access data may be collected through cookies or log files.
In addition, for credit assessment purposes, the Bank may obtain customers’ credit evaluation information from licensed credit information agencies, subject to the customer’s separate consent.

Customers have the right to provide consent selectively (Opt-in) for each specific purpose and category of personal data.
Such consent is valid only within the agreed purpose and scope.
Customers may withdraw their consent, in whole or in part, at any time.

2.3 Data Accuracy and Processing Methods

The Bank endeavors to maintain personal data accurate and up to date, and may request customers to update their information when necessary.

Personal data is processed by means such as collection, recording, analysis, verification, storage, editing, disclosure, combination, access, retrieval, encryption, decryption, copying, sharing, transfer, provision, transmission, deletion, destruction, or anonymization, in accordance with legal requirements.
The Bank will take appropriate and timely measures to ensure data protection at all times.

Personal data processing may occur automatically when customers interact with the Bank’s digital platforms, or manually when required for a specific processing purpose.
Such processing may be performed directly by the Bank or, where permitted by law and the Bank’s internal regulations, entrusted to authorized third parties under lawful contractual arrangements.

3.Retention and Processing Period of Personal Data

3.1 The Bank retains and uses collected personal data only for the duration necessary to achieve the purposes of processing, and for the retention period required by applicable laws and regulations.
The specific retention period may vary depending on the nature of the personal data and the purpose of use.
Major examples include:

  • Financial Transaction Data:
    Records related to financial transactions such as accounts and loans shall be retained for a period prescribed under Vietnamese financial regulations even after the completion of such transactions (e.g., at least five (05) years of retention for transaction records as required by the Law on Anti-Money Laundering).
  • Credit Information:
    Data collected for credit evaluation or assessment purposes shall be retained only for the period required under relevant laws after such purposes have been fulfilled, and shall thereafter be deleted.
  • Electronic Banking Transaction Data:
    In accordance with relevant laws on electronic transactions, details of electronic transactions and access logs shall be retained for a certain period of time before being securely deleted.
  • Other Statutory Requirements:
    Personal data may also be retained for a prescribed period if required under other applicable laws such as those governing taxation, accounting, or consumer protection.

3.2 Once the above retention period expires or the processing purpose has been achieved, the relevant personal data shall be promptly deleted or anonymized.
However, exceptions may apply where:
(i) a separate retention period has been explicitly agreed upon with the customer’s consent; or
(ii) the Bank is subject to statutory retention obligations under applicable laws and regulations.

4.Provision of Personal Data to Third Parties (Partnerships)

4.1 As a general rule, the Bank does not disclose or provide customers’ personal data to any third party without the customer’s prior consent.
However, personal data may be provided exceptionally under the following circumstances, either as required by law or with the customer’s explicit consent:

  • Provision Required by Law:
    When there is a legitimate request from competent authorities such as judicial bodies or supervisory regulators, or when other laws require financial institutions to provide customer information
    (e.g., provision of data pursuant to a court order, or requests for national security purposes).
    In such cases, information shall be disclosed strictly within the scope and procedure permitted by law.
  • Financial-Related Institutions:
    For the purpose of ensuring smooth financial services and compliance with regulatory requirements, the Bank may inquire into or provide customer credit-related information to credit information agencies (e.g., the Credit Information Center – CIC) and provide information to public authorities (e.g., tax or customs authorities) within the limits permitted by law.
  • Woori Financial Group Affiliates:
    With the customer’s consent, certain information may be shared with the parent company or related affiliates within the Woori Financial Group for purposes such as integrated financial services or risk management.
    (e.g., sharing of minimal customer information within the consented scope for joint marketing purposes).
  • Other Partner Companies:
    When the customer applies for or uses a specific partnered or affiliated service (e.g., bancassurance products, co-branded or partner marketing cards), relevant information necessary for the provision of such services may be shared with the customer’s consent.
    In such cases, the recipient entity, data items provided, and purpose of provision will be explicitly notified to and consented by the customer in advance.

4.2 The Bank strictly complies with its confidentiality obligations under the Law on Credit Institutionsand other applicable financial laws of Vietnam, and does not provide or disclose personal data to any external parties other than those specified above.
Even when disclosure is permitted, the Bank ensures that only the minimum necessary data is provided within the required scope, and that all such provision complies fully with applicable legal procedures.

4.3 ▶ Refer to the List of Third-Party Data Recipients attached to this Policy.

5. Entrustment of Personal Data Processing

5.1 For the purpose of service operation and business efficiency, the Bank may entrust certain personal data processing activities to qualified third-party service providers.
Major outsourced processing activities and examples of entrusted entities include:

  • IT System Operation:
    Personal data processing may be outsourced to professional IT companies for system development, maintenance, and server hosting (e.g., system management companies, cloud service providers).
  • Card Issuance and Delivery:
    Credit card manufacturing and delivery services may be entrusted to specialized vendors.
  • Customer Service Centers:
    Customer support or call center operations may be outsourced to external call center service providers.
  • Marketing Agency:
    Marketing communications (e.g., promotional messages) may be handled by authorized agencies, only upon obtaining prior consent from the customer.

5.2 When outsourcing personal data processing, the Bank explicitly includes contractual provisions requiring the entrusted parties (processors) to comply with personal data protection obligations and security requirements.
The Bank also monitors and supervises such entrusted entities on a regular basis to ensure ongoing compliance.

If there are any changes in the list of entrusted processors, such updates will be reflected in this Policyand/or separately notified to customers.
Customers may request information on the most recent status of outsourced processing activities at any time through the Bank.

5.3 ▶ Refer to the List of Entrusted Processors (Data Processing Contractors) attached to this Policy.

6. Cross-Border Transfer of Personal Data

6.1 In the course of providing services, the Bank may transfer customers’ personal data outside Vietnam, when necessary.
Typical cases of cross-border data transfers include:

  • Information Sharing with Headquarters and Affiliates:
    The Bank may exchange necessary information with its parent company or head office located in the Republic of Korea or other jurisdictions for business purposes.
    For example, customer data may be transferred to Woori Bank in Korea for group-level risk management, internal audit, or IT system support.
  • Use of Foreign IT Services:
    When the Bank uses cloud services or global IT solutions whose servers are located outside Vietnam, customer data may be temporarily stored or processed on such overseas servers as part of system operation.

6.2 When transferring personal data across borders, the Bank strictly complies with the requirements set forth under applicable data protection laws.
Cross-border transfers are carried out only within the scope of the customer’s prior consent, following completion of a Data Transfer Impact Assessment (DPIA) and implementation of required security measures in accordance with the Vietnamese Personal Data Protection Decree (PDPD).

The Bank will provide customers with transparent information on:

  • The categories of personal data to be transferred,
  • The recipient country and organization,
  • The time and method of transfer,
    and will obtain consent before such transfer.

The Bank will also ensure that overseas recipients implement adequate data protection measuresthrough contractual arrangements, and will comply with the reporting and procedural requirements (e.g., impact assessment submission) to the Department of Cybersecurity and High-Tech Crime Prevention (A05) of the Ministry of Public Security.

6.3 Customers may withdraw their consent for cross-border data transfers at any time.
Upon such withdrawal, the Bank will immediately cease any further overseas transfer of personal data and take all necessary remedial measures.

7. Processing of Sensitive Personal Data

7.1 Definition

“Sensitive Personal Data” refers to information concerning an individual’s private life that, if infringed, may directly affect the rights and interests of the data subject.
Under Vietnamese law, the following types of data are classified as Sensitive Personal Data:
political opinions, religious beliefs, health and medical information, biometric and genetic data, sexual life or orientation, criminal records, location data, customer credit information held by credit institutions, and other sensitive data as prescribed by law.

7.2 Processing of Sensitive Data by the Bank

Among the personal data processed by the Bank, certain data may fall under the category of sensitive data.
The Bank processes such data under enhanced security and protection measures, as follows:

  • The Bank obtains separate and explicit consent from the customer prior to collecting or using sensitive personal data.
    For example, in electronic financial transactions requiring biometric verification (such as fingerprints or facial recognition), the Bank will clearly inform the customer of the purpose, method, and security safeguards before obtaining explicit consent.
  • Sensitive financial data such as credit information is strictly protected under financial regulationsand shall not be disclosed to third parties without a legal basis.
  • Sensitive data is safeguarded through reinforced security controls, including access authorization management and encryption, throughout all processing stages.
    Where required by law, the Bank will also notify relevant data protection authorities of its sensitive data processing activities (e.g., designation of internal departments or officers responsible for sensitive data protection and notification to the competent authority).
  • Where the Bank is legally required to notify customers of the processing of their sensitive data, it will do so in a timely and transparent manner, and obtain any necessary consents, unless exempted by law.

7.3 The Bank manages sensitive personal data separately from general personal data, ensuring enhanced protection and compliance with additional legal standards to prevent any harm to the rights and interests of data subjects.

8. Lawful Basis and Consent for Personal Data Processing

8.1 The Bank principally relies on the customer’s consent as the primary legal basis for processing personal data.
Personal data provided by customers during account opening, product application, or service registration shall be processed within the scope of the purposes for which consent was given.

Consent is provided voluntarily by the customer, and silence or non-response shall not be interpreted as consent.
Where consent is sought for multiple purposes, the Bank will clearly distinguish each purpose so that customers can selectively provide consent (Opt-in) for each specific purpose.

8.2 However, under Vietnamese laws and regulations, the Bank may process personal data without obtaining separate consent from the data subject in the following exceptional circumstances:

  • Emergency Situations:
    When it is necessary to process personal data immediately to protect the life, health, or safety of the data subject or another person (e.g., in emergency medical situations).
  • Legal Requirements:
    When the processing, disclosure, or use of personal data is permitted or required by other laws (e.g., submission of data under the Criminal Procedure Code).
  • Processing by State Authorities:
    When personal data is processed by competent State agencies for national security, public order, or criminal investigation purposes, as authorized by law.
  • Performance of Contract:
    When the processing is necessary for the execution or performance of a contract to which the customer (data subject) is a party, within the scope of such purpose (e.g., processing necessary to execute the customer’s requested banking transaction).
  • Public Interest or Other Legal Grounds:
    When other legitimate grounds exist under Vietnamese law that allow processing without consent of the data subject.

In such cases, while consent may not be required, the Bank shall process personal data only to the minimum extent necessary and shall strictly comply with applicable legal provisions to ensure the protection of the customer’s rights and personal data security.

8.3 Customers retain the right to withdraw their consent at any time after it has been given.
Upon withdrawal, the Bank will immediately cease the corresponding data processing activities and take necessary measures in accordance with the law regarding any prior processing.
Customers will be notified of any potential consequences or disadvantages resulting from consent withdrawal.

(Note: Withdrawal does not have retroactive effect on services already provided prior to withdrawal. The Bank may still retain data for the statutory retention period if required by law.)

9. Rights of Data Subjects and Methods of Exercise

9.1 In accordance with Vietnamese personal data protection laws, customers (data subjects) are entitled to various rights concerning their personal data.
The Bank has established appropriate procedures to safeguard and facilitate the exercise of these rights.
The primary rights of customers and the methods of exercising them are as follows:

  • Right to Be Informed:
    Customers have the right to be informed about how their personal data is collected, used, and processed, including its purposes and scope.
    The Bank provides basic information through this Policy and will furnish further details upon request.
  • Right to Consent and Withdraw Consent:
    Customers have the right to decide whether to provide their personal data and may withdraw consent at any time.
    Withdrawal requests may be submitted via Bank branches, customer service hotlines, or online/web/app settings.
    The Bank will process such requests within 72 hours (unless otherwise provided by law) and subsequently cease processing the relevant data.
  • Right of Access and Data Provision:
    Customers have the right to access and obtain copies of their personal data held by the Bank.
    After identity verification, the Bank will provide the requested data within a reasonable timeframe.
    Access may be restricted only where disclosure would infringe upon the rights of other individuals or where prohibited by law.
  • Right to Rectification and Deletion:
    Customers have the right to request correction of inaccurate or incomplete data.
    They may also request deletion of personal data once processing purposes have been fulfilled or legal grounds for retention no longer exist.
    Upon receipt of such a request, the Bank will review and act promptly and notify the customer of the result.
    However, if retention is required by other laws (e.g., taxation or accounting), deletion may be deferred until the expiry of the statutory period.
  • Right to Restrict Processing:
    Customers may request the temporary restriction of processing in special circumstances—for instance, when contesting the accuracy of data during a verification period.
    The Bank will act upon such requests within 72 hours and suspend relevant data processing during the restriction period, unless otherwise mandated by law.
  • Right to Object:
    Customers have the right to object to the processing of their personal data for specific purposes.
    In particular, they may object to automated processing, profiling, or direct marketing activities for commercial purposes.
    Upon receiving such objection, the Bank will immediately suspend the related marketing activities.
    General objections will be handled within 72 hours, and where the objection is justified, the Bank will terminate the relevant processing.
  • Right to Complain and Seek Legal Remedies:
    Customers have the right to lodge inquiries or complaints regarding the Bank’s personal data processing.
    If dissatisfied with the Bank’s response, customers may file a complaint or initiate legal proceedings with the competent authorities such as the Department of Cybersecurity and High-Tech Crime Prevention (A05, Ministry of Public Security) or the Consumer Protection Authority.
    Customers may also seek compensation for damages arising from violations of data protection laws.
  • Right to Claim Compensation:
    Customers are entitled to claim compensation for damages caused by violations of data protection regulations, unless otherwise agreed between the parties or stipulated by law.
  • Right to Self-Protection:
    Customers have the right to take necessary measures to protect their own personal data.
    The Bank provides guidance and security best practices to assist customers in exercising self-protection of their personal information.

9.2 To exercise these rights, customers may contact the Bank’s Data Protection Officer (DPO) or the designated department (refer to Article 13 below for contact details).
The Bank will provide prompt and diligent support to ensure customers’ rights are properly exercised and will respond within the statutory timeframe.

The exercise of rights is generally free of charge, except where nominal fees are permitted under law for repetitive or excessive requests.

10. Technical and Organizational Measures for Personal Data Security

10.1 The Bank implements the following technical and administrative measures to ensure the safe protection of customers’ personal data:

  • Internal Management Framework:
    The Bank establishes internal regulations and guidelines for personal data protection, conducts regular staff training and compliance checks, and designates responsible officers for each stage of data processing. Access rights and responsibilities are strictly managed.
  • Access Control and Authorization Management:
    Strict controls are applied to granting, modifying, and revoking access rights to systems and databases containing personal data.
    Access control solutions are implemented to prevent unauthorized access.
  • Data Encryption:
    Sensitive personal data such as identification numbers, account numbers, and authentication data are protected through strong encryption technologies during both storage and transmission.
    For example, sensitive data stored in databases are encrypted, and encrypted communication channels such as SSL are used for internet data transmission.
  • Network Security:
    To protect against hacking, malware, and external attacks, the Bank operates firewalls, intrusion detection/prevention systems (IDS/IPS), and conducts regular vulnerability assessments and security updates.
  • Physical Security:
    Data centers and archives storing personal data are access-controlled, allowing entry only to authorized personnel.
    CCTV monitoring, locking systems, and other physical safeguards are used to prevent unauthorized access.
  • Data Storage Location:
    In compliance with the Law on Cybersecurity of Vietnam and related regulations, core personal data of customers are stored on secure servers within the territory of Vietnam.
    (For data transferred abroad, the Bank follows the security and procedural requirements described in Article 6.)
  • Incident Response Preparedness:
    The Bank maintains an incident-response plan for personal data breaches or damage and conducts regular simulation drills.
    In the event of an incident, the Bank will report to the competent authority within 72 hours as required by law and promptly notify affected customers to mitigate potential harm.
  • Other Measures:
    In addition to the above, the Bank continuously implements other protective measures in accordance with applicable laws and its internal policies.

10.2 Through these measures, the Bank continuously strives to maintain the security of personal data.
Any identified vulnerabilities will be promptly addressed with corrective actions to ensure the ongoing protection of customers’ personal information.

11. Destruction and Anonymization of Personal Data

11.1 The Bank promptly destroys personal data once the retention period has expired or the processing purpose has been achieved.

11.2 Destruction Procedures and Methods

  • Destruction Procedure:
    When the retention period specified in Article 3 expires or the data becomes unnecessary, the information is selected for destruction in accordance with internal procedures.
    Approved data are reviewed by the responsible officer and destroyed immediately.
    If a customer directly requests deletion with a legitimate reason, the Bank will verify and promptly carry out the deletion.
  • Destruction Method:
    Electronic data are permanently deleted using methods that make recovery impossible, such as certified data-erasure software or secure overwriting/formatting of storage media.
    Paper documents containing personal data are shredded or incinerated.
  • Partial Deletion and Anonymization:
    Even before the full retention period expires, if certain data are no longer necessary or must be converted into a legally disclosable form, the relevant portion will be deleted or anonymized (de-identified) so that individuals cannot be identified.

11.3 Personal data subject to mandatory retention under other laws will be destroyed only after the expiry of such statutory retention period.
If immediate deletion could infringe the rights of other users or conflict with legal obligations, the Bank may defer or deny deletion after explaining the reasons to the customer.

11.4 Upon completion of destruction, the Bank keeps internal records of the destruction activities and documents related procedures to demonstrate compliance when requested by supervisory or data-protection authorities.

12. Protection of Children’s Personal Data (Protection of Vulnerable Consumers)

12.1 The Bank takes special care to protect the personal data of children under 16 years of age.
In principle, the Bank’s financial services are intended for adults, and services for minors are provided only with the participation and consent of a parent or legal guardian.

  • Children Under 7 Years Old:
    Processing of a child’s personal data under the age of 7 requires explicit consent from the parent or legal guardian.
    The Bank does not directly collect personal data from children under 7.
    If data processing is unavoidable (e.g., opening an account in a minor’s name), the application and consent must be submitted by the guardian.
  • Children Aged 7 to Under 16:
    For minors in this age range, both the child’s consent and the guardian’s consent are required for the use of financial products or services.
    The Bank verifies the child’s age and requests submission of the guardian’s written consent before processing any data, and limits processing until such consent is confirmed.
  • Age Verification and Consent Validation:
    The Bank verifies the customer’s age through identification checks during registration or transactions.
    When it becomes necessary to process a child’s data, the Bank performs both age and consent verification before processing begins.
  • Restriction on Use of Children’s Data:
    Any personal data of children under 16 collected without legal guardian consent will be immediately deleted or processing will be terminated.
    Children’s data are never used for marketing or promotional purposes.

12.2 These protective measures comply with Vietnamese laws and international standards.
The Bank prioritizes the rights and interests of minors when processing their personal data.
Parents or guardians have the right to request access, correction, or deletion of a child’s data, and the Bank will verify legal guardianship before fulfilling such requests.

12.3 The Bank applies special attention and protective measures when processing the personal data of minors, elderly persons, persons with disabilities, pregnant women, and other vulnerable consumers, ensuring that their rights and interests are fully protected in accordance with applicable laws.

13. Data Protection Officer (DPO) and Contact Information

13.1 The Bank has designated a Data Protection Officer (DPO) responsible for overseeing compliance with personal data protection regulations and handling customer inquiries and requests related to personal data.
The DPO assumes overall responsibility for the Bank’s personal data protection activities, including staff training, internal control and supervision, and coordination with relevant authorities.

  • Data Protection Officer (DPO): ICT Platform Division
    • Name: Tran Huy / Shin Seung-Hoon
    • Email: TranHuy@woori.com.vn, shinshoon@woori.com.vn
  • Responsible Department: ICT Platform Division – Information Security Team

13.2 Customers may contact the DPO or the designated department regarding inquiries, complaints, or requests to exercise their rights related to personal data.
The Bank will respond promptly and sincerely through any convenient communication channel, including telephone, email, or written correspondence.
The DPO is obligated to provide a response within the statutory timeframe and to take additional actions where necessary to ensure compliance.

14. Customer Inquiries and Complaint Handling Procedures

14.1 The Bank has established clear procedures to effectively handle customer inquiries and complaints concerning personal data protection.
Customers may raise questions, suggestions, or complaints at any time through the following process:

  • Inquiry or Complaint Submission:
    Customers may submit personal data-related inquiries or complaints by visiting any branch, calling the Customer Service Hotline (1800-6003), or emailing the contacts listed in Article 13
    To ensure smooth processing, customers are encouraged to provide detailed information about the issue and verification details.

▶Please refer to the branch information

  • Receipt and Verification:
    Upon receipt, the Bank immediately forwards the inquiry or complaint to the responsible department (IT Security Team) for fact-checking and review of related documents.
    The Bank may contact the customer for additional details if necessary.
  • Response and Resolution:
    The Bank will respond as promptly as possible, generally within 15 business days, providing the results of its review.
    For complaints, appropriate corrective actions will be proposed and implemented.
    If resolution requires more time, the Bank will keep the customer informed of progress.
  • Further Remedies:
    If the customer is dissatisfied with the Bank’s response or resolution, they may file a complaint or pursue legal remedies with competent authorities, such as the Department of Cybersecurity and High-Tech Crime Prevention (A05, Ministry of Public Security) or other relevant regulatory bodies.
    The Bank will fully cooperate with such proceedings and will internally review measures to prevent recurrence.

14.2 The Bank values customers’ opinions and strives to resolve all personal data-related issues as a top priority.
Customers are encouraged to contact the Bank at any time, and the Bank will provide friendly, detailed, and transparent responses.

15. Amendment and Notification of the Privacy Policy

15.1 This Personal Data Processing Policy may be revised or updated due to changes in laws, regulations, or internal policies of the Bank.
When significant additions, modifications, or deletions are made, the Bank will notify customers by posting a notice on its official website at least seven (7) days prior to implementation.

For major changes that may materially affect customer rights, the Bank will provide notice at least thirty (30) days in advance, and, where necessary, will also issue individual notifications.

This Policy is made available on the Bank’s website, mobile application, head office, and all branch offices at clearly visible locations, ensuring that customers may review it at any time before providing their personal data.

15.2 The Bank encourages all customers to periodically review this Policy to stay informed about any updates and to understand how the Bank protects and processes their personal data.

15.3 When changes are made to this Policy, the Bank will clearly specify the effective date and details of the amendments to ensure transparency and accessibility for all customers.

15.4 Revision History
This Personal Data Processing Policy was fully revised on [October 13, 2025.]
The content may be updated from time to time in accordance with amendments to applicable laws and changes in the Bank’s internal policies.
The latest version of this Policy is available on the Banks official website.