1.THE TYPE OF PERSONAL DATA BEING COLLECTED

1.1.In these Terms and Conditions, “personal data” means data in the form of symbols, letters, numbers, images, sounds, or equivalences on electronic environment associated with an individual or used to identify an individual. Personal data comprises basic personal data and sensitive personal data as prescribed under Decree No. 13/2023/ND-CP dated 17 April 2023 of the Government on personal data protection, and the amendments, supplements, and replacements thereto, from time to time.

1.2.While requesting for, using service(s), product(s), facility(ies) provided by the Bank and/or having transaction(s) with the Bank, the Bank may process personal data including sensitive personal data, the Customer consents that the following personal data may be collected and processed: 

a. Identification information of the Customer, including full name (name at birth), alias, gender, signature sample, electronic signature, date of birth, nationality, job, place of registered permanent residence, current residential address, registered residence address in the foreign country regarding a foreigner, phone number, email, number, date of issue and place of issue of ID card, Citizen ID card, personal identification number, passport, other laissez passer (if any), information about visa of the Customer who is a foreign individual of the Customer and his/her legal representative or authorized representative (hereinafter referred to as “lawful representative”) and other relevant information.

b. Account information of the Customer, including identification information of the Customer, account name, number and balance, information relating to payment, money transfer, money withdrawal or money receipt by the Customer and other relevant information.

c. Deposit information of the Customer, including identification information of the Customer, information relating to deposit made by Customer, balance of deposit types as stipulated by laws of the Customer at Woori Bank and other relevant information.

d. Deposited property information of the Customer, including identification information of the Customer, information about Customer’s property (articles, money, financial instruments, property rights) deposited at Woori Bank, information about Customer’s property managed and stored by Woori Bank as prescribed by law, comprising of the property name, property value, documentary evidence for the ownership or right to use of or legitimate interests to Customer’s property and other relevant information.

e. Transactions information of the Customer, including identification information of the Customer, information generated from transactions between the Customer and Woori Bank comprising of transaction documents, transaction time, number of transactions, transaction value, transaction balance and other relevant information.

f. Other personal data of the Customer, including:

  • Hometown, place of birth, place of birth registration, temporary residence address; contact address; date of death or date gone missing;
  • Specimen of personal stamp (if any);
  • Driver’s license number, license plate number, personal tax identification number, social insurance number, health insurance card number; marriage registration number or other personal papers (if any);
  • Political and religious opinions;
  • Health conditions and personal information stated in health record, excluding information on blood group;
  • Information about racial or ethnic origin;
  • Information about genetic data related to an individual’s inherited or acquired genetic characteristics;
  • Information about an individual’s own biometric or biological characteristics;
  • Data on crimes and criminal activities collected and stored by law enforcement agencies;
  • Personal location identified via location services;
  • Video and audio information such as personal image, video, audio and information captured on security systems (including a recording of Customer’s image on Closed Circuit Television (CCTV), recorded phone lines and other technologies permitted by laws;
  • Digital account information, personal data reflecting activities and activity history on cyberspace, such as website, services portal, and mobile application (hereinafter referred to as the “Digital Platform”) of Woori Bank including but not limited to, location data, traffic data and other communication data (such as cookies, IP address, information of operating system, platform, version of computers, mobile phones and other communication devices used to connect with the Bank’s system, etc.), and the resources that are accessed;
  • Marital status; family relationship (parents, spouses, children); legal guardian (if any);
  • Authentication information upon access to the services of the Bank, including but not limited to fingerprint, facial image and other biometrics;
  • Information of the entity, individual being a guarantor of the Customer at the Bank;
  • Other information associated with an individual or used to identify an individual other than that specified in Clause 4 Article 2 of Decree No. 13/2023/ND-CP dated 17 April 2023 of the Government on personal data protection, and the amendments, supplements, and replacements thereto, from time to time;
  • Other specific personal data as prescribed by law that requires special protection; and
  • Other information, personal data provided by the Customer to the Bank from time to time related to the request for and use of products, services, and facilities of the Bank.

2. PURPOSE OF PERSONAL DATA COLLECTION AND PROCESSING

2.1. The personal data listed in Section 1 shall be collected and processed for one or more of the following purposes:

  • To identify, authenticate identification of Customer, including eKYC on our Digital Platform, and screening to process Customer’s application with the Bank for any products and/or services;
  • To implement banking operations, provide, manage and maintain products and services of the Bank and carry out other rights and obligations of the Bank in accordance with the terms and conditions on using products and services signed between the Bank and the Customer;
  • To verify financial status, underwrite, establish and evaluate credit trustworthiness of the Customer;
  • To process and complete transactions related to the products and services requested by the Customer, including online transactions;
  • To contact Customer for sending statements, letters, emails, text messages, notifications about products services, updated policies of the Bank from time to time; for sending necessary cautions to ensure data safety for Customer; for responding, replying to instructions, inquiries, requests for tracing, requests, complaints of the Customer;
  • To create and manage the internal customers system of the Bank for ensuring the management and classification of customers and satisfaction the limitations, restrictions (if any) in accordance with the laws and internal regulations of the Bank;
  • To protect and exercise the rights of the Bank, including collection of fees, charges and/or collection of any collectibles, pursuant to any agreement between the Bank and the Customer;
  • To pursue other purposes related to business operations of the Bank as deemed appropriate from time to time;
  • To create and maintain safety and security at the operating premises of the Bank, including headquarter, branches, transaction offices, ATM posts, etc.;
  • To create and maintain safety and security methods on Digital Platform of the Bank;
  • To personalize experiences of the Customer with the Bank’s products and services on Digital Platform and transaction locations of the Bank; monitor the Customer’s access and membership with related third parties;
  • To administer and implement campaigns and promotions, reward redemption, gift delivery;
  • To operate, research, analyze, evaluate, survey and improve the Bank operations, including developing new products and services, analyzing, improving and enhancing existing products and services; managing communications system and performing accounting, auditing, compliance, risk management and other internal functions of the Bank;
  • To produce data, report, process, store and respond to the Bank and other related third parties in accordance with the laws and internal regulations of the Bank or upon requests from competent authorities or related third parties;
  • To support the public security and order, prevention of crime, anti-bribery and corruption, anti-money laundering, anti-terrorism, preventing and countering proliferation of weapons of mass destruction, sanctions compliance and anti-fraud;
  • To support the investigation and identifying and preventing unlawful use, unauthorized use or abuse of the products, services, systems or other documents of the Bank;
  • To exercise the rights, remedies and defends against legal claim against the Bank, subsidiaries and affiliates of the Bank and to generally resolve disputes;
  • To comply with industry standards and internal procedures and policies of the Bank;
  • To comply with the applicable laws and regulations from time to time, guidelines, orders or requests issued by any court, legal or regulatory bodies (both national and international); and
  • Other purposes related to the above.

2.2. The Bank will ask for the Customer’s consent before processing the Customer’s personal data for a purpose other than those listed herein.

3. ORGANIZATIONS PROCESSING PERSONAL DATA AND ORGANIZATIONS RELATED TO THE DATA PROCESSING PURPOSES

3.1. In these Terms and Conditions, “personal data processing” means one or many activities affecting personal data, including: collecting, recording, analyzing, confirming, archiving, correct, disclosing, combining, accessing, exporting, retrieving, encrypting, decrypting, copying, sharing, transmitting, providing, delivering, erasing, destroying personal data and other relevant actions.

3.2.Woori Bank (including its successor in the case of re-organization, restructuring, transfer, assignment), shall assume the role of a controller and/or controller and processor of personal data of the Customer. For avoidance of doubt, when taking this role, the Bank is set forth by laws as the entity having right to decide the purposes, manners of data processing and directly process personal data within the scope consented by the Customer and as prescribed under the laws.

3.3. For the personal data processing purposes by Woori Bank as set forth above, the Bank may disclose the Customer’s personal data to the following individuals, companies and organizations. The Bank shall only disclose personal data to these parties on a need-to-know basis and on the principle that they have an obligation to keep confidential all provided information:

  • Domestic or oversea companies and/or organizations within the Woori Group;
  • Any individuals, companies and/or organizations acting as vendor, consultants, suppliers, partners, agents and/or professional advisers of the Bank that may be in connection with and/or support to operation of business and/or execution other responsibilities of the Bank;
  • Any authorized person as notified by the Customer to give instructions or to use the accounts, facilities, products, services on behalf of the Customer;
  • Any actual or proposed assignee or other third party as a result of any restructuring of facilities granted to the Customer or the sale of debts, or the acquisition or sale of any company or assets by the Bank;
  • Any party connected to the enforcement or preservation of any of the Bank’s rights under agreement(s) with the Customer or otherwise;
  • Employees and authorized persons and organizations to proceed with data processing of the Bank;
  • Any rating agency, insurer or insurance broker or direct or indirect provider of credit protection;
  • Any credit reporting agencies or credit reference agencies;
  • Any individuals, companies and/or organizations after a restructure, sale or acquisition of any member of the Woori Group, provided that person uses personal data of the Customer for the same purposes as it was originally given to or used by the Bank;
  • Any credit institutions, foreign bank agencies and branches, financial institutions, merchants, VISA International Services Association, MasterCard International Incorporated, and other card associations in relation to any products and services provided by the Bank to the Customer;
  • the Credit Information Center of Vietnam (CIC) or any other authority or body established by the State Bank of Vietnam or any other authority having jurisdiction over the Bank;
  • Investigating authority, security authority, court, arbitration tribunal and other competent authorities in Vietnam and overseas and the disclosure to these authorities is permitted or required under the relevant applicable laws;
  • Any third party to be an organization or individual other than the Customer, the personal data controller, personal data processor, and personal data controller-cum-processor that is permitted to process personal data under the applicable laws and regulations;
  • Any other individuals, companies and/or organizations that in a specific situation, the purpose of such disclosure is permitted or required by relevant applicable laws.

3.4. Disclosure of Customer’s personal data to any other party not listed above shall be subjected to prior consent of the Customer.

4. RIGHTS AND RESPONSIBILITIES OF CUSTOMER IN RELATION TO PERSONAL DATA

4.1. Unless otherwise provided under the laws, the Customer shall have the following rights towards the personal data provided to the Bank:

a. Right to know: Customer shall have the right to be notified about his/her personal data processing;

b. Right to consent: Customer shall have the right to consent or not consent to his/her personal data processing, except for the cases of personal data processing without the Customer’s consent as prescribed under the laws;

c. Right to access: Customer shall have the right to access to view, edit or request for editing his/her personal data. In case Customer requests for editing their personal data, the Bank shall proceed with such editing request of the Customer as soon as possible, unless otherwise prescribed under the laws;

d. Right to withdraw consent: Customer shall have the right to withdraw his/her consent. In case receiving request to withdraw consent of the Customer, the Bank shall notify to the Customer of the consequences and damages that might occur due to such consent withdrawal. The withdrawal of consent shall not affect the lawfulness of the data processing to which consent was given before it is withdrawn;

f. Right to erasure: Customer shall have the right to erase or request for erasure of his/her personal data. In case the Customer request for erasure of personal data, the Bank shall proceed with erasing such personal data within seventy-two (72) hours upon request of the Customer, unless otherwise provided by laws;

g. Right to restriction: Customer shall have the right to request for limitation of personal data processing. The limitation shall be implemented as requested by the Customer within seventy-two (72) hours upon request of the Customer, unless otherwise provided by laws;

h. Right to request for provision: Customer shall have the right to request the Bank to provide his/her personal data. The Bank shall provide data within seventy-two (72) hours upon request of the Customer, unless otherwise prescribed under the laws. The request for provision of personal data can be made by the Customer or his/her lawful representative at the headquarter, branches and transaction offices of the Bank or by submitting request form in accordance with the template on the Digital Platform of the Bank or by post or fax to the Bank;

i. Right to objection: Customer shall have the right to object to the Bank’s personal data processing to prevent or restrict the disclosure of his/her personal data or the usage of his/her personal data for advertising or promoting purpose. The Bank shall cease the Customer’s personal data processing as requested within seventy-two (72) hours from the Bank’s receipt of such objection of the Customer, unless otherwise provided by laws;

j. Right to complaint: In case of having any concern on personal data processing at the Bank, the Customer has the right to file a complaint to the Bank via channel(s) that the Bank makes available from time to time or notify the Department of Cyber​​security and Hi-tech Crime Prevention under the Ministry of Public Security when figuring out any violation of regulations on personal data protection;

k. Right to denounce & litigation: Customer shall have the right to denounce of file for litigation in accordance with the laws;

l. Right to claim for damages: Customer shall have the right to claim for damages in accordance with the laws for any violation against his/her personal data protection, unless otherwise agreed by the parties or provided by laws. The damage claim shall be handled in accordance with the laws;

m. Right to protection: Customer shall have the right to protect his/her own personal data in accordance with the laws, or request competent agency, entity to apply protection measures for his/her civil rights in accordance with the civil laws.

4.2. Customer has the following obligations with respect to the personal data provided to the Bank:

a. Read carefully this Terms and Conditions before signing the consent for data processing and providing personal data to the Bank;

b. Provide in complete and accurate manner personal data to the Bank upon giving consent to the data processing by the Bank; update and supplement personal data to the Bank upon any change;

c. Protect, secure his/her own personal data, refrain from divulging to any third party Identification information of the Customer; Account information of the Customer; Deposit information of the Customer; Deposited property information of the Customer; Transactions information of the Customer at the Bank and other information related to the use of accounts, facilities, products, services at the Bank unless such disclosure is necessary and actively consented by the Customer or is required by laws;

d. Request other organizations, individuals collecting his/her personal data to apply protection measures for Customer’s personal data;

e. Comply with regulations of laws on protection of personal data;

f. Other obligations on personal data protection prescribed under the laws.

4.3. Customer also fully understands, agrees that the Bank can not provide entirely the products, services, facilities to the Customer when the Customer only agrees partly or with conditions with the contents mentioned in this Terms and Conditions, hence the Customer agrees and consents entirely the contents under this Terms and Conditions.

5.PERSONAL DATA PROCESSING METHOD

5.1. The personal data shall be collected by the Bank directly from the Customer, provided actively by the Customer or Customer’s lawful representative; or generated while the Customer requests for or is provided with banking operations, products, services, and facilities of the Bank.

5.2. Personal data may be collected indirectly from the sources below:

  • From the personal data of the Customer publicly disclosed as prescribed by laws;
  • From suppliers, service providers, partners, merchants of the Bank and other third parties, including but not limitation to survey, social media, marketing, credit reference, fraud prevention, data aggregating agencies, infrastructure and facilities support providers, and other third parties in connection with the business of the Bank;
  • From third parties having relationship with the Customer, such as legal guardian, lawful representative, employer, co-account holder, guarantor, security measure provider, co-partner, co-manager, co-shareholder;
  • From the State Bank of Vietnam, the Credit Information Centre (CIC) or other competent authorities in Vietnam or overseas;
  • From credit information organizations, credit reference agencies and Government agencies, or from publicly available sources, directories or registries;
  • Through recorded footages from CCTV at the headquarter, branches, transaction office and ATM posts of the Bank, through recorded phone calls with Customer;
  • From an analysis of the way Customer uses and manages accounts/facilities with the Bank, from the transactions made by the Customer and the payment made to/from the accounts/facilities of the Customer;
  • Through cookies or other tracking devices/tools;
  • From third parties’ sources, which Customer consents to and authorizes for the Bank to collect; and/or
  • From other sources permitted or required under the laws.

5.3. Personal data of the Customer shall be processed upon consent of the Customer, via the methods of collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, traceability, retrieval, encryption, decryption, copying, sharing, transmission, provision, transfer, deletion, destruction or other relevant activities as deemed appropriate from time to time. Customer’s personal data may be processed automatically when the Customer interact on Digital Platform or based on demand of the Bank on a case by case basis when the purpose of data processing is triggered respectively.

5.4. Collected personal data of the Customer shall be stored at the offices of the Bank, its branches, transaction offices, on the server of the Bank, Woori Group, and/or server of a third party having agreement with the Bank, as the case maybe, to ensure the intactness, sufficiency, without erroneousness of information, to prevent the accidental loss, destruction, unauthorized use or access, alteration or unauthorized disclosure of personal data of the Customer.

5.5. During our operations, the Bank shall apply various measures to ensure safety for the information system consisting of the collected personal data, including but not limited to applying safety measures during establishment of our system, operation of our system, implementing periodical audit, valuation of the information system, setting up risk management plan and monitoring information safety, setting up back-up plan, preventing unauthorized access, malicious software, setting up responsive plan against any information-related incident.

5.6. The processing of personal data of Customer being a child (person under 16 years of age) shall always be conducted in a manner that the rights and best interests of the child are protected. In this case, the collection and processing of personal data of a child Customer shall be subjected to consent of the Customer and his/her legal guardian. The legal guardian of the child Customer shall have the right to withdraw the consent to personal data processing of the Customer as prescribed by laws. The Bank shall cease processing such personal data, erase and delete those personal data upon request for consent withdrawal of the legal guardian or in other cases as requested by the competent authorities and in accordance with the laws.

5.7. The processing of personal data of Customer in emergency cases, in case to support the competent authorities against risk or event of a state of emergency on national defense, security, social order and safety, major disasters, or dangerous epidemics; to prevent and combat riots and terrorism, crimes and law violations shall be implemented in accordance with the laws and requests of the competent authorities.

5.8. Transfer of personal data overseas: In order to fulfill the purposes of personal data processing provided in this Terms and Conditions, the Bank may have to provide/share Customer’s personal data to other related parties and these third parties may be located outside the territory of Vietnam (including but not limited to the companies and/or organizations within the Woori Group). When providing/sharing personal data overseas, the Bank will require the receiving party to ensure that the Customer’s personal data provided to them will be confidential and secure. The Bank undertakes to comply with provisions of law regarding the transfer of Customer’s personal data.

5.9. All act of illegal breach to the information and data system of the Bank shall be actively prevented, and when these acts are detected, the Bank shall immediately report to the Department of Cyber​​security and Hi-tech Crime Prevention to coordinate and handle.

6.PROCESSING AND STORAGE TERM OF PERSONAL DATA

6.1. Customer within the period from receiving personal data of the Customer until the termination point of data processing.

6.2. The termination point of data processing shall be determined as follows, unless otherwise provided by laws:

a. In case the Customer exercises the right to withdraw consent, right to erase, right to restriction, right to objection: the termination point of data processing shall be seventy two (72) hours upon receipt of the Customer’s request or if technology platform facilitates, the point when personal data is erased by the Customer without necessity to send request to the Bank;

b. The point of time when the Bank has fulfilled the personal data processing purposes consented by the Customer or the storage and processing of personal data is no longer necessary for the Bank’s operations;

c. The point of time when the Bank is dissolved or no longer operates or declares bankruptcy or terminates its business operations in accordance with the laws;

d. The point of time when the Bank is released from the obligation to store personal data of the Customer in accordance with the laws; or

f. Other point of time as prescribed by laws and/or regulations of the Bank.

7. UNINTENDED CONSEQUENCES, DAMAGES WHICH MAY INCURS DURING PERSONAL DATA PROCESSING

7.1. The processing of Customer’s personal data processing may witness unintended event such as data corruption, data loss or inappropriate handling of data that may occurred due to the following reasons:

a. Illegal attack or disablement to invalidate the security measures of information system;

b. The act of attacking, hijacking and sabotaging of information system by hackers;

c. The act of spreading spam, malware, setting up fake and fraudulent information system;

d. Illegal act of collection, use, disclosure, trade personal data by third party; the act of taking advantage of weakness, loophole of data system to collect, deploy personal data;

e. Other objective reasons not attributable to the Bank.

7.2. The Bank undertakes to comply with the laws on personal data protection and will always apply the most effective and appropriate measures to minimize the risks mentioned above.

8. AMENDMENT AND SUPPLEMENTATION

This Terms and Conditions is publicly available on the Digital Platform of Woori Bank and/or by such other means of communication deemed suitable by the Bank. Woori Bank reserves the right to amend and supplement this Terms and Conditions in compliance with the laws from time to time. In case such amendment, supplementation leads to requirement of consent from the Customer as required by laws, the Bank shall notify the Customer in advance about the contents being amended, supplemented for Customer to exercise consent right before implementation.