Personal Information Treatment Policy


PT.BC Card Asia Pacific(BCAP), our mission is to protect your privacy and rights in accordance with Article 30 of the Personal Information Protection Act, Article 31 of the enforcement ordinance of the same Act, and to handle your potential grievances effectively. In this regard, we have established our policy on personal information treatment, the details of which are elaborated upon in the following.

We keep you informed regarding how your information is used and for what purpose together with the measures we take to protect your privacy.

We may revise our personal information treatment policy in response to changes in applicable laws and regulations, government guidelines, and our policies. We will notify you of any such revisions via either our website or through individual notices.

1. Purposes of personal information treatment (collection/use)
We use your personal information for the following purposes.
We use your personal information strictly only for the following purposes. For any changes in purposes, we will implement necessary measures such as informing you of changes in a timely manner and asking for your consent.

a. For web/app membership registration and management
  • Confirmation of intent to join
  • Member identification and verification of services to which only members are entitled
  • Maintenance and management of membership
  • Prevention of unfair use of services
b. For financial transactions
  • Personal credit inquiries via BCAP or credit information collection agencies for financial transactions
  • Decision whether to establish financial transaction relationships
  • Establishment, maintenance, implementation, and management of financial transaction relationships and financial incident-related investigation
  • Dispute settlement
  • Complaints handling and compliance with statutory obligations
c. For provision of goods and services
  • Fulfillment of service contracts and provision of prepaid content according to such contracts
  • Purchase and bill payment
  • Delivery of goods or credit card billing
  • Authentication of user identity for financial transactions and financial services
  • Fee collection, etc.
d. Grievance settlement
  • Identification of complainant(s)
  • Investigation of complaint(s)
  • Notification of fact-finding and subsequent action plans
  • Delivery of notice, confirm complainant(s)’ intention, and securing effective communication channels for complaint settlement
e. For marketing and advertising (applicable only to users who have given optional consent)
  • Introduction of and solicitation for cards and related financial products and services, market research, product- and service-related research and development, and promotional activities
  • Introduction of and solicitation for credit card companies’ ancillary businesses including travel and mail order, market research, product- and service-related research and development, and promotional activities
  • Introduction and sale of insurance products sold on consignment in our capacity as an insurance agency, provision of insurance services, and insurance information inquiry via the computer network of the Korea Insurance Development Institute
  • Providing consulting and advisory services through big data analysis (generating analytical information on both users’ consumption patterns and online/offline behaviors)
f. For the operation of identification services
  • Other ways to identify yourself without using resident registration number pursuant to Articles 23-2 and 23-3 of the Act on the Protection of Information and Communications Infrastructure
  • Prevention of fraudulent use and complaint handling
  • Analysis of usability improvement

2. Personal information-related items we use and our collection methods
At BCAP, we process the following personal information items to provide services.

a. Personal information items we collect
  • Identity information: Name, resident registration number, issue date of resident registration card, contact information (cell phone, home, and work), address (home and work), email, employer name, department, title, gender, nationality, driver’s license number, passport number, foreign registration number, voice data, connecting information (CI), name of financial institution, and account number
  • Information on credit transactions: Any information that helps determine the type, period, amount, and maximum limit of commercial transactions including any loans, guarantees, provision of collateral, credit card, and installment financing before and after this transaction with your company and other financial institutions
  • Information on credit status: Any information that helps determine credit rating such as credit standing, credit inquiry records, debt payment rescheduling, overdue payment, bankruptcy, payment by subrogation, and the amount and period involving disorderly conduct that could undermine credit orders
  • Information on payment ability: Any information that helps determine payment ability for credit transactions including the total amount of assets, liabilities, and income and tax payment records
  • Information held by public institutions: Any information owned by public institutions that facilitates identification and helps determine creditworthiness and payment ability such as the information on court rulings and decisions including personal turnaround, bankruptcy, exemption from liability, and registration of defaulters, arrears, resident registration, social insurance and public utility charges, and administrative disposition.
  • Information on direct debit (only applicable to those who have applied for direct debit): subscriber’s name, resident registration number, telecommunications service provider, phone number, phone bill, electricity bill, and gas bill
  • Information on family card (only applicable to those who have applied for a family card): card name, expected limit, name, resident registration number, phone number, address, and relationship to you
  • Other information provided by you in relation to signing, maintaining, implementing, managing, and improving service contract
    • oPayment information: time of payment, credit card company, issuer, merchant, purchased item, amount, and the number of installments in the case of an installment purchase
    • oInformation on a legal representative (name and relationship) for children under 14 years
  • Information that can be automatically generated and collected while using online (web/app) services
    • oDevice and access information (for investigation against unfair use)
    • PC
    • ·H/W information: HDD serial and USB serial
    • ·N/W information: NAT IP, Ethernet IP, Ethernet MAC address, Proxy server IP, VPN server, IP Port information, and Windows remote IP
    • Mobile
    • ·Basic information: UUID and Subscriber ID (IMSI)
    • ·H/W information: Device identification number such as terminal ID (IMEI)
    • ·N/W information: Mac address, network country code, and network operator code
    • ·SIM Card information: Serial number, country code, and network operator code
    • oAccess information: Date of access, payment record, log on, installation of personal firewall, availability of operating system security patches, cookies, remote connection settings, keyboard type, advertising ID including Google AD-ID and Apple IDFA, and services used
  • Information required to identify card users
    • oPersonal information entered by users such as name, date of birth, gender, cell phone number, and homepage login ID
    • oCard-related information such as card number, card PIN, password for identification, expiration date, and CVV
    • oIdentity information being generated upon completing the identification process such as connecting information (CI), duplicated information(DI), and division between residents and foreigners (CI and DI are not stored in our system)
b. Personal information collection methods
  • Homepage, written form, fax, phone, consultation bulletin board, email, entering for promotional events, and request for delivery
  • Provided by member companies and clients
  • Provided by affiliated companies
  • Tools to collect generation information
  • Provided by or inquiry via administrative agencies, credit information collection agencies, credit information businesses, and credit information providers or users

3. Personal information processing and retention period
In principle, we retain and use collected personal information within the period to which you have consented and will immediately destroy information once its intended purposes are met. Notwithstanding the preceding sentence, we may continue to retain personal information for a certain period based on your prior consent or applicable laws and regulations that require us to do so.

a. Records involving contracts or withdrawal of subscription
  • Applicable laws and regulations for retention: Act on the Consumer Protection in the Electronic Commerce Transaction, etc.
  • Retention period : Five years
b. Records involving payment and supply of goods
  • Applicable laws and regulations for retention: Act on the Consumer Protection in the Electronic Commerce Transaction, etc.
  • Retention period : Five years
c. Records involving consumers’ complaints and dispute settlement
  • Applicable laws and regulations for retention: Act on the Consumer Protection in the Electronic Commerce Transaction, etc.
  • Retention period : Three years
d. In the event we have secured your consent
  • Retention period: Up to the period to which you have consented

4. Provision of personal information to third parties
We only process your personal information within the scope specified in the purposes of the personal information treatment policy. Provided, however, that we disclose personal information to others in the following cases, such as your consent and the requirements of applicable laws and regulations.

a. Personal information may be provided to third parties if any of the following is applicable:
  • Your separate consent
  • Special requirements in applicable laws and regulations
  • Justifiable reasons that make it impossible to obtain consent from the data subject such as in life-threatening situations.
  • Provision of personal information in such a form that obfuscates the identity of a specific individual for the purpose of statistical surveys and academic research.
b. Current status of personal information provided to third parties
[Details of affiliates where personal information is provided]

5. Destruction of personal information
We immediately destroy all personal information in question when it is no longer necessary when its retention period elapses or its intended purposes have been met.
Provided, however, that any personal information in the following cases, such as your consent and the requirements of applicable laws and regulations overriding retention periods and treatment purposes, may be transferred to a separate database or retained in a different place.
  • Credit information collection agencies or credit bureaus, for the purposes of the centralized management and utilization of credit information or the evaluation of individuals’ creditworthiness, may retain personal information to ensure the accuracy of such information.
  • BCAP, etc. retain personal information due to their civil and criminal liability, continued statutes of limitation, and their capacity as dispute testifiers
  • Retention of personal information pursuant to Article 33 of the Commercial Law, etc.
  • Any justifiable reasons relevant to the above cases
We destroy the electronic records of personal information in an unrecoverable manner and either shred or burn paper-based personal information.

6. Entrustment of personal information processing
For the streamlined processing of personal information, we entrust the processing of personal information as follows for the purposes to which you have consented or for the purpose of signing, maintaining, implementing, and managing contracts.

a. Current status of entrusted personal information
[Details of entrusted personal information]

When entering into an entrustment contract, we comply with the Personal Information Protection Act to clearly indicate the following clauses in the contract and related documents: prohibition of the processing of personal information for purposes other than those required to perform entrusted business, protective technical and managerial safeguards, restrictions on re-entrustment, managing and supervising entrustees, liability-related matters including compensation for damages. Additionally, we ensure that entrustees treat personal information in a safe and confidential manner.
In the case of any changes to entrusted business or entrustees, we will notify you of such changes without delay through our personal information treatment policy.

7. Matters related to the safeguarding of personal information
At BCAP, we have the following safeguards in place to prevent loss, theft, leak, falsification, and damage of personal information.

a. Establishment and implementation of internal control systems
  • We have established and implemented the internal control systems including the following to securely process personal information. We constantly update our systems to reflect major changes.
  • oMatters related to the designation of a Chief Privacy Officer (CPO) in charge of personal information protection
  • oMatters related to the roles and responsibilities of a CPO and personnel in charge of processing personal information
  • oMatters related to the safeguarding of personal information
  • oMatters related to educating personnel who process personal information
  • oOther matters necessary for the safeguarding of personal information
b. Access control and management of access authority
  • We keep access to the personal information processing system to a minimum for bare-bones operations. Each staff member is differentially granted one user account depending on the nature of their business. When the person in charge of processing personal information changes, we immediately take appropriate measures to change or revoke access authority to the personal information processing system and retain related records for at least three years.
  • We utilize safe means of access such as VPN (Virtual Private Network) or a leased line for personnel in charge of personal information to gain access to the personal information processing system from outside through information networks. In addition, we have safety features incorporated in the personal information processing system and business computers to prohibit personal information from being released to unauthorized third parties or from leaking.
  • We have established and implemented strong password generation rules to enable the personnel in charge of personal information processing to generate secure passwords for their duties.
c. Encryption of personal information
  • We encrypt without fail all personal information delivered back and forth through information networks or auxiliary storage media.
  • We employ a secure one-way encryption algorithm for password and bioinformation; we encrypt and store resident registration numbers in accordance with the Personal Information Protection Act.
  • We do not store personal information on business computers; when personal information is stored and managed on a business computer due to unavoidable business-related circumstances, we encrypt such information using commercial encryption software.
d. Retention of access records and prevention of forgery
  • We retain and manage access log records of personnel in charge of personal information processing to the personal information processing system for at least two years; we safeguard these access log records against forgery, theft, and loss.
e. Installation and operation of security program
  • We have installed and operated security programs including antivirus software in the personal information processing system and business computers to detect and remove malware, and we update and scan our PCs at least once each day.
  • We immediately perform updates in response to malware-related alerts or security update notices from the makers of our currently used application programs and operating system software.
f. Physical measures for personal information
  • We have established and operated the procedures of controlling access to physical storage facilities such as data processing rooms and the data center that store a wide array of personal information. All documents and ancillary storage media that contain personal information are kept in securely locked places.

8. Matters related to installation, operation, and refusal of the devices
including an internet access information file that automatically collects personal information
We have installed and operated devices that automatically collect personal information such as a cookie used to store and retrieve information on a continuous basis. A cookie is a small piece of text sent to your web browser by our web server you visit that is stored on your computer hard disk.
We use cookies for the following purposes.

a. Purposes of using cookies
  • Providing customized information depending on users’ areas of interest
  • Identifying users’ tastes and areas of interest and utilizing them for targeted marketing
  • Authenticating goods purchases at the shopping mall we operate
  • Authenticating purchases of content we provide
  • Leveraging information about items purchased and tracing items of interest to provide customized services for future shopping
  • Informing the valid period for paid services
  • Analyzing users’ purchase patterns to form a basis for service enhancement
  • Registering for the bulletin board
  • Confirming participation in promotional events and surveys
You have the option of installing cookies; you can set your options in your web browser to allow all cookies, confirm whenever a cookie is stored, or refuse to store cookies.
b. How to refuse cookies
  • (In case of Internet Explorer) Tools at the top of the web browser > Internet option > Setting in the privacy tab
Provided, however, that you understand your refusal to set cookies means that you cannot use certain services that require a login.

9. Rights and obligations of data subjects and methods to exercise them
You and your legal representative (for children under 14 years) can exercise the following privacy-related rights with us at any time.

a. Request to browse personal information
b. Request to correct errors
c. Request for deletion
  • Provided, however, that you understand you cannot request to delete certain information if other laws and regulations specifically require that such information be collected.
d. Request to suspend processing
  • Provided that we can decline your request to suspend processing if any of the following is applicable; in such a case, we are required to inform you of our reasoning.
  • oSpecial provisions in laws and regulations or unavoidable circumstances such as statutory obligations
  • oRisks of harming the life or body of others or wrongly infringing on others’ properties and other interests
  • oSituations in which we cannot fulfill our contract with you if processing is suspended, but you have not clearly revealed your intention to terminate a contract

10. Matters related to personnel in charge of protecting personal information
We have appointed a Chief Privacy Officer as follows to protect your personal information and handle privacy-related complaints and requests for access to such information. If you have any questions regarding personal information or privacy, please contact the following person who is in charge of protecting your personal information.

a. Chief Privacy Officer (CPO)
  • Name: Nam Gyu Park
  • Position: Director
  • Department: IT Infrastructure department
b. Person in charge of privacy protection
  • Name: Ja young Oh
  • Position: Team leader
  • Department: IT Infrastructure department, Personal Information Protection Team
  • Email: privacy@bccard.com

11. Department in charge of receiving and processing requests for access to personal information
Introduction to the rights of data subjects and methods to exercise those rights: [Notice of customers’ rights]
We operate a customer service center to facilitate effective communication with our customers.

a. Customer service center
  • Phone number: 1588-4000
  • Operating hours: Weekday 09:00~18:00

12. Remedy for infringement on rights and interests of data subjects
You can make inquiries at the following institutions regarding counseling and remedying infringements of privacy.

a. Personal Information Infringement Report Center (operated by the Korea Internet & Security Agency)/div>
  • Responsibilities: Processing reports of infringement on privacy and providing counseling
  • Phone number: (without area code in Korea) 118 (ARS ext. #2)
  • Website: www.privacy.go.kr
b. Financial Supervisory Service
  • Responsibilities: Coordinating financial transaction-related damages and disputes
  • Phone number: (without area code in Korea) 1332
  • Website: www.fss.or.kr
c. Cyber Bureau of the Korean National Policy Agency
  • Responsibilities: Hacking, Denial of Service (DDoS), and infringement on information networks by malware
  • Phone number: (without area code in Korea) 182
  • Website: cyberbureau.police.go.kr

13. Matters related to changes in the personal information treatment policy

This personal information treatment policy is applied from 2021.11.30.