Information security policy

Information security policy is to ensure the normal operation of the business by managing and preventing any risks related to the protection of personal information of the information security and individuals, and to implement general requirements for ensuring the security of the use, processing, and storage of personal information.

The Bank processes personal information for the purpose of delivering its products and services and conducting its operations. The Bank aims to ensure the confidentiality and integrity of information when using bank and customer information, and to protect all systems, equipment, and objects used to process them from attacks and violations against the data. Information Technology’s function is to provide and implement legal and information security requirements, regulatory agency contracts.

Fundamental principles

Confidentiality: Information and information systems have to be protected from unauthorized viewing and other access. Also limited to access only by authorized users.

Integrity: Information and information systems have to be protected from unauthorized changes to ensure that it is reliable and correct. Only authorized users can change within acceptable limits.

Availability: The operation of the information system is continuous and normal, and the information is available to the authorized person when needed. Obtain consent from the Obtain consent from the PII principal: Obtain consent from the PII principal when collecting, processing, or using data.

Respecting PII principal rights: Providing and assisting PII principal with the opportunity to exercise their rights related to their data.

Collection, processing, and use of PII: PII is collected, processed, and used only for the reasons and purposes specified by law, and is processed in a transparent manner to the owner of the personal information

What is personal data?

“Personal data” means sensitive personal data and other information which can directly or indirectly identify or potentially identify a person, including parents’ name, first name, date of birth, place of birth, place of residence, address, location, citizen’s registration number, property, education, membership, and electronic identifiers. “Personal data protection law of Mongolia”

“Sensitive information” means information in regards with a person’s race, ethnic origin, religion, beliefs, health, correspondence, genetic and biometric data, digital signature private key, criminal records, sexual and gender orientation, expression, and sexual relations. “Personal data protection law of Mongolia”

The purpose of collecting personal data:

Golomt Bank collects and processes personal data according to the Civil Code of Mongolia, the Banking Law, the Law on Combating Money Laundering and The Financing of Terrorism, state regulations, Golomt Bank’s internal policies and procedures, and the ISO27701:2019 standard. These measures protect and ensure the security of personal data. These included:

• Register new customers and provide products and services.
• Deliver tailored products and services to meet customer needs.
• Analyze and resolve customer feedback and complaints, preventing risks.
• Offer suitable products and services based on customer data to improve service quality.
• Prevent discrepancies in personal information and ensure accurate identification.
• Protect and secure systems and equipment storing customer information.

Personal data collected by Golomt bank

Golomt bank will offer banking products and services only with the customer’s consent to collect and process their personal information, confirmed by their signature on a contract, form, or via electronic channels, agreeing to the terms and conditions of the products and services. We collect the minimum necessary data for customer identification, service provision, and offering relevant products and information.

Types of Information Collected:

• Personally identifiable information
• Access history to Golomt Bank’s digital products and services
• Account balance, transaction history, and credit information.
• Asset and income information
• Educational background
• Employment information
• Marriage and family information
• Other necessary information

Golomt Bank collects personal information from third parties to meet legal requirements. These sources include social insurance, tax authorities, court decision agencies, the Bank of Mongolia, credit databases, and other government entities.

The right to grant and withdraw consent.

If the customer registers and requests services from the bank in person, and agrees to provide accurate information in accordance with the terms, conditions, and requirements of the agreement, the bank will proceed with the establishment of the contract and the provision of services.

If the customer does not accept the terms and conditions of the agreement related to the bank’s products and services, the bank has the right to refuse service provision.

The recipients of the PII

Golomt Bank will share your information in accordance with the Personal Data Protection Law of Mongolia. We are required to disclose a customer’s personal information to government authorities and law enforcement agencies when mandated by law. Additionally, based on your consent, we may share or transmit your personal information to third-party organizations when necessary.

Information security

Golomt Bank implements strict policies, procedures, and security measures to prevent unauthorized access and breaches. Our systems are fully protected by firewalls and intrusion prevention systems. Additionally, Golomt Bank adheres to internal policies and procedures when handling personal information and conducts regular reviews of our infrastructure and servers.

We protect your personal information by complying with applicable laws, regulations, and standards, including ISO 27001:2022, ISO 27701:2019, PCI DSS v 4.0.1, SWIFT CSP, GDPR, and ISO 27701:2019, to ensure all security requirements are met.

The utilization, disposal and retention periods for the personal data:

Golomt Bank collects and uses your personal information according to Mongolian laws, bank policies, and ISO 27701:2019 standards. This is to provide you with our products and services. Personal data is handled as per the “Procedure for Archival Operations” and the “Personal data protection standard”.

We will retain your personal data for the duration of your use of our service as a customer and to meet legal obligations. The retention period of the personal data will vary depending on how long we need it.

Data subject’s Rights /Customer Rights/

It is essential for customers to manage their personal information. In compliance with the Personal Data Protection Law and the standards of the Personal Information Management System, customers have the following rights:

• To give or refuse consent to the data controller for data collection voluntarily.
• To obtain a copy of relevant information from the data controller in paper or electronic form.
• To be informed about third parties who have received or will receive the data concerning the data subject.
• To notify the data controller to erase data under the law for data erasure.
• To notify the data controller to rectify inaccurate data, make changes, and provide additional data.
• To know whether their data has been collected, processed, and used.
• To file a complaint or provide an explanation on the decision made because of data processing, provide additional data, and request data processing again.
• To transfer a copy of the specified data to a selected data controller.

Customers may submit requests to correct, delete, or restrict the processing of their personal information by sending an email to privacy@golomtbank.com, or by submitting a written request at any of Golomt Bank’s branches. In accordance with the rights outlined above, the bank will take the necessary actions to return, correct, or delete the personal information. Please note that, in compliance with applicable laws, the bank may be required to retain certain information for mandatory retention periods.

Golomt Bank fulfills requests at no charge unless they are clearly unfounded.

Prohibitions for the PII principal

• Using or registering another person’s personal information without permission;
• Unauthorized access and entering false information;
• Sharing your account password or verification code with others;

Contacts

For questions about this privacy policy, contact us at:

• Golomt bank branches and sub-branches
• Customer service: 1800 – 1646 (24/7)
• Email: privacy@golomtbank.com

For suggestions or concerns regarding information security risks, email us at security@golomtbank.com.

2026.04.30