1. How we process your personal data

To manage your relations with us, CaixaBank will process your personal data for different purposes, always in accordance with the applicable laws, respecting your rights and with complete transparency. To manage your relations with us, CaixaBank will process your personal data for different purposes, always in accordance with the applicable laws, respecting your rights and with complete transparency.

For this purpose, in this Privacy Policy, which you can access at any time at www.caixabank.com/politicaprivacidad, you can see complete details on how we will use your data in the relationships we establish with you. Similarly, if you wish, you can request this information on paper at any of our branches. 

The main regulations that regulate our processing of your personal data are:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the GDPR)
  • Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights (hereinafter the LOPD)

2. Who processes your data

Data controller:The data controller for your personal data for contractual relations and business with us ("Contractual Relations") is CaixaBank, S. A. ("CaixaBank"), with tax ID A-08663619 and address at calle Pintor Sorolla, 2-4 Valencia.

Joint data controllers: Furthermore, for certain processing, detailed information for which is provided in this policy, CaixaBank and the CaixaBank Group companies will jointly process your data, jointly deciding on the purposes ("why data is used") and the resources used ("how data is used"), which thus makes them the joint data controllers.

The purposes for which CaixaBank and the CaixaBank Group companies will jointly process your data is described in detail in heading 6 "Types of data processing"

You will also find the list of companies that process your data, as well as the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.

3. Data Protection Officer

CaixaBank and the CaixaBank Group companies have appointed a Data Protection Officer, who will deal with any matters related to the processing of your personal data and the exercising of your rights.

You can contact the Data Protection Officer to send your suggestions, queries or claims by going to: www.caixabank.com/delegadoprotecciondedatos

4. Exercising rights and filing complaints through the Spanish Data Protection Authority (AEPD)

You can exercise your rights to access, rectify, object to processing, delete, restrict processing, transfer your personal data, withdraw consent and not be subject to automated decision-making in accordance with law.

You can exercise these rights through any of the following channels:

  • at our CaixaBank branches open to the public;
  • by using the options provided in your digital banking service and in our mobile applications.
  • at the website address: www.caixabank.com/ejerciciodederechos; and
  • by sending a letter to Apartado de Correos nº 209, Valencia (46080);

Additionally, if you have any complaints related to the processing of your data, you may address them to the Spanish Data Protection Authority (www.agpd.es).

5. Data categories

At CaixaBank, we will process different types of personal data in order to manage the contractual relations you establish with us, to carry out other data processing relating to your status as a customer and, if you have given us your consent, to also process your data for the activities detailed in heading 6.1.

To make them easier to understand, we have arranged the data we process into the categories listed below.

Not all the data categories shown are used for all the types of data processing. In heading 6, where we detail how we process data, you can find, for each specific type of processing, the data categories that are involved. You can thus have the information you need to exercise, if you wish, your rights as laid out in the GDPR, in particular the rights to object and withdraw your consent.

The data categories used for the various types of processing listed in heading 6 are as follows:

  • Data you provided when registering for a service or during your relationship with us, through interviews or forms. This data includes:
     
    • identifying and contact details: your identification document, full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice.
    • socio-economic data: details relating to your job, income or remuneration, household, level of education, assets, tax and fiscal data.
    • financial data: products and services you have with us, relationship with the product (holder, authorised user or representative), MiFID category.
    • biometric data: facial pattern, voice biometrics or fingerprint.
  • Data observed over the course of maintaining our products and services.This data includes:

    • financial data: information on entries and transactions involving checking accounts, including the transaction type, the issuer, the amount, and the purpose, information on investments made and their performance, information on financing operations, statements on debit and credit card transactions, your products with us and payment history.
    • It is important for you to know that we will not process data observed over the course of maintaining products and services that may contain information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the processing of genetic data, biometric data intended to uniquely identify you, health data or data relating to your sex life or orientation ("Sensitive Data")
    • whether or not you are a CaixaBank shareholder.
    • digital data: the data obtained from our communications with you during chats, posts, videoconferences, telephone calls or equivalent means, and the data obtained when you browse through our websites or mobile apps (device ID, advertising ID, IP address and browsing history), if you have accepted the use of cookies and similar technologies on your browsing devices.
    • geographic details: the geolocation data of your mobile device provided by the installation and/or use of our mobile applications, when authorised by you in the settings for the apps themselves.

  • Data inferred or deduced by CaixaBank from analysing and processing the remaining data categories.This data includes:
    • customer groups in categories and segments according to age, assets and estimated income, transactions, consumption habits, preferences or propensities when taking out products, demography and relationship with other customers or categorisation as per the regulation on Markets in Financial Instruments ("MiFID").
    • scoring that assigns probabilities of payment or non-payment or risk limits.
  • Data that you have not provided directly, obtained from sources accessible to the public, public records or external sources. This data includes:

    • asset and credit solvency data obtained from Asnef and Badexcug records
    • risk data maintained in the financial system taken from the database of the Risk Information Centre of the Bank of Spain (CIRBE)
    • data on people or entities included in laws, regulations, guidelines, resolutions, programmes or restrictive measures regarding international economic and financial sanctions, imposed by the United Nations, European Union, Spain, the United Kingdom and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
    • land registry or statistical data obtained from companies that provide socio-economic and demographic statistical studies associated with geographical areas or postal codes, not with specific individuals.
    • data obtained from your browsing of third-party websites (device ID, advertising ID, IP address, browsing history), if you accepted the use of cookies and similar technologies on your browsing devices
    • social network or internet data, which you have made public or that you authorise us to consult.

6. Types of data processing 

We process your data for various different purposes and legal bases:

  • Processing based on your consent
  • Processing required for contractual relations
  • Processing required to comply with regulatory obligations
  • Processing based on CaixaBank's legitimate interest

6.1 PROCESSING BASED ON YOUR CONSENT

The legal basis for this processing is your consent, as laid out in Article 6.1.a) of the General Data Protection Regulation (GDPR).

We might have requested this consent through different channels, e.g. during your customer registration interview, through digital channels, through any Bankia S.A. channel before its merger with CaixaBank or at any of the CaixaBank Group companies. If, for any reason, we have never asked you for your consent, this processing will not apply to you.

You can view the consent you have given or denied, and change your decision at any time and for free at our branches, the CaixaBank website (www.caixabank.es) and CaixaBank Group companies, or through your online account or the CaixaBank mobile apps. References to branches, websites and mobile applications include any of those belonging to Bankia S.A. that remain operational during the technological integration of the company's systems as part of the merger process. 

The processing based on your consent is indicated below from (A) to (E). For each item, we will indicate: a description of the purpose (Purpose), whether or not the processing is carried out jointly with other CaixaBank Group companies (Data Controller/Joint Data Controllers) and data categories processed (Data categories).

In the event that you gave Bankia your consent to process your data for commercial purposes, and not CaixaBank, prior to their merger, CaixaBank will process A, B and C, as indicated below, in accordance with the preferences you indicated to Bankia at that time.

Specifically, the processing described in items A and B below will only be carried out by CaixaBank Group companies, as joint controllers, when you have consented to the communication of data between Bankia group companies (now CaixaBank).

A. Analysis of your data to draw up profiles that help us to offer you products that we think might interest you

Purpose: The purpose of this data processing is to use the data categories indicated below to develop profiles that allow us to identify you with segments of customers with similar characteristics to yours and to suggest products and services that we think might interest you, as well as to determine how often to interact with you.

By means of this processing, we will analyse your data to try to identify your preferences or needs, and thus be able to make you commercial offers that we believe may be of more interest to you than generic offers.

When the offers we wish to propose to you consist of products that involve payment in instalments or financing, we will assess your solvency beforehand to calculate a suitable credit limit we can offer you, in accordance with the principle of responsibility for offering financing products that is required by the Bank of Spain.

It is important for you to know that this processing, including the pre-assessment of your solvency for high-risk products, is limited to the stated purpose of suggesting products and services to you that we think might interest you, and it is not used, under any circumstances, to deny you a product or service or to limit your credit.

Our complete catalogue of products and services is always available to you, and this processing does not prejudge, limit or condition your access to them. If you request them, we will evaluate them with you in accordance with CaixaBank's normal procedures.

We will only process your data in this way if you have given us your express consent for us to do so.Your consent will remain valid until you revoke it.

If you cancel all your products or services with the CaixaBank Group companies, but forget to revoke your consent, we will do so automatically.

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • the data you will have provided us
  • data observed as part of maintaining our products and services, with the exception of sensitive data
  • data inferred or deduced by CaixaBank
  • data that you have not provided us directly.

Joint data controllers: When we process your data in the categories specified for profiling purposes that help us to offer you products that we think might interest you, this is done in concert with the following CaixaBank Group companies, which are then joint controllers:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • CaixaBank Electronic Money, EDE, S.L.
  • VidaCaixa, S.A.U., de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Equipment Finance, S.A.U.
  • Wivai Selectplace, S.A.U.
  • Comercia Global Payments, E.P. S.L.
  • Buildingcenter, S.A.U.
  • Imagintech S.A.

You will find the list of companies that process your data, as well as the essential aspects of the joint data controller agreements at:www.caixabank.es/empresasgrupo

B. Commercial offer of products and services through selected channels

Purpose: The purpose of this data processing is to make available to you commercial offers only through the channels that you have authorised us to do so, as per your consent.

We will only process your data in this way if you have given us your express consent for us to do so. Your consent will remain valid until you revoke it.

If you cancel all your products or services with the CaixaBank Group companies, but forget to revoke your consent, we will do so automatically.

Data categories: The data category we will process for this purpose, the content of which is detailed in heading 5, is:

  • data (identifying and contact) that you will have provided us.

Joint data controllers: The processing of your data in the specified category, for the purpose of informing them of our commercial offer for products and services through the channels selected by you, is done, as joint data controllers, by the same CaixaBank Group companies that are listed in heading 6.1 (A) above. These companies will be able to share data and use them for the same purpose of sending marketing offers.

You will find the list of companies that process your data, as well as the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo

C. Disclosure of data to companies not part of the CaixaBank Group

Purpose: The purpose of this processing is to transfer your data to companies that are not part of the CaixaBank group with which we have agreements, so that they may send you offers of their products.

These third party companies to which we may transfer your data are related to banking, investment and insurance services, shareholdings, venture capital, real estate, transport infrastructure, sale and distribution of goods and services, consultancy services, leisure or charity.

Your authorisation to transfer your data does not mean that we will transfer your data immediately. If we reach an agreement with a third company to transfer your data, the recipient company would inform you of this, as well as of the details of the processing they intend to carry out.

We will only process your data in this way if you have given us your express consent for us to do so. Your consent will remain valid until you revoke it.

If you cancel all your products or services with the CaixaBank Group companies, but forget to revoke your consent, we will do so automatically.

Data categories: The data category we will process for this purpose, the content of which is detailed in heading 5, is:

  • data (identifying and contact) that you will have provided us.

Joint data controllers: When we process your data in the categories specified for the purpose of transferring it to companies that are not in the CaixaBank Group with which we have agreements so that they can offer you the products they market, this is done in concert with the CaixaBank Group companies listed in heading 6.1 (A) above, which are then joint controllers. These companies will be able to share the data and use it for the same purpose of sending marketing offers

You will find the list of companies that process your data, as well as the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo

D. Identification of customers and signing documents using biometrics

Purpose: The purpose of this data processing is to use technical tools that rely on biometrics to verify your identity and your signature in the relationships you maintain with CaixaBank.

By authorising this processing, you allow us to ask you to register your facial image, voice or fingerprints with assistance from biometric identification techniques so that we can compare them to the originals when we need to verify your identity or your acceptance of contracts or operations.

Registering your biometric features is completely voluntary. We will only process your data in this way if you have given us your express consent to do so. Your consent will remain valid until you revoke it.

If you do not consent to this processing, this will not restrict your access to any product or service offered by CaixaBank. In this case, we will verify your identity and signature using means that do not rely on biometrics.

If you cancel all your products or services but forget to revoke your consent, we will do so automatically with the cancellation of your last product and/or service.

Data categories: The data category we will process for this purpose, the content of which is detailed in heading 5, is:

  • data that you will have provided us (biometric data),

Data controller: The data controller is CaixaBank. There is no co-processing with joint controllers.

E. Application of personal conditions to joint accounts 

Purpose: The purpose of this data processing is to apply the discounts or preferential conditions to which you are entitled pursuant to a commercial offer from Caixabank involving products where you are not the only account holder.

Within our commercial offer, customers can sometimes receive discounts or benefits associated with personal characteristics such as age, employment status, the number of products taken out, account balances, or similar.

If these discounts or preferential conditions are applied to products that you share with other customers, they may find out that you meet, or no longer meet, the requirements that give access to these discounts or preferential conditions.

For example, if you have the right to receive discounts because you belong to a specific professional group, such as healthcare or law enforcement, the other account holders would know that you meet this criterion by seeing these discounts applied to the account.

Therefore, and since this circumstance could affect your privacy, we will apply your commercial conditions to those products that are only in your name, and we will only process this data for those products you share with other holders if you have given us your consent, which will remain in force until you withdraw it.

If you cancel all your products or services but forget to revoke your consent, we will do so automatically with the cancellation of your last product and/or service.

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • the data you will have provided us
  • data observed as part of maintaining our products and services, with the exception of sensitive data

Data Controller: The data controller is CaixaBank. There is no co-processing with joint controllers.

6.2 PROCESSING REQUIRED FOR CONTRACTUAL RELATIONSHIPS

The legal basis of this data processing is that it is necessary to manage contracts that you request or to which you are a party, or to apply precontractual measures if you request them, as established in art. 6.1.b) of the General Data Protection Regulation (GDPR).

Therefore, this processing is necessary for you to establish and maintain Contractual Relations with us. If you object to it, we will end these relations, or we cannot establish them if they have not yet started.

The types of processing required to establish contractual relations are listed below, arranged from (A) to (C). We will indicate for each of them: a description of the purpose (Purpose), whether or not the processing is carried out jointly with other CaixaBank Group companies (Data Controller/Joint Data Controllers) and data categories processed (Data categories)

A. Signing, maintenance and performance of Contractual Relations

Purpose: The purpose of this data processing is to formalise and maintain the Contractual Relations that we establish.

This includes the processing of your applications or mandates and the procedures prior to requesting a service (pre-contractual relations) and processing your requests to take part in draws, promotions or events.

This data processing involves collecting the information necessary to establish or to manage the application, to evaluate the suitability of the product and to process the information needed to properly maintain and execute the contracts.

The processing operations involved in signing, maintaining and performing the Contractual Relations are:

  • Collection and registration of the data and documents needed to apply for the products requested
  • Formalising the signing of the contracts for the products and services
  • Managing the products and services you have taken out with us, including the handling of any associated incidents and the annotation and verification of accounting entries for receiving and making product payments
  • Adjusting measures to resolve any potential default payments, including claims for non-payment
  • Carrying out the communications derived from managing the Contractual Relations
  • Monitoring and responding to your complaints and/or claims
  • Processing your applications to take part in prize draws, promotions or events, including managing said applications

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • Data provided by you
  • Data observed as part of maintaining our products and services, with the exception of sensitive data

Data controller: The data controller is CaixaBank. There is no co-processing with joint controllers.

Furthermore, if the product or service you apply for is marketed by CaixaBank but issued by another company, said other company will be responsible for processing your data in relation to that contract.

This means that if you open a pension with or take out insurance from VidaCaixa or SegurCaixa, or a card issued by CaixaBank Payments & Consumer, through CaixaBank, these companies will be the controllers of your data as the issuers of the products.

We will inform you about this in detail in the contractual documentation for each product or service.

B. Analysis of the suitability and appropriateness of investment products

Purpose: The purpose of this data processing is to assess your suitability for applying for investment products and services, as established by the regulations applicable to said products and services.

This data processing involves collecting the information needed to assess your suitability to take out certain investment products and services and to monitor, as applicable, the appropriateness of the product.

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • Data provided by you
  • Data observed as part of maintaining our products and services, with the exception of sensitive data

Data controller: The data controller is CaixaBank. There is no co-processing with joint controllers.

C. Analysis of the solvency and ability to repay of applicants for products that involve financing.

Purpose: The purpose of this data processing is to assess whether applicants for products or services that involve the repayment of loans or credits, or deferred instalments, have the solvency and repayment capacity needed to make the payments required as part of the operations in question.

Detailed information on the solvency and repayment capacity analysis process that will be carried out when you request operations involving the repayment of loans or credits, or the deferred payment of instalments, will be provided in the transaction request you will be required to sign when you apply for these products.

This information will detail the data processing operations needed to handle your request, as well as the consequences of not accepting them.Without prejudice to the above, you will find basic information on this processing below.

The processing operations involved when analysing the solvency and ability to repay of applicants who request lending transactions are:

  • Collection and registration of the data and documents needed to evaluate the applicants' solvency and ability to repay
  • The application of scoring models to their data, consisting of statistical analyses of sociodemographic and economic variables. Specifically, a profile of the applicant will be drawn up, to include:
    • The type of operation requested (payment, term, purpose)
    • Socio-economic information on the applicant (residence, age and commercial segment to which the applicant belongs)
    • The applicant's overall financial status (balances, income, expenses)
    • Information obtained from external databases documenting failures to comply with monetary obligations, as well as risk assessments provided by other financial institutions to the Risk Information Centre of the Bank of Spain

This profile assigns a specific value to each of these aspects involving the applicant and their request, the sum of which provides a score indicative of the probability of a non-performing loan or non-fulfilment of a financial obligation, should the requested transaction be approved. The importance of each variable and its influence on the final result is calculated beforehand using risk assessment, management and control models overseen by the Bank of Spain and that are included in the bank's internal risk policies.

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • Data provided by you
  • Data observed as part of maintaining our products and services, with the exception of sensitive data
  • Data inferred or deduced by CaixaBank
  • Data that you have not provided us directly

Joint data controllers: Sector regulations on the prudential and solvency requirements that apply to the financial sector require that a credit operation be granted to customers jointly by all the companies that comprise the same consolidated group of credit institutions.

As a result, the following CaixaBank Group companies operate as joint controllers in the process of analysing the solvency and repayment capacity of customers who apply for lending transactions. These companies will be able to share data and use it for the indicated purpose.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Telefónica Consumer Finance, E.F.C., S.A.
  • CaixaBank Equipment Finance, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Hipotecaixa 2, S.L.U.
  • Banco BPI, S.A.

You will find the list of companies that process your data, as well as the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo 

6.3 PROCESSING REQUIRED TO COMPLY WITH REGULATORY OBLIGATIONS 

The legal basis of this processing is the requirement to comply with a legal obligation that is required of us, as laid out in Article 6.1.c) of the General Data Protection Regulation (GDPR).

Therefore, it is necessary for you to establish and maintain Contractual Relations with us. If you object to it, we will need to end these relations, or we cannot establish them if they have not yet started.

The types of processing required to satisfy the regulatory requirements are listed below, arranged from (A) to (D). We will indicate for each of them: a description of the purpose (Purpose), whether or not the processing is carried out jointly with other CaixaBank Group companies (Data Controller/Joint Data Controllers) and data categories processed (Data categories)

A. Processing to comply with anti-money laundering and terrorist financing regulations

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by Law 10/2010, on the Prevention of Money Laundering and Terrorist Financing.

The processing operations that are carried out to comply with anti-money laundering and terrorist financing regulations are:

  • Collect information and documentation that allows customers to comply with due diligence and knowledge measures
  • Check if you hold or have held a position of public trust
  • To check the information you provide us, comparing it with external sources or public databases, official gazettes or companies which provide information services.
  • Check your relationship with companies and, if necessary, your controlling position within their ownership structure
  • Report and update your information monthly in the Financial Ownership File, managed by the Executive Service of the Commission to Prevent Money
  • Laundering and Financial Crimes (SEPBLAC)

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • Data provided by you
  • Data observed as part of maintaining our products and services, with the exception of sensitive data
  • Data inferred or deduced by CaixaBank
  • Data that you have not provided us directly.

Joint data controllers: The following CaixaBank Group companies are joint data controllers in those processing operations that are carried out to satisfy their obligation to prevent money laundering and the financing of terrorism. These companies will be able to share data and use it for the indicated purpose.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa SA de Seguros y Reaseguros
  • BPI Vida e Pensões – Companhia de Seguros, S.A.
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • CaixaBank Wealth Management Luxembourg, S.A.
  • CaixaBank Asset Management Luxembourg, S.A.
  • BPI Gestão de Ativos, SGOIC, S.A.
  • Banco BPI, S.A.
  • CaixaBank Titulización, S.G.F.T., S.A.U.

B. Processing to comply with tax regulations

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by Law 58/2003 of 17 December, the General Tax Law, and other applicable tax laws.

The processing operations carried out to comply with tax regulations are:

  • Collection of information and documentation regarding your tax situation as required by tax laws
  • Reporting to government agencies details relating to your tax situation when required by law or by the authority

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • Data provided by you
  • Data observed as part of maintaining our products and services, with the exception of sensitive data

Joint data controllers: The following CaixaBank Group companies are joint data controllers in those processing operations that are carried out to comply with tax laws. These companies will be able to share data and use it for the indicated purpose.

  • CaixaBank, S.A.
  • VidaCaixa SA de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U
  • CaixaBank Titulización, S.G.F.T., S.A.U.
  • CaixaBank Notas Minoristas, S.A.U.

C. Processing to comply with obligations arising from sanctions policies and international financial countermeasures

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by the international financial sanctions and countermeasures programmes adopted by the European Union and the Kingdom of Spain.

The processing operations that are carried out to comply with international sanctions and financial countermeasures programmes are:

  • To check if you are found on lists of people or entities included in laws, regulations, guidelines, resolutions, programmes or restrictive measures regarding international economic and financial sanctions, imposed by the United Nations, European Union, Spain, the United Kingdom and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • Data provided by you
  • Data that you have not provided us directly.

Joint data controllers: The following CaixaBank Group companies are joint data controllers in those processing operations that are carried out to satisfy their obligations arising from international sanctions policies and financial countermeasures. These companies will be able to share data and use it for the indicated purpose.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa SA de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Electronic Money EDE, S.L. (MoneyToPay)
  • CaixaBank Asset Management SGIIC, S.A.U
  • Telefónica Consumer Finance, E.F.C., S.A.
    Buildingcenter, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Banco BPI, S.A.
  • CaixaBank Wealth Management Luxembourg, S.A.

D. Processing to comply with obligations for granting and managing credit transactions and for consulting and reporting risks with the Bank of Spain's Risk Information Centre (CIRBE)

Purpose: The purpose of this processing is to comply with the measures established for our activity by Law 44/2002, on Financial System Reform Measures; Law 10/2014, of 26 June, on the Regulation, Supervision and Solvency of Credit Institutions, and other regulatory principles and obligations on responsible lending.

The processing operations that are carried out to comply with our obligations involving credit operations are:

  • To analyse your repayment capacity during the application process and for the duration of the lending operations you have with us, for internal risk management and to prevent non-payment of the loan or credit.
  • To check the risks associated with the applicants and holders of loan transactions with the Bank of Spain's Risk Information Centre (CIRBE)
  • To provide the Bank of Spain's Risk Information Centre (CIRBE) with the details necessary to identify the people with whom they have credit risks

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • Data provided by you
  • Data observed as part of maintaining our products and services, with the
  • exception of sensitive data
  • Data inferred or deduced by CaixaBank
  • Data that you have not provided us directly.

Joint data controllers: The following CaixaBank Group companies are joint data controllers in those processing operations that are carried out to satisfy their obligations for the granting and management of credit transactions and the consultation and disclosure of risks to the Bank of Spain's Risk Information Centre (CIRBE). These companies will be able to share data and use it for the indicated purpose.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Telefónica Consumer Finance, E.F.C., S.A.
  • CaixaBank Equipment Finance, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Hipotecaixa 2, S.L.U.
  • Banco BPI, S.A.

You will find the list of companies that process your data, as well as the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo 

6.4 PROCESSING BASED ON CAIXABANK'S LEGITIMATE INTEREST

The legal basis of this processing is the legitimate interest pursued by CaixaBank or a third party, provided that these interests do not take precedence over your interests, or your fundamental rights and freedoms, as per art. 6.1. f) of the General Data Protection Regulation (GDPR).

This processing will imply that we have considered your rights and our legitimate interest and we have concluded that the latter prevails. Otherwise, we would not process the data. You can ask about the analysis that is done to weigh the legitimate interest of a processing operation at any time by emailing your enquiry to delegado.proteccion.datos@caixabank.com

We also remind you that you have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in section 4.

This processing is indicated below, arranged from (A) to (C). We will indicate for each of them: the legitimate interest of CaixaBank, a description of the purpose (Purpose), whether or not the processing is carried out jointly with other CaixaBank Group companies (Data Controller/Joint Data Controllers), and the data categories used (categories of processed data).

A. Management of the performance of employees, agents and suppliers

Legitimate Interest of CaixaBank: CaixaBank's legitimate interest in this process is to manage its relations with employees and suppliers based on an analysis of their professional performance.

Purpose: The purpose of this processing is to analyse the operations and products that employees, agents and suppliers process involving customers, in order to monitor their professional performance.

These data processing activities deal with customer information, but their information is ancillary to the purpose pursued. This processing has no effect or consequence on the data subject.

The processing operations that are carried out to manage the performance of employees, agents and suppliers are:

  • Monitoring of the commercial activity of employees, agents and suppliers to calculate incentives and prizes

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • Data provided by you
  • Data observed as part of maintaining our products and services, with the exception of sensitive data
  • Data inferred or deduced by CaixaBank
  • Data that you have not provided us directly

Data controller:The data controller is CaixaBank. There is no co-processing with joint controllers.

B. Combatting fraud

Legitimate Interest of CaixaBank: CaixaBank's legitimate interest in processing the data is to avoid fraud that results in economic or reputational losses for the bank.

Purpose: The purpose of this processing is to combat fraud that can affect both CaixaBank and you and the rest of our customers.

The processing operations carried out to prevent fraud are:

  • To confirm your identity and the validity of the identification documents provided with national and international databases managed by law enforcement and similar agencies, like INTERPOL (International Criminal Police Organization), to confirm that you are the holder of the identification document you provide us and to protect you from identity theft (when another person pretends to be you). 
  • To review and analyse the contracts and operations carried out in our systems to protect our customers from fraud through electronic channels and prevent cyberattacks.

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • Data provided by you
  • Data observed as part of maintaining our products and services, with the exception of sensitive data
  • Data inferred or deduced by CaixaBank
  • Data that you have not provided us directly

Data controller:The data controller is CaixaBank. There is no co-processing with joint controllers.

C. Creation of statistical reports to monitor and manage CaixaBank's activity

Legitimate Interest of CaixaBank: CaixaBank's legitimate interest is to monitor the Entity's business performance, study the behaviour and performance of its customer, product and service portfolios and design new ones.

Purpose: The purpose of this processing is to prepare statistical reports and mathematical models that allow the Entity to monitor its activity.
The processing operations carried out when preparing statistical reports to monitor and manage CaixaBank's activity are:

  • Grouping the customer data and their contractual relationships to prepare statistics
  • Processing the statistical data to prepare management reports and create mathematical models

Data categories: The categories of data we will process for this purpose, the content of which is detailed in heading 5, are:

  • Data provided by you
  • Data observed as part of maintaining our products and services, with the exception of sensitive data
  • Data inferred or deduced by CaixaBank
  • Data that you have not provided us directly

Data controller:The data controller is CaixaBank. There is no co-processing with joint controllers.

7. Recipients of the data

Data controller and joint data controllers

The data we process in your role as CaixaBank customer is processed at CaixaBank. If data is processed by joint data controllers, it will be processed by CaixaBank Group companies in accordance with the previous processing sections.

Authorities or official bodies

Credit institutions such as CaixaBank and other payment service providers may be legally required to provide information on transactions we carry out to authorities or official bodies in other countries located both within and outside the European Union. This obligation is within the scope of the fight against financing terrorism, serious forms of organised crime, and money laundering, as well as the prudential supervision of credit institutions by the Bank of Spain and the European Central Bank.

This obligation may also apply to payment services and technology service providers with which we maintain relations and to which we send data to carry out transactions.

Records relating to the fulfilment or non-fulfilment of financial obligations

If you stop making payments in relation to any of the monetary obligations you have undertaken with us pursuant to our Contractual Relations, we will be able to disclose payment default details to the following credit information systems in the conditions and requirements outlined in regulations:

  • Asnef Record: Asnef Equifax Servicios de Información sobre Solvencia y Crédito. Apartado de correos10546, 28080 Madrid (sac@equifax.es)
  • Badexcug Record: Apartado de correos 1188, 28108 Alcobendas (badexcug@experian.com)

We inform you that you can exercise your rights to access, rectify, object to processing, delete, restrict processing, transfer your personal data and not be subject to automated decision-making in accordance with law with these records regarding fulfilment or non-fulfilment at the indicated addresses.

Disclosure of data to outsourced service providers

Sometimes we use service providers with potential access to personal data.

Such providers grant an adequate, sufficient safeguarding service when it comes to processing your data, since we carefully screen service providers by including specific demands in the event that their services involve the need to process personal data.

The type of services we can assign to service providers is:

  • Financial back office services
  • Administrative support services
  • Audit and consulting services
  • Legal services and asset and non-payment recovery services
  • Payment services
  • Marketing and advertising services
  • Survey services
  • Call centre services
  • Logistical services
  • Physical security services
  • Computer services (system and information security, cybersecurity, information systems, architecture, hosting, data processing)
  • Telecommunications services (voice and data)
  • Printing, enveloping, postal and courier services
  • Data storage and destruction services (digital and physical)
  • Maintenance services for buildings, installations and equipment

8. Data storage periods

Storage for maintaining Contractual Relations

We will process your data as long as the Contractual Relations we have established remain in force.

Storage of authorisations for processing based on consent

We will process the data based on your consent, until you revoke it.

If you cancel all your product and service contracts with the CaixaBank Group companies but do not withdraw the consent you have given us, we will automatically void said consent until you stop being our customer.

Storage to comply with legal obligations and to formulate, exercise and defend claims

Once authorisations for use have been revoked as you have withdrawn your consent, or the contractual or business relations established with us have ended, we will only keep your data to comply with legal obligations and to allow you to formulate, exercise or defend claims during the limitation period for actions derived from these contractual relations.

We will process this data by applying the technical and organisational measures required to guarantee that it is only used for these purposes.

Data destruction

We will destroy your data when the retention periods imposed by the regulations governing CaixaBank's activity have passed and the limitation periods for administrative or judicial actions arising from the relations established between you and us have elapsed.

9. Data transfers outside the European Economic Area

At CaixaBank we process your data within the European Economic Area and generally we have service providers located within the European Economic Area or in countries determined to have an adequate level of data protection.

If we need to use service providers which carry out processing outside the European Economic Area or in countries not determined to have an adequate level of data protection, we will ensure that your data is processed in a secure and legitimate manner.

For this purpose, we require these service providers to apply suitable guarantees in accordance with the GDPR, such as binding corporate standards guaranteeing information protection in a similar way to European standards or to subscribe to the standard clauses of the European Union.

10. Automated decisions

Automated decisions
If during the Contractual Relations you maintain with us, we adopt decisions that could establish legal effects for you or could significantly affect you (for example, to not allow you to take out a certain product) based solely and exclusively on automated processing (i.e. without the participation of a person), we will inform you of this, as well as of the logic through which we adopted it, in the contractual documentation of the product or service you have requested.

Moreover, at that time, we will also adopt measures to safeguard your rights and interests by giving you the right to human involvement, to express your views and to challenge the decision.

11. Review

We will revise this Privacy Policy whenever necessary to keep you duly informed, for example, when publishing new standards or criteria or when we engage in new processing activities.

We will notify you through the usual communication channels whenever there are substantial or important changes to this privacy policy.