Privacy Policy

October 2023 version

1. How we process your personal data

To manage your relationship with us, at CaixaBank we will process your personal data for different purposes, always in accordance with the provisions set out in current regulations, respecting your rights and in complete transparency.

To this end, in this Privacy Policy, which you may access at any time via www.caixabank.com/politicaprivacidad, you may view the full details on how we will use your data during the relationship we establish with you. Similarly, if you so desire, you may request this information in printed format at any of our branches.

The main regulations that govern the processing we will perform on your personal data are:

• Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, regarding the protection of individuals as regards personal data processing and the free flow of such data, repealing Directive 95/46/EC (hereinafter, the GDPR)
• Organic Law 3/2018 of 5 December on Personal Data Protection and Digital Rights Guarantee (hereinafter LOPD (Personal Data Protection Act)).

This policy is based on the privacy and data protection principles approved by the Board of Directors of CaixaBank, which you can consult on the website www.caixabank.com/en/shareholders-investors/corporate-governance/corporate-documents.html  

2. Who processes your data

Data controller: The party responsible for processing your personal data in your contractual and business relationships with us ("Contractual Relationships") is CaixaBank, S.A.("CaixaBank"), with tax ID number A-08663619 and address at calle Pintor Sorolla, 2-4, Valencia.

Processing co-controllers: Additionally, for certain types of processing, which we inform you about in detail in our policy, CaixaBank will process your data jointly with other companies, jointly deciding on the purposes (“what the data are used for”) and the means used (“how the data are used”) and are therefore jointly responsible for such processing.

The processing for which CaixaBank will jointly process your data with other companies is described in detail in Section 6 "What processing do we carry out with your data?".

You will also find the list of companies that process your data, as well as the essential aspects of the processing agreements subject to shared responsibility at: www.caixabank.es/empresasgrupo.

3. Data Protection Officer

CaixaBank and the CaixaBank Group companies have appointed a Data Protection Officer, who will attend to any questions you may have regarding your personal data processing and the exercise of your rights.

You may contact the Data Protection Officer to make suggestions, enquiries,         doubts        or       complaints              a        at               the        following   address:
www.caixabank.com/delegadoprotecciondedatos.

4. Exercising rights and lodging complaints with the Spanish Data Protection Authority (AEPD)

You may exercise your rights to access, rectification, objection, erasure, restriction, data portability, withdraw your consent and to not be subject to automated decisions, in accordance with the law.

You may ask to exercise your rights over the following channels:

• at our CaixaBank branches open to the public;
• by using the options provided in your online banking service and in our mobile applications;
• by writing to the e-mail address: www.caixabank.com/ejerciciodederechos and
• by sending a letter to Apartado de Correos 209, Valencia, with postal code 46080.

Additionally, if you have any complaint arising from the processing of your data, you may address it to the Spanish Data Protection Agency (www agpd.es).

5. Processed data

We will use the data specified below for the processing set out in our Privacy Policy.

Not all the data that we specify are used for all data processing activities. In Section 6, where we detail the data processing we do, you can check specifically for each kind of processing the types of data that are used.

In the event of the processing based on your consent, we will additionally inform you of the details of the specific data that are used.

The classifications and details of the data used in the processing set out section 6 are as follows:

Data that you have provided when signing your contracts or during your relationship with us by means or interview or forms.

These are the types and contents of the data:

• Personal and contact data: full name, sex, postal, telephone and electronic contact information, home address, nationality, date of birth, language of communication, identifying document, image and voice.
• Information about your professional or work activity, and socioeconomic data: professional or work activity, income or remuneration, family unit, education level, assets, and fiscal and tax data.
• Biometric data: when you authorise it, facial pattern, voice biometrics, signature stroke or fingerprint pattern.
• Data on legal capacity: data on a person's capacity to act, as established by a court ruling.
• Data on particular communication needs: the data provided by disabled interested parties to enable accessible communication and operational management.
• Sensitive data regarding situations of vulnerability: data related to personal situations of vulnerability that may be needed to adopt special measures when managing the contracts requested by the holders, or the adoption of measures set out in R.D.L. 6/2012, on urgent measures to protect mortgage holders without resources.

Data observed in the contracting and maintenance of products and services that are marketed to you (own or third-party).

These are the types and contents of the data:

• Contracting data: contracted or requested products and services, status of the holder, authorised parties or representative for the contracted product and service, categorisation according to the regulation on stock markets and financial instruments (MiFID category), information on investments made and their evolution, and information and movements of finance transactions.
• Basic financial data: current and historic balances of products and services and payment history regarding contracted services and products.
• Third-party data from statements and receipts of current accounts and payment accounts: the information of the entries and movements that issuing third parties carry out on your accounts, including the type of transaction, issuer, amount and concept as these appear on your receipts and statements for debit, credit and prepaid card transactions.
• Data on your shareholder status, or not, of CaixaBank: if you hold, or not, CaixaBank shares.
• Data on any communication with you: data obtained from chats, walls, video conferences, telephone calls or any other equivalent means of communication.
• Own browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing through our websites or mobile applications and the browsing you carry out on such sites or applications: browsing history (websites visited and clicks on content), device ID, advertising ID, IP address and installed version of the application.
• Geographical data: when you have granted the pertinent authorisation in the set-up of the application itself, data on the location of the premises where your card transactions are carried out and the geolocation data of your mobile device provided through the installation and/or use of our mobile applications.

Data inferred or deduced from the analysis and processing of the rest of the data. These are the types and contents of the data:

• Data obtained from the performance of other processing operations provided for in this policy: data obtained from the processing operations provided for herein, which will be specified in the information on the processing operations to which it applies.
• Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to customer data to fight fraud, deduce consumer habits, preferences or propensity to contract or classify customers, fulfil our regulatory obligations and manage the operational aspects of your products and/or services.

Data obtained from sources accessible to the public, public registers or external sources. These are the types and contents of the data:

• Data on credit information systems: results from consulting the Asnef and Badexcug creditworthiness files, which provide information about debt, capital solvency and credit (debtor, creditor and debt).
• Equifax RISK SCORE information: In operations involving financing or payment in instalments, we will use the results provided by this deduction system for situations of default at 12 months, calculated by Equifax applying statistical and mathematical models to your data (DNI, the postcode for your residence and your details in credit information systems).
• CIRBE data: we will check if you have risk (financing) with other entities. We will obtain this information from the Bank of Spain Credit Reporting Agency (CIRBE).
• Data held by the General Social Security Treasury: identifying and contact data of the payer, data on professional or occupational activity (CNAE, self-employed worker and/or employee, contribution group of the worker).
• Data related to international sanctions: data on persons or entities that are included in laws, regulations, directives, resolutions, programmes or measures of a restrictive nature involving international economic/financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, as well as by the Office of Financial Sanctions Implementation (OFSI) of His Majesty's Treasury (HMT) in the United Kingdom and/or the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC).
• Demographic and socioeconomic data: statistical data not associated with specific persons but with geographical areas, age sectors or professional activity sectors, which we will use in relation to the information of the clients.
• Data on properties and vehicles associated with you: data obtained from the land registry and basic data on vehicles obtained from the Spanish Traffic Directorate, which we will use to add to the information on your properties and vehicles.
• Data on directors, functional officers and corporate relationships: data extracted from the INFORMA databases, which we will use to add to the information on your activity.
• Data on agricultural subsidies and insurance: data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Institution (ENESA).
• Data from third-party companies where you have given your consent to share them with us: your data processed by other companies with which we have agreements, and which you have authorised to share your information with us.
• Data obtained from sources accessible to the public and public registers: data provided by public access sources and public registers to contrast the information that you provide to us in the registration, maintenance and fulfilment of the Contractual Relationships, information from the Equifax Bankruptcy Situation Enquiries file and additional data obtained from telephone directories (White Pages, Yellow Pages, net) and from the INFORMA database, to contact our clients in the event of contractual default on obligations.

These databases are legitimised in advance to hold this information.

• Browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing through third-party websites or mobile applications and the browsing you carry out on such sites or applications: browsing history (websites visited and clicks on content), device ID, advertising ID, IP address.
• Social media or internet data: social media or internet data that you authorise us to consult.

6. What processing do we carry out with your data?

The processing tasks that we will carry out with your data are various, and they answer to different purposes and legal basis:

• Processing based on consent
• Processing necessary for executing Contractual Relationships
• Processing necessary for compliance with regulatory obligations
• Processing based on the legitimate interest of CaixaBank

In addition to the general processing that we specify below, we may carry out specific processing not mentioned in the aforementioned policy derived from applications made by you regarding products or services. We will provide you with the detailed information on such processing when we handle the specific request.

6.1 PROCESSING BASED ON CONSENT

The legal basis for this processing is your consent, according to the provisions of Article 6.1.a) of the General Data Protection Regulation (GDPR).

We may have requested this consent through various channels, for example, in the interview in which you registered as a customer, via your (in-person or remote) adviser or via our electronic service channels and mobile applications, through any channel of Bankia S.A. before its merger with CaixaBank, or through any of the various CaixaBank Group companies that may be co-controllers of the specific processing.

If for any circumstance, we have never requested your consent, such processing will not apply to you.

You may also check the authorisations that you have consented to or refused, and modify your decision at any time and free of charge at our branches, on the CaixaBank website (www.caixabank.es) and on those of the companies that are co-controllers of the specific processing, or in your private area of the CaixaBank website or mobile applications.

The processing types based on your consent are indicated below, arranged from (A) to the (D). We will point out for each of them: the description of the purpose(Purpose), the detail of data processed (Types of data or Data processed), if applicable, information on the use of profiles (Use of Profiles), other information necessary involving the processing (Other relevant information) and if the data are being processed under a joint responsibility regime with other companies in the CaixaBank Group (Controller/Joint Controllers).

If you gave your consent to process your data for commercial purposes not to CaixaBank but to Bankia prior to its merger with CaixaBank, processing types A, B and C indicated below will be done in accordance with the preferences you provided at the time to Bankia.

In particular, the processing described in sections A and B below will only be conducted by the companies of the CaixaBank group as co-controllers, if you have consented to the communication of data between the companies of the Bankia group (now CaixaBank).

A. Customisation of products and services based on an analysis of your data

Purpose: If we have your consent, we will use the data indicated below, to develop your commercial profile that would allow us to deduce your preferences or needs so that we can offer you, via your adviser (in person or remotely), the products and services marketed by partner companies that we believe could be of interest to you based on the preferences and needs we have deduced.

Through this processing of your data, we will be able to send you commercial offers that we believe may appeal more to you than generic offers.

Furthermore, in the event that you authorise us for “Communication of the product and service offering via channels” (Section 6.1.B), we will offer you the products and services marketed by the co-controller companies that we believe may be of interest to you based on your preferences and needs deduced through any other channels that you authorise us to use.

Data processed: This processing will not involve data that contains information which reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the processing of generic data, biometric data aimed at identifying you in an unequivocal manner, data relating to your health or to your private life or sexual orientation.

The data that we will process for this purpose are:

• Personal and contact data: full name, gender, postal contact information, telephone number and email address, place of residence, nationality and date of birth, language for communications, identification document.
• Information about your professional or work activity, and socioeconomic data: professional or work activity, income or remuneration, family unit, education level, assets, and fiscal and tax data.
• Contracting data: contracted or requested products and services (own or of third parties), holder's condition, authorised or representative of the contracted product and service, categorisation according to regulations with regard to stock markets and financial instruments (MiFID category), information on investments made and their evolution and information and movements of financing operations.
• Basic financial data: current and historic balances of products and services and payment history regarding the payment of products and contracted services (own or of third parties).
• Third-party data from statements and receipts of current accounts and payment accounts: the information of the entries and movements that issuing third parties carry out on your accounts, including the type of transaction, issuer, amount and concept as these appear on your receipts and statements for debit, credit and prepaid card transactions.
• Data on your shareholder status, or not, of CaixaBank: if you hold, or not, CaixaBank shares.
• Data on any communication with you: data obtained from chats, walls, video conferences, telephone calls or any other equivalent means of communication.
• Own browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing through our websites or mobile applications and the browsing you carry out on such sites or applications: browsing history (websites visited and clicks on content), device ID, advertising ID, IP address and installed version of the application.
• Geographical data: when you have granted the pertinent authorisation in the set-up of the application itself, data on the location of the premises where your card transactions are carried out and the geolocation data of your mobile device provided through the installation and/or use of our mobile applications. 

• Data obtained from the performance of other processing operations provided for in this policy:
  • Risk assessment or scoring data: in operations involving financing or payments in instalments, we will infer your payment or non-payment capacity or the risk limits by applying statistical-mathematical models that are calculated using your data (processing defined in section 6.2.C).
  • Customer classification data. (processing defined in section 6.4.A).
• Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to customer data to deduce consumer habits, preferences or propensity to contract or classify customers.
• Demographic and socioeconomic data: statistical data not associated with specific persons but with geographical areas, age sectors or professional activity sectors, which we will use in relation to the information of the clients.
• Data on properties and vehicles associated with you: data obtained from the land registry and basic data on vehicles obtained from the Spanish Traffic Directorate, which we will use to add to the information on your properties and vehicles.
• Data on directors, functional officers and corporate relationships: data extracted from the INFORMA databases, which we will use to add to the information on your activity.
• Data on agricultural subsidies and insurance: data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Institution (ENESA).
• Data from third-party companies where you have given your consent to share them with us: your data processed by other companies with which we have agreements, and which you have authorised to share your information with us.
• Browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing through third-party websites or mobile applications and the browsing you carry out on such sites or applications: browsing history (websites visited and clicks on content), device ID, advertising ID, IP address.
• Social media or internet data: social media or internet data that you authorise us to consult.

Use of profiles: For this processing, we will create a commercial profile that we will use exclusively to customise your product and service offerings.

• Purpose of the profile: The purpose of the profile is to identify the products and services we think may interest you, based on the information we have, in order to offer you these specific contracting options instead of sending you generic commercial offers.
• Consequences: If you authorise the processing, we will use commercial profiles to decide which products or services to offer you. If you do not give your authorisation, we will not use your information to customise our commercial offer.
  We do not use this profiling, under any circumstances, to refuse any product or service, or to set credit limits. Refusal to accept this processing will not prevent, limit or condition your access to our full catalogue of products and services that is always available to you.
  If you apply for any product or service, your application will be assessed in accordance with our regular procedures, without the acceptance or not of the analysis of your data to customise the products and services affecting this assessment.
  The non-acceptance of this processing will not prevent us from contacting you in order to carry out the operational management of the products and services you have contracted. 

• Logic: The profile of a customer is calculated based on the data indicated in the section "Processed data". These data are subject to the application of mathematical formulas obtained from past behaviours observed in customers of similar characteristics, with a view to deducing the customer's future behaviour. These mathematical formulas allow us to determine the importance of all the data processed in the final result of the applicant's profile. This final result is the probability that the customer will be interested in a product or service.

Other relevant information: Below, you will find other relevant information on this processing:

• Preliminary check of your ability to pay: When the offers of products or services we want to offer you involve financing or the payment of instalments, we will first verify your ability to pay.
  We will do this preliminary check by way of the processing detailed in section 6.2.C in order to offer you a suitable credit limit and repayment period based on our knowledge of your financial situation, in keeping with the principles of responsibility when offering financing products required by the Bank of Spain, and with the regulation on prudential supervision and solvency of credit entities and responsible lending.
  The non-acceptance of this processing does not impede, limit or condition your access to our catalogue of financing products and services that, if requested by you, will be evaluated with you following our usual procedures.

• Validity of the processing: We will only process your data if you have given us your consent for this, which will remain valid until you withdraw it. If you cancel all your products or services with us, but forget to revoke your consent, we will do so automatically.

Processing co-controllers: The following CaixaBank Group companies are joint data controllers of this data processing:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Wivai Select Place, S.A.U.
• ImaginersGen, S.A.
• VidaCaixa, S.A.U. de Seguros y Reaseguros

You can find the essential aspects of the joint processing agreements at: www.caixabank.es/empresasgrupo.

B. Communication of the product and service offering via channels

Purpose:  If we have your consent, we will provide you with our product and service offering via the following channels you have authorised: mobile applications, digital environments and electronic channels, letters or telephone.

The data that we will use to communicate with you using the channels that you authorise will vary depending on whether you have authorised us or not to customise our products and services based on an analysis of your data:

• If we do not have your consent to customise our commercial offer (processing A above), we will only use your identification and contact details to send you generic offers.
• If you have given us your consent to customise our commercial products and services (processing A above), we will also use the information in your commercial profile that is detailed in process 6.1. A, to send you personalised offers.

Data processed: This processing will not involve data that contains information which reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the processing of generic data, biometric data aimed at identifying you in an unequivocal manner, data relating to your health or to your private life or sexual orientation.

The data that we will process for this purpose are:

• Personal and contact data: full name, gender, postal contact information, telephone number and email address, place of residence, language for communications.
• Data obtained from the performance of other processing operations provided for in this policy:
  • Details of the customisation of our products and services based on an analysis of your data: If you have given us your consent to customise our commercial products and services (processing A above), we will also use the information in your commercial profile that is detailed in process 6.1.A of the Privacy policy, to inform you of customised offers.

Other relevant information: Below, you will find other relevant information on this processing:

• Validity of the processing: We will only process your data if you have given us your consent for this, which will remain valid until you withdraw it. If you cancel all your products or services with us but forget to revoke your consent, we will do so automatically.

Processing co-controllers: The following CaixaBank Group companies are joint data controllers of this data processing:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Wivai Select Place, S.A.U.
• ImaginersGen, S.A.
• VidaCaixa, S.A.U. de Seguros y Reaseguros

You can find the essential aspects of the joint processing agreements at: www.caixabank.es/empresasgrupo.

C. Disclosure of data to other companies for the purpose of sending commercial offers

Purpose: If we receive your consent, we will transfer the data indicated below to other companies with which we hold agreements with the aim of such companies providing you with commercial offers of products and services that they market.

If you do not consent to this processing, we will not transfer your data; if you consent, the data we will disclose to other companies will vary depending on whether or not you authorised us to customise our products and services based on an analysis of your data:

• If we do not have your consent to customise our commercial offer (processing A above), we will only provide your identification and contact details to these companies.
• If you have granted your consent for us to customise our commercial offer (processing A above), we will also provide those companies with information included in your commercial profile, mainly the information deduced from your preferences and needs, as well as information deduced from your probability to pay or not, or on risk limits.

These third-party companies to which we might transfer your data are dedicated to the following activities:

• banking
• investment services
• insurance and reinsurance
• venture capital
• property
• transportation
• sale and distribution of goods and services,
• consultancy services
• leisure
• charity

Data processed: For this processing, we will not use data containing information that reveals your ethnic or racial origin, your political opinions, your religious or philosophical convictions, your union membership, the processing of genetic data, biometric data intended to identify you unequivocally, data pertaining to your health, or data pertaining to your sex life or sexual orientation.

The data that we will process for this purpose are:

• Personal and contact data: full name, gender, postal contact information, telephone number and email address, place of residence, nationality and date of birth, language for communications, identification document.
• Data obtained from the performance of other processing operations provided for in this policy:
  • Details of the customisation of our products and services based on an analysis of your data: If you have granted your consent for us to customise our commercial offer (processing A above), we will also use the information included in your commercial profile which is set out in processing 6.1. A of the Privacy Policy, so they can send you personalised offers.

Other relevant information: Below, you will find other relevant information on this processing:

• Information on the transfer: If we reach an agreement with a third-party company to disclose your data to them, said recipient company would inform you of this circumstance, as well as the disclosed data and the details of the intended processing.
• Validity of the processing: We will only process your data if you have given us your consent for this, which will remain valid until you withdraw it. If you cancel all your products or services with us but forget to revoke your consent, we will do so automatically.

Processing co-controllers: The following CaixaBank Group companies are joint data controllers of this data processing:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Wivai Select Place, S.A.U.
• ImaginersGen, S.A.
• VidaCaixa, S.A.U. de Seguros y Reaseguros

You can find the essential aspects of the joint processing agreements at: www.caixabank.es/empresasgrupo.

D. Verification of economic activity to comply with the regulation on the prevention of money laundering and the financing of terrorism.

Purpose:The current law on anti-money laundering and countering the financing of terrorism requires CaixaBank to obtain certain economic information from its customers and to conduct a check of that information.

If we have your consent, we will verify the economic activity that you have provided by consulting with the General Treasury of the Social Security Institute.

If we do not have your consent, we may periodically ask you for documentation that confirms the activity reported by you

Processed data:The data that we will process for this purpose are:

• Identification and contact data: full name and national ID card.
• Data held by the Social Security Treasury: identifying and contact data of the payer, data on professional or occupational activity (CNAE, self-employed worker and/or employee, contribution group of the worker)

Other relevant information:Below, you will find other relevant information on this processing:

• Validity of the processing: We will only process your data if you have given us your consent for this, which will remain valid until you withdraw it. If you cancel all your products or services with us but forget to revoke your consent, we will do so automatically.

Party responsible for the data processing:The controller responsible for this data processing is CaixaBank. This processing is not carried out as joint controllers.

6.2 PROCESSING NECESSARY FOR EXECUTING CONTRACTUAL RELATIONSHIPS

The legal basis for this data processing is the fact that it is necessary to manage the contracts you request or to which you are a party, or to apply, if you so request, pre-contractual measures, in accordance with the provisions of Article 6.1.b) of the General Data Protection Regulation (GDPR).

Therefore, these are necessary procedures for you to establish and maintain Contractual Relations with us. If you were to oppose this, we would end these relationships, or would be unable to establish them if these have not yet taken effect.

The processing necessary to implement contractual relations are indicated below from (A) to (C). We will point out for each of them: the description of the purpose (Purpose), the details of the processed data (Processed data), where appropriate, information on the use of profiles (Use of Profiles), other necessary information related to the processing (Other relevant information) and whether or not these processing tasks are carried out under a regime of shared responsibility with other companies of the CaixaBank Group (Co-controllers / Data controller).

Arrangement, maintenance and execution of Contractual Relationships

Purpose: The purpose of this data processing is to arrange and maintain Contractual Relationships that we may establish together, including the processing of requests or mandates, procedures prior to contracting (pre-contractual relationships) and the establishment of measures to ensure compliance with the contracts you have with us, where applicable managing data recovery.

This data processing entails collecting the information needed to establish the relationship or manage the request, assess the suitability of contracting and process the required information for proper maintenance and performance of contracts.

The processing operations carried out in the arrangement, maintenance and performance of Contractual Relationships are:

• Collection and registration of the data and documents needed to contract the requested products
• Formalising the signing of product and service contracts
• Manage the operation of the products and services that you have taken out from us, which includes responding to your operational queries, managing any associated incidents, documenting and verifying accounting entries for charges and payments for the products, the sending of operational communications, as well as any other processes that are necessary to comply with the commitments made to take out specific products or services, such as loyalty programmes, discounted fees or interest rates, and specific offers.
• Verify and, where applicable, confirm your ownership of your accounts in response to requests to direct debit charges and payments from providers of services or utilities with which you have or are going to initiate a commercial relationship, in order to avoid damages resulting from mistakes in the direct debit of said charges or payments.
• Adjusting measures to resolve defaults that may arise, including: early debt collection management, communication, where applicable, to external agencies for collection actions, communication, where applicable, of data to credit information systems, filing, where applicable, of lawsuits and monitoring thereof, the identification and monitoring of situations of insolvency proceedings, the review and assessment of dations in payment or files covered by the Code of Good Practices of Royal Decree-Law 6/2012, of 9 March, on urgent measures for the protection of mortgage debtors without resources, and the review and assessment of portfolio sales.

Types of data processed: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data
• Data about your professional or work activity, and socioeconomic data
• Sensitive data regarding situations of vulnerability
• Biometric data
• Data on legal capacity
• Data on particular communication needs
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data on any communication with you
• Data obtained from the performance of other processing operations provided for in this policy:
  • Risk assessment or scoring data (processing defined under heading 6.2.C).
• Data obtained from the execution of statistical models
• Data on credit information systems
• Equifax RISK SCORE information
• CIRBE data:
• Data held by the General Social Security Treasury
• Data related to international sanctions
• Information obtained from sources accessible to the public, and public registers

Other relevant information: Below, you will find other relevant information on this processing:

• Automated decisions: When you apply for a product or service, we will apply mechanisms to verify that, depending on your objective characteristics (e.g. your employment status, your MiFID profile or your tax residence), the product is or is not suitable for your needs, interests and objectives.
  Setting these objective categories derives from regulatory obligations in the area of governance of financial products and instruments and is included in the institution’s internal product design policies.
  In the event that the product is not suitable, you will not be able to take out the contract, and your application will be automatically rejected based on the fact that its objective characteristics coincide with those of the specific product you wish to take out. For example, if you are a retail customer for the purposes of MiFID, you will not be able to buy a product whose objective category is for institutional professionals.
  You may challenge the automated decision or exercise your right not to be subject to a decision based solely on automated processing by getting in touch directly with CaixaBank through the channels stated in section 4 of this policy.

• Disclosure to credit information systems: This processing may entail the disclosure to credit information systems of the data on the debt or non-payment situation, which would be performed based on our legitimate interest in accordance with the details set out in section 6.4.D
• Obtaining contact details: This processing may involve collecting further contact details from you by external debt recovery agencies, which will be conducted based on our legitimate interest, as detailed in section 6.4.E below.
• Application or tracking of commitments, discounts or preferential conditions: if you take out a product or service that requires complying with certain requirements, we inform you that we will process the data needed to verify your continued eligibility. We likewise inform you that if there are joint account holders, the other holders with whom you share accounts may indirectly know the information about your compliance with said requirements.
  For example, if you take out a product or service that gives you the right to receive a discount for belonging to a certain professional group, such as healthcare or law enforcement, we will verify during our contractual relationship that you are still a member of that group. In addition, if you share a product or service with other holders, they may know that you satisfy this characteristic when they see the discounts applied to the account.

Data controller: The controller responsible for this data processing is CaixaBank. This processing is not carried out as joint controllers.

In addition, if the product or service that you take out is marketed by CaixaBank, but is issued by another company, this company will also be a controller responsible for your data processing in that contract.

This means that if you take out a pension plan or insurance policy issued by VidaCaixa or SegurCaixa through CaixaBank, as a Banking-Insurance Operator, or, as an agent, a card issued by CaixaBank Payments & Consumer, these companies will be the controllers of your data since they are the issuers of the products and are responsible for them.

The contractual documentation for each product or service provides detailed information on this.

B. MiFID classification and analysis of suitability and convenience when contracting investment products.

Purpose: The purpose of this data processing is to classify you as a retail customer, professional or eligible counterparty pursuant to the provisions of financial market regulations and the subsequent assessment of your suitability and appropriateness in the contracting of products, investment services and savings-investment insurance.

This data processing involves collecting the necessary information to be able to classify you and provide you with the appropriate level of protection in accordance with your level of information, training and experience in taking out financial instruments, and to assess the suitability of taking out certain investment products and services and savings-investment insurance that you wish to take out and to monitor, where applicable, the suitability of the product.

Types of data processed: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data
• Data about your professional or work activity, and socioeconomic data
• Data on legal capacity
• Contracting data
• Basic financial data
• Data on any communication with you

Use of profiles: this processing involves drawing up an investment risk profile which we use exclusively to be able to provide you with recurring advisory and discretionary portfolio management services, as well as to monitor the suitability of the product taken out by you, pursuant to the obligations imposed on our activity by Royal Legislative Decree 4/2015, of 23 October, approving the Consolidated Text of the Securities Market Act.

• Purpose of the profile: The purpose of the profile used is to assign a level of risk aversion to the customer when making investments, based on the bank’s assessment.
• Consequences: The assigned profile is a guideline for the Bank to provide discretionary portfolio management and recurrent advisory services within the limits established by this risk profile.
• Logic: A customer profile is calculated using the identification data and the answers to the suitability test. A simple mathematical formula is applied to this data by which the customer is assigned a level of risk aversion based on their investment objectives and financial capacity.

Other relevant information: Below, you will find other relevant information on this processing:

• Regulatory obligations: This processing is performed based on the provisions of the regulations applicable to these products and services:
• Legislative Royal Decree 4/2015 of 23 October approving the consolidated text of the Securities Market Act (SMA), and;
• Royal Decree-Law 3/2020 of 4 February on urgent measures transposing into Spanish law a number of European Union directives in the field of public procurement in certain sectors: on private insurance policies; on pension plans and funds; on taxation and tax litigation.

Data controller: The controller responsible for this data processing is CaixaBank. This processing is not carried out as joint controllers.

C. Analysis of credit worthiness and ability to repay when issuing credit and monitoring your risk

Purpose: The purpose of this data processing is to assess whether applicants and/or holders of products or services that involve the repayment of money advanced, or the deferred payment of instalments, have sufficient solvency and repayment capacity to meet the payments envisaged in the operations that are analysed and/or have been granted.

The detailed information on the creditworthiness and repayment capacity analyses to be conducted when you apply for or have already been granted operations involving the repayment of money advanced, or the deferred payment of instalments, will be disclosed to you in detail in the operation application to be signed when you apply for such operations or, in the case of operations that have already been granted, in the corresponding contract.

The processing conducted in the analysis of creditworthiness and repayment capacity of applicants and/or holders of products that involve financing, is as follows:

• Analysing the repayment capacity of Applicants at the time of granting new credit operations.
• Analysing the creditworthiness of the holders of products that involve financing throughout the life of the credit operations that you maintain with us, for internal risk management and to prevent their default.

Types of data processed: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data
• Data about your professional or work activity, and socioeconomic data
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data obtained from the execution of statistical models
• Data on credit information systems
• Equifax RISK SCORE information
• CIRBE data:
• Demographic and socioeconomic data
• Data on properties and vehicles associated with the person
• Information obtained from sources accessible to the public, and public registers

Use of profiling: For such processing we will draw up a risk profile which we will use exclusively for the analysis of the creditworthiness and repayment capacity of applicants and/or holders of products that involve financing.

• Purpose: The purpose of the profile used is to determine the probability of default when granting loans, to assess whether it is appropriate to adjust the risk of current transactions and to calculate the provisions and capital requirements applicable to CaixaBank.
• Consequences: risk profiles are tools to assist in decisions on whether or not to grant risk operations, or to adjust the limits on the operations granted.
  In the case of operations requested through electronic channels, they may involve automated decisions to grant or not, as set out in the section “Other relevant information” below.
• Logic: The applicant’s profile will use the information set out in the previous section “Types of data processed”.
  Using this basic information, a specific value is attributed to each of these data of the data subject, the sum of which will give a score relating to the probability of default or non-compliance with monetary obligations.
  The importance of each variable and its influence on the end result is calculated in advance through mathematical models and is included in the bank’s internal risk policies.

Other relevant information: Below, you will find other relevant information on this processing:

• Automated decisions: For the analysis of creditworthiness and repayment capacity, in applications submitted through electronic channels, we will use automated processes to verify whether, depending on your characteristics and the information you have provided us, the financing is or is not appropriate.
  In the event that the financing requested is not suitable for your repayment capacity based on the calculations of the profiles used, you will not be able to take out the product and your application will be automatically rejected in this channel.
  You may resubmit a transaction request at one of our branches, where the analysis does not include automated decisions, challenge the automated decision or exercise your right not to be subject to a decision based solely on automated processing by contacting CaixaBank directly over the channels set out in section 4 of this policy.

• Regulatory obligations: Further to the fact that this processing is necessary in order to perform the contractual relationship that we have with you, this processing is carried out pursuant to the provisions of Law 44/2002 on Financial System Reform Measures, Law 10/2014 of 26 June on the Regulation, Supervision and Solvency of Credit Institutions, and other obligations and principles of the regulations on responsible lending, to which we, as a credit institution, are subject.
• Enquiries to credit information systems: The enquiries to credit information systems that are necessary for the analysis of creditworthiness will be made by us based on our legitimate interest, which is set out in section 6.4.D.
• Enquiry and communication to the CIRBE: Enquiries to the CIRBE necessary for solvency analysis are performed pursuant to the provisions of Law 44/2002, of 22 November, on Financial System Reform Measures. The data required to identify persons with whom credit exposures are held will also be communicated, based on the same rule.

Co-controllers of the processing: The sectoral regulations on prudential and solvency requirements, which apply to the financial sector, mean that the granting and monitoring of credit operations to customers is conducted jointly between all companies that comprise the same consolidated group of credit institutions.

Therefore, the following CaixaBank Group companies are joint data controllers of this data processing.

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Telefónica Consumer Finance, E.F.C., S.A.
• CaixaBank Equipment Finance, S.A.U.
• Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
• Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
• Hipotecaixa 2, S.L.U.
• Banco BPI, S.A.
• Wivai Select Place S.A.U.

You can find the essential aspects of the joint processing agreements at: www.caixabank.es/empresasgrupo.

6.3 PROCESSING NECESSARY FOR COMPLIANCE WITH REGULATORY OBLIGATIONS

The legal basis for this data processing is the fact that it is necessary to comply with a legal obligation placed on us, in accordance with Article 6.1.c) in the General Data Protection Regulation (GDPR).

Therefore, they are necessary so that you can establish and maintain Contractual Relationships with us. If you don't want us to conduct this processing, we would be required to end these relationships, or we would be unable to establish them if these have not yet taken effect.

The data processing operations needed to comply with regulatory obligations are indicated below from (A) to (D). We will point out for each of them: the description of the purpose (Purpose), the details of the processed data (Processed data), where appropriate, information on the use of profiles (Use of Profiles), other necessary information related to the processing (Other relevant information) and whether or not these processing tasks are carried out under a regime of shared responsibility with other companies of the CaixaBank Group (Co-controllers / Data controller).

A. Processing to comply with anti-money laundering and terrorist financing regulations

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by Act 10/2010, on the Prevention of Money Laundering and the Financing of Terrorism.

The data processing operations conducted to comply with regulations on money laundering and terrorist financing prevention are:

• Collecting information and documentation that allows us to comply with due diligence and know-your-customer measures;
• Verifying the information that you provide us with;
• Verifying whether you hold or have held positions of public responsibility;
• Categorising their level of risk, in accordance with which the various due diligence measures based on the Prevention of Money Laundering and Terrorist Financing regulations will be applied;
• Analysing the operations executed through CaixaBank, in accordance with legal obligations;
• Verifying your relationship with companies and, if necessary, your controlling position within the ownership structure of these, and;
• Reporting and updating their information on a monthly basis in the Financial Ownership File, which is the responsibility of the Executive Service of the Spanish Commission for the Prevention of Money Laundering and Monetary Offences (SEPBLAC).

Types of data processed: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data
• Data about your professional or work activity, and socioeconomic data
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data on any communication with you
• Data obtained from the performance of other processing operations provided for in this policy:
  • Risk assessment or scoring data (processing defined under heading 6.2.C).
• Data obtained from the execution of statistical models
• Data on directors, functional officers and corporate relationships:
• Data held by the General Social Security Treasury
• Information obtained from sources accessible to the public, and public registers

Use of profiling: This processing involves drawing up a profile we use exclusively to adopt the measures imposed on our activity by Law 10/2010, on the Prevention of Money Laundering and the Financing of Terrorism.

• Purpose: The purpose of the profile used is to prevent the execution of operations likely to be subject to money laundering or terrorist financing.
• Consequences: Profiles are tools that help anti-money laundering and terrorist financing prevention units to assess whether or not transactions are susceptible to money laundering or terrorist financing and therefore whether or not to accept them.

Co-controllers of the processing: The following CaixaBank Group companies are joint data controllers of this data processing:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• VidaCaixa, S.A. de seguros y reaseguros
• BPI Vida e Pensões – Companhia de Seguros, S.A.
• Nuevo Micro Bank, S.A.U.
• CaixaBank Asset Management SGIIC, S.A.U
• Telefónica Consumer Finance, E.F.C., S.A.
• Buildingcenter, S.A.U.
• Livingcenter Activos Inmobiliarios, S.A.U.
• Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
• Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
• CaixaBank Wealth Management Luxembourg, S.A.
• CaixaBank Asset Management Luxembourg, S.A.
• BPI Gestão de Ativos, SGOIC, S.A.
• Banco BPI, S.A.
• Bankia Habitat, S.L.U.
• Puerto Triana, S.A.U.

You can find the essential aspects of the joint processing agreements at: www.caixabank.es/empresasgrupo.

B. Processing to comply with tax regulations

Purpose: The purpose of this processing is to adopt the measures imposed on our business by Law 58/2003 of 17 December on General Taxation, Royal Decree 1021/2015 of 13 November that establishes the obligation to identify the tax residence of individuals who hold the ownership or control of certain financial accounts and to report on them in the field of mutual assistance, and other current tax regulations.

The processing operations carried out to comply with tax regulations are:

• Collecting tax-related information and documentation established by tax regulations
• Notifying the public administration of your tax-related information, when this is established by the regulations or required by the authorities.

Types of data processed: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data
• Data about your professional or work activity, and socioeconomic data
• Contracting data
• Basic financial data

Co-controllers of the processing: The following CaixaBank Group companies are joint data controllers of this data processing:

• CaixaBank, S.A.
• VidaCaixa, S.A. de seguros y reaseguros
• Nuevo Micro Bank, S.A.U.
• CaixaBank Asset Management SGIIC, S.A.U

You can find the essential aspects of the joint processing agreements at: www.caixabank.es/empresasgrupo.

C. Processing for compliance with obligations arising from international policies on financial sanctions and countermeasures

Purpose: The aim of this processing is to adopt the measures imposed on our activity in programmes of international financial sanctions and countermeasures adopted by the European Union and the Kingdom of Spain.

In order to comply with international financial sanctions and countermeasures programmes, we will verify whether you are included in lists of persons or entities included in laws, regulations, guidelines, resolutions, programmes or restrictive measures with regard to international financial sanctions and countermeasures, imposed by the United Nations, by the European Union, including the Kingdom of Spain.

Types of data processed:  The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data
• Data related to international sanctions

Other relevant information: Below, you will find other relevant information on this processing:

• Sanctions programmes: CaixaBank consults programmes of international economic/financial sanctions adopted by the Office of Financial Sanctions Implementation (OFSI) of His Majesty's Treasury (HMT) of the UK and the U. S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) based on our legitimate interest, as detailed in section 6.4.H.

Processing co-controllers: The following CaixaBank Group companies are joint data controllers of this data processing:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• VidaCaixa, S.A. de seguros y reaseguros
• Nuevo Micro Bank, S.A.U.
• CaixaBank Asset Management SGIIC, S.A.U
• Telefónica Consumer Finance, E.F.C., S.A.
• Buildingcenter, S.A.U.
• Livingcenter Activos Inmobiliarios, S.A.U.
• Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
• Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
• Banco BPI, S.A.
• CaixaBank Wealth Management Luxembourg, S.A.
• Bankia Habitat, S.L.U.
• CaixaBank Equipment Finance, S.A.
• Puerto Triana, S.A.U.
• CaixaBank Asset Management Luxembourg, S.A.
• BPI Gestão de Ativos, SGOIC, S.A.
• BPI Vida e Pensões – Companhia de Seguros, S.A.

You can find the essential aspects of the joint processing agreements at: www.caixabank.es/empresasgrupo.

D. Processing to handle complaints and claims.

Purpose: The purpose of this processing is to attend to queries, complaints and claims made to CaixaBank, according to the regulations applicable to its status as a financial institution: specifically, Act 44/2002 of 22 November, as well as Order ECO/73/2004, which makes it compulsory to have a customer care service available to handle complaints and claims from financial users.

In turn, Act 3/2018 of 5 December on Personal Data Protection and Digital Rights Guarantee obliges the data controller, in this instance CaixaBank, to deal with claims made to its Data Protection Officer, as well as handle rights with regard to data protection that interested parties may exercise.

Processing operations that are carried out to comply with complaints and claims regulations comprise:

• Receiving of financial user complaints or claims by the CaixaBank Customer Service Department;
• Responding to the submitted complaint or claim within the set deadline, and;
• Protecting data protection rights and queries made to the CaixaBank Data Protection Offices, as well as any necessary activities to collaborate with the Supervisory Authority (Spanish Data Protection Agency)

Types of data processed: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data
• Data on legal capacity
• Data on particular communication needs
• Sensitive data regarding situations of vulnerability
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data on any communication with you
• Browsing data
• Data on credit information systems
• CIRBE data:

Data controller: The controller responsible for this data processing is CaixaBank. This processing is not carried out as joint controllers.

6.4 PROCESSING BASED ON THE LEGITIMATE INTEREST OF CAIXABANK

The legal basis for such processing is the fulfilment of the legitimate interests of CaixaBank or of a third party, provided that on those interests do not prevail over your own interests, or your fundamental rights and freedoms, in accordance with the provisions of Article 6.1.f) of the General Data Protection Regulation (GDPR).

The performance of such processing will involve that we will have carried out a weighting between your rights and our legitimate interest in which we will have concluded that the latter prevails. Otherwise, we would not carry out the processing. You can view the analysis of the weighting of the legitimate interest of a processing operation at any time by sending your request to the email address [email protected].

We also remind you that you have the right to object to data processing based on legitimate interest.If you believe that CaixaBank and, where applicable, the co-controller companies, should take into account any particular situation or other reasons that may justify us ceasing to process your data, you may request this easily and free of charge through the channels indicated in section 4.

We specify such processing below, from (A) to (H). We will point out for each of them: the Legitimate Interest of CaixaBank (Legitimate Interest of CaixaBank) the description of the purpose (Purpose), the type of data processed (Types of data processed), where applicable, information on the use of profiles (Use of profiles), other necessary information about the processing.

(Other relevant information) whether they are procedures conducted under the system of co-responsibility with other companies of the CaixaBank Group (Co-controllers/Data Controller),

A. Classification of customers

Legitimate interest of CaixaBank: CaixaBank’s legitimate interest is to organise the bank’s human and material resources in order to serve its customers correctly and efficiently.

Purpose: The purpose of this processing is to classify customers based on simple parameters, such as their income or balances deposited with the bank, salary or other direct debit deposits, age, address or product operation contracted, and the consequent organisation of the bank’s human and material resources in order to attend to them correctly.

The processing operations performed to classify CaixaBank customers are as follows:

• Grouping customers into categories and businesses into which the Bank’s commercial activity is divided, and;
• Assigning each customer a customer service centre and/or an employee of the Bank, who will act as their adviser.

Types of data processed: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data
• Data about your professional or work activity, and socioeconomic data
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• FEGA/SEGA data
• INFORMA database data
• Demographic and socioeconomic data: Statistical data associated with geographical areas, age sectors or professional activity sectors, not with particular individuals.

Other relevant information: Below, you will find other relevant information on this processing:

• Right to object to processing:If you understand that CaixaBank should take into account a particular situation or other grounds which justify that we should cease to perform this data processing, you can request as such easily and free of charge through the channels we have set out in section 4.

Data controller: The controller responsible for this data processing is CaixaBank. This processing is not carried out as joint controllers.

B. Management of the performance of employees, agents and suppliers

Legitimate interest of CaixaBank: The legitimate interest of CaixaBank for this data processing is to manage relations with employees and suppliers based on the analysis of their professional performance.

Purpose: The purpose of this processing is to monitor the performance, goals and professional challenges of employees, agents and suppliers, by analysing the operations and contracts that they have with customers.

Types of data processed: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data
• Contracting data
• Basic financial data

Other relevant information: Below, you will find other relevant information on this processing:

• Right to object to processing:If you understand that CaixaBank should take into account a particular situation or other grounds which justify that we should cease to perform this data processing, you can request as such easily and free of charge through the channels we have set out in section 4.
• Ancillary use of your information: These data processing procedures deal with customer information, but their information is accessory to their purpose. These processing operations have no effect nor consequence for the data subject.

Data controller: The controller responsible for this data processing is CaixaBank. This processing is not carried out as joint controllers.

C. Fraud prevention

Legitimate interest of CaixaBank: The legitimate interest of CaixaBank and the jointly liable companies set out in this paragraph to perform this processing is to prevent fraud that would entail financial or reputational losses for the bank or its customers.

Purpose: The aim of this processing is to adopt the necessary steps to avoid malicious transactions or behaviour before they are committed, or to reverse their effects if they do take place, by identifying transactions or behaviour suspected of being an attempt to commit fraud against the bank or its customers.

The processing operations carried out in the fight against fraud are:

• Verify the identity of customers who interact with the bank to prevent fraudulent access to information or transactions.
• Review and analyse the contracting and transactions that are carried out in our systems to protect our customers from fraud on any channel and prevent cyberattacks.
• Crosscheck your identity and the validity of provided identity documents with national and international databases managed by security forces and similar organisations such as INTERPOL (International Criminal Police Organization) to verify that you are the owner of the identity document provided and to protect you against identity fraud (where somebody pretends to be you).
• Check the information included in the PAYGUARD Fraud Prevention Service so as to detect fraudulent accounts and, where applicable, report any fraudulent transactions.

Types of data processed: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data
• Data about your professional or work activity, and socioeconomic data
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data on any communication with you
• Browsing data
• Geographical data
• Data obtained from the performance of other processing operations provided for in this policy:
  • Risk assessment or scoring data (processing defined under heading 6.2.C).
• Data obtained from the execution of statistical models

Use of profiling: This processing involves producing a profile of your normal transactions and activities that we exclusively use to spot unusual situations that may point to attempted fraud.

• Purpose: The purpose of the profile is to identify transactions or interactions that are unusual or not in line with your behaviour profile that could be an attempt to commit fraud or gain fraudulent access to information.
• Consequences: Profiles are tools that help to identify fraudulent transactions. The use of these profiles requires the implementation of measures, including reviewing transactions in detail, blocking transactions or rejecting their automatic processing.

Other relevant information: Below, you will find other relevant information on this processing:

• Automated decisions: For the purpose of fraud prevention, we will use automated processing to try to detect fraudulent transactions.
  In the case of transactions that cannot be reversed once processed, such as immediate payments or transfers, the automated processing will block any suspicious transactions and prevent them from being implemented.
  You may resubmit a transaction request at one of our branches, where the analysis does not include automated decisions, challenge the automated decision or exercise your right not to be subject to a decision based solely on automated processing by contacting CaixaBank directly over the channels set out in section 4 of this policy.

• Right to object to processing:If you understand that CaixaBank and, where applicable, the co-processor companies, should take into account a particular situation or other grounds which justify that we should cease to perform this data processing, you can request as such easily and free of charge through the channels we have set out in section 4.
• PAYGUARD Fraud Prevention Service: CaixaBank is a member of the PAYGUARD Fraud Prevention Service, which includes the country's leading financial institutions and is managed by Sociedad Española de Sistemas de Pago, S.A. (Iberpay).
  The service aims to minimise the levels of fraud related to movements between accounts by detecting, investigating, monitoring and reporting, where applicable, suspicious and fraudulent transactions involving customers' current or savings accounts. The legal basis for the processing is the legitimate interest in preventing fraud that could affect these transactions.
  CaixaBank may include data related to the IBAN number and identifying details of the holder of the account where the suspicious or fraudulent transaction has been detected in the PAYGUARD Fraud Prevention Service. You may view the updated list the powers participating companies at: www.iberpay.es
  The data will be kept for a maximum of thirty days for suspicious transactions and one year for confirmed fraudulent transactions.
  The institutions participating in the PAYGUARD Fraud Prevention Service are jointly responsible for your data. You may request the main aspects of the joint liability agreement by sending an email to www.caixabank.com/delegadoprotecciondedatos and also exercise your rights regarding the processing of your data over any of the channels indicated in section 4. Exercising rights and filing complaints through the Spanish Data Protection Authority (AEPD).

Processing co-controllers: The following CaixaBank Group companies are joint data controllers of this data processing:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Global Payments Moneytopay, EDE, S.L.

You can find the essential aspects of the joint processing agreements at: www.caixabank.es/empresasgrupo.

D. Enquiry and communication with credit reporting systems within the framework of the request and subsequent management of products involving financing

CaixaBank's legitimate interest: CaixaBank’s legitimate interest in performing this processing is to avoid non-payments and defaults by applicants or holders of products involving financing.

Purpose: The purpose of this processing is to assess the creditworthiness and repayment capacity in order to (i) ensure adequate compliance by the data subjects with the payment obligations arising from the operations granted, (ii) monitor and manage the operations granted, and (iii) prevent and manage non-payment and default situations.

The processing operations performed in the consultation and communication to solvency files are:

• Querying your information: Prior to granting operations involving financing or in order to monitor and manage the risk of the credit granted, the databases of the following solvency and credit files will be reviewed: (i) Asnef File; (ii) Badexcug file, and;

• Communicating your personal data: If you fail to pay any of the monetary obligations that you have assumed with us with regard to our Contractual Relationships, we may inform, under the conditions and requirements set forth in applicable regulations, the details of the default to the same solvency and credit files.

Types of data processed: The types of data that we will process for this purpose are as follows:

• Identification and contact data
• Contracting data
• Basic financial data
• Data on credit information systems

Other relevant information: Below, you will find other relevant information on this processing:

• Right to object to processing:If you understand that CaixaBank should take into account a particular situation or other grounds which justify that we should cease to perform this data processing, you can request as such easily and free of charge through the channels we have set out in section 4.

Data controller: CaixaBank is the controller for the part of the processing relating to querying credit information systems. CaixaBank and the solvency files Asnef and Badexcug are the joint controllers of the part of the processing relating to communication to credit information systems. The contact details of the credit information systems are listed below:

• Asnef file: Asnef Equifax Servicios de Información sobre Solvencia y Crédito. Apartado de Correos 10546, 28080 Madrid ([email protected])
• Badexcug file: Apartado de Correos 1188, 28108 Alcobendas ([email protected])

E. Obtaining additional contact details in order to manage non-payments

CaixaBank's legitimate interest: CaixaBank’s legitimate interest is to recover debt in situations of non-payment, for which it is necessary to keep customers’ contact details up to date.

Purpose: The purpose of this processing is to collect additional contact information from customers in order to contact them in the event of a breach of their contractual obligations.

Additional contact details are obtained from public lists (white pages, yellow pages and Lleida.net) and private lists (Equifax or Detectives) using debt recovery agencies, always guaranteeing that the data collected complies with the principle of quality, and that it is obtained lawfully.

Types of data processed: The types of data that we will process for this purpose are as follows:

• Identification and contact data
• Information obtained from sources accessible to the public, and public registers

Other relevant information: Below, you will find other relevant information on this processing:

• Right to object to processing:If you understand that CaixaBank should take into account a particular situation or other grounds which justify that we should cease to perform this data processing, you can request as such easily and free of charge through the channels we have set out in section 4.

Data controller: The controller responsible for this data processing is CaixaBank. This processing is not carried out as joint controllers.

F. Preparing management reports and mathematical models

CaixaBank's legitimate interest: CaixaBank’s legitimate interest in performing this processing is to design, organise and optimise its business and commercial activity as efficiently as possible, for which it is necessary to have reports on the management and activity of the company and the market, together with mathematical algorithms for the advanced analysis of information.

Purpose: The purpose of this processing is to draw up reports on the company’s activity and its relationship with the market, on the composition and evolution of its customer base and on the suitability and effectiveness of its products and services. These enable its efficient direction and management and help it to create and maintain statistical and mathematical models that enable the processing detailed in this policy that require advanced calculations and analysis of the information to be carried out.

Types of data processed The data that we will process for this purpose are those that have been pre-identified in each of the processing operations, applying, where possible, anonymisation or pseudonymisation techniques in order to guarantee that these processing operations have no impact on the rights of the data subjects, and that the result of the processing operations are reports with statistical or aggregate information, or mathematical or algorithmic formulas.

Other relevant information: Below, you will find other relevant information on this processing:

• Right to object to processing:If you understand that CaixaBank should take into account a particular situation or other grounds which justify that we should cease to perform this data processing, you can request as such easily and free of charge through the channels we have set out in section 4.
• Ancillary data processing: Data processing to create statistical reports and mathematical models is not intended for the processing of data in relation to individual customers.
  This data processing is necessary, but ancillary, to the main purpose, which is to draw up management reports, or algorithmic or mathematical formulas, and is therefore performed using, whenever possible, anonymisation techniques or, failing that, pseudonymisation and minimisation of the information processed.
  These processing operations do not have any individual effect or consequence on the data subjects.

Data controller: The controller responsible for this data processing is CaixaBank. This processing is not carried out as joint controllers.

G. Sending of commercial communications based on a basic commercial profile

To whom does this processing apply?: We will only perform this processing with your data if:

• you have not informed us of your preferences regarding the commercial processing described in sections 6.1 A, 6.1 B. and 6.1 C. of this Policy
• we have sent you a personalised communication informing you of this; and
• you have not exercised your right to object.

CaixaBank'slegitimate interest: The legitimate interest of CaixaBank to carry out this processing is to promote the marketing of the products and services within its portfolio and to increase customer loyalty.

Purpose: The purpose of the processing is to send you communications on similar products and services to those which you have contracted with CaixaBank on the basis of a basic commercial profile that we will generate using your data.

Types of data processed: the types of data that we will process for this purpose are as follows:

• Personal and contact data: full name, gender, postal contact information, telephone number and email address, place of residence, nationality and date of birth, language for communications, identification document.
• Information about your professional or work activity, and socioeconomic data: professional or work activity, income or remuneration, family unit, education level, assets, and fiscal and tax data.
• Contracting data: contracted or requested products and services, status of the holder, authorised parties or representative for the contracted product and service, categorisation according to the regulation on stock markets and financial instruments (MiFID category), information on investments made and their evolution, and information and movements of finance transactions.
• Basic financial data: current and historic balances of products and services and payment history regarding contracted services and products.
• Data on your shareholder status, or not, of CaixaBank:if you hold, or not, CaixaBank shares.
• Data on any communication with you: data obtained from chats, walls, video conferences, telephone calls or any other equivalent means of communication.
• Own browsing data: If you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing through our websites or mobile applications and the browsing you carry out on such sites or applications: browsing history (websites visited and clicks on content), device ID, advertising ID, IP address and installed version of the application.
• Geographical data: The geolocation data of your mobile device provided through the installation and/or use of our mobile applications, when so authorised in the set-up of the application itself.
• Data obtained from the performance of other processing operations provided for in this policy:
  • Risk assessment or scoring data: in operations involving financing or payments in instalments, we will infer your payment or non-payment capacity or the risk limits by applying statistical-mathematical models that are calculated using your data (processing defined in section 6.2.C).
  • Data on classification of customers. (processing defined in section 6.4.A).
• Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to customer data to deduce consumer habits, preferences or propensity to contract or classify customers.
• Demographic and socioeconomic data: statistical data not associated with specific persons but with geographical areas, age sectors or professional activity sectors, which we will use in relation to the information of the clients.

Use of profiling: For this processing, we will generate a basic commercial profile using only the data mentioned above:

• Purpose of the profile: The purpose of the profile is to identify the products and services we think may interest you, in order to offer you these specific contracting options instead of sending you generic commercial offers. 

• Consequences: the consequence of using the basic commercial profile is to send you offers on products and services marketed by CaixaBank, customised on the basis of the data that we have indicated. We do not use this profiling, under any circumstances, to refuse any product or service, or to set credit limits.
  Opposition to this processing will not prevent, limit or condition your access to our full catalogue of products and services that is always available to you.
  If you apply for any product or service, your application will be assessed with you, in accordance with our standard procedures, without the refusal of this processing affecting said assessment.
  The non-acceptance of this processing will not prevent us from contacting you in order to carry out the operational management of the products and services you have contracted. 

• Logic: This basic commercial profile is calculated based on the data indicated in the previous section "Processed data", within a timeframe of 13 months. These data are subject to the application of mathematical formulas obtained from past behaviours observed in customers of similar characteristics, with a view to deducing the customer's propensity to consume. These mathematical formulas allow us to determine the importance of all the data processed in the final result of the customer's profile.
  This final result is the probability that the customer will be interested in a product or service.

 Other relevant information: Below, you will find other relevant information on this processing:

• Right to object to processing: You have the right to object to data processing based on legitimate interest.
  You can do this in a simple manner, free of charge, via the following link www.caixabank.es/ile or calling the number 93 102 82 89.
  Furthermore, you have at your disposal the usual channels indicated in section 4.
  If you decide to exercise your right to object, we will cease processing without requiring you to give us any reason why we should cease processing your data.

• Preliminary check of your ability to pay: When the offers of products or services we want to offer you involve financing or the payment of instalments, we will first verify your ability to pay.
  This preliminary check will be carried out through the processing detailed in section 6.2.C of this Privacy Policy,  in order to offer you a credit limit and a repayment term suited to the knowledge that we have regarding your financial situation, in accordance with principles of accountability in the offering of financing products demanded by the Bank of Spain, and by the regulation on prudential supervision and solvency of credit institutions and of responsible lending.

• Validity of the processing: This processing will become effective as of 15 October 2022. In any case, you will receive a personalised informative communication beforehand.
  We will stop carrying out this processing, with no other additional requirement, in any of these two circumstances:

• • When we contact you to request your consent to the commercial processing by the CaixaBank Group companies described in sections 6.1. (A, B and C), regardless of whether you authorise them or you reject them.
  • In the event that you exercise your right to object.

Data controller: The controller responsible for this data processing is CaixaBank. This processing is not carried out as joint controllers.

H. International financial sanctions and countermeasures policies of OFSI and OFAC

CaixaBank's legitimate interest: The legitimate interest of CaixaBank and the co-controller companies listed in this section in carrying out this processing is to comply with the international financial sanctions and countermeasures programmes of the United States and the United Kingdom, so as to be able to carry out their business activities in those countries. 

Purpose: The purpose of this processing is the adoption of the measures laid out in the programmes of international financial sanctions and countermeasures adopted by the Office of Financial Sanctions Implementation (OFSI) of His Majesty's Treasury (HMT) of the UK and the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).

To comply with these international financial sanctions and countermeasures programmes, we will verify whether you are listed as a person or entity covered by the restrictive measures of these two bodies.

Types of data processed:  The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data
• Data related to international sanctions

Other relevant information: Below, you will find other relevant information on this processing:

• Right to object to processing:If you understand that CaixaBank should take into account a particular situation or other grounds which justify that we should cease to perform this data processing, you can request as such easily and free of charge through the channels we have set out in section 4.

Processing co-controllers: The following CaixaBank Group companies are joint data controllers of this data processing:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• VidaCaixa, S.A. de seguros y reaseguros
• Nuevo Micro Bank, S.A.U.
• CaixaBank Asset Management SGIIC, S.A.U
• Telefónica Consumer Finance, E.F.C., S.A.
• Buildingcenter, S.A.U.
• Livingcenter Activos Inmobiliarios, S.A.U.
• Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
• Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
• Banco BPI, S.A.
• CaixaBank Wealth Management Luxembourg, S.A.
• Bankia Habitat, S.L.U.
• CaixaBank Equipment Finance, S.A.
• Puerto Triana, S.A.U.
• CaixaBank Asset Management Luxembourg, S.A.
• BPI Gestão de Ativos, SGOIC, S.A.
• BPI Vida e Pensões – Companhia de Seguros, S.A.

You can find the essential aspects of the joint processing agreements at: www.caixabank.es/empresasgrupo.

7. Recipients of the data

Controller and joint controller of the data processing

The data we process as a CaixaBank customer is processed by CaixaBank. If the processing is carried out under shared responsibility, it is performed by the companies within the CaixaBank Group, in accordance with that which we have explained for each of the processing events.

Authorities or public institutions

Credit institutions such as CaixaBank and other payment service   suppliers may be legally obliged to provide information on the transactions that we carry out to the authorities or public institutions located in other countries both inside and outside of the European Union. This obligation arises within the framework of the fight against the financing of the terrorism and serious forms of organised crime, and for the prevention of the money laundering, as well as within the framework of the prudential supervision of credit institutions that is carried out by the Bank of Spain and by the European Central Bank.

This obligation may also apply to payment systems and providers of technological services with which we maintain relationships and to which we transfer the data in order to carry out transactions.

Files relating to the fulfilment or breach of monetary obligations

If you fail to pay any of the monetary obligations that you have assumed with us with regard to our Contractual Relationships, we may inform, under the conditions and requirements set forth in applicable regulations, the details of the default to the following credit information systems:

• Asnef file: Asnef Equifax Servicios de Información sobre Solvencia y Crédito. Apartado de correos 10546, 28080 Madrid ([email protected])
• Badexcug file: Apartado de correos 1188, 28108 Alcobendas ([email protected]) Similarly, you may exercise your rights to access, rectify, oppose, erase, limit, transfer your personal data, withdraw your consent and to not be subject to automated decisions, in accordance with the law, before these compliance or non-compliance files at the addresses provided.

Data communication in outsourcing services

We sometimes turn to service providers with potential access to personal data.

These providers offer suitable and sufficient guarantees in relation to data processing, since we carry out a responsible selection of service providers that includes specific requirements in the event that the services involve the processing of personal data.

In addition, when we formalise our relations with these suppliers, we adopt the mechanisms needed to ensure that they comply with the stipulations of the GDPR and LOPD, as well as with the corporate principles of CaixaBank in the area of data protection, approved by the Board of Directors and referenced in section 1 of this Policy.

The classification of services that we can outsource to service providers is as follows:

• Financial back-office services
• Administrative support services
• Audit and consultancy services
• Legal, asset recovery and debt recovery services
• Payment services
• Marketing and advertising services
• Survey services
• Call center services
• Logistics services
• Physical security services
• IT services (system and information security, cybersecurity, information systems, architecture, hosting, data processing)
• Telecommunication services (voice and data)
• Printing, packaging, mailing and courier services
• Information storage and destruction services (digital and physical)
• Maintenance services for buildings, facilities and equipment

8. Data retention periods

Retention to maintain Contractual Relationships

We will process your data while the Contractual Relationships that we have established remain in force.

Retention of the authorisations for the processing based on consent We will process data based on your consent, until you revoke it.

If you cancel all your product and service contracts with the CaixaBank Group companies, but do not revoke the consents that you have provided to us, we will automatically cancel them as soon as you cease to be a customer.

Retention to comply with legal obligations and arrangement, performance and defence of claims

Once the authorisation for use of your data has been revoked through the withdrawal of your consent, or upon completion of the contractual or business relationship that you have established with us, we will keep your data solely to comply with the legal obligations and to allow for the arrangement, exercise and defence of claims during the statute of limitation period relating to the actions arising from contractual relationships.

We will process this data by applying the technical and organisational measures necessary to ensure that they may only be used for such purposes.

Data destruction

We will destroy your data once the retention periods established by the regulations governing the activities of CaixaBank have elapsed, as well as bearing in mind the statute of limitation periods of the administrative and judicial actions derived from the relationships established between you and us.

9. Data transfers outside of the European Economic Area

At CaixaBank we process your data within the European Economic Area and, in general, we hire service providers that are also located within the European Economic Area or in countries that have been declared to have an adequate level of protection.

If we need to use service providers that perform processing outside of the European Economic Area or in countries that have not been declared to have an adequate level of protection, we would ensure processing security and legitimacy of your data is guaranteed.

For this, we demand suitable guarantees from those service providers in accordance with what is established in the GDPR so as to ensure they have, for example, implemented binding corporate standards that guarantee data protection in a manner similar to what is established by European regulations, or that they subscribed to the standard clauses applicable within the European Union. You may request a copy of the appropriate guarantees required by CaixaBank from these suppliers by contacting the Data Protection Delegate at www.caixabank.com/delegadoprotecciondedatos.

10. Automated decisions

Section 6 of this Policy informs you of the processing operations that incorporate automated decisions.

Furthermore, if in the course of the Contractual Relationship you have with us, we should use mechanisms that may make decisions based solely and exclusively on automated processing (i.e. without the involvement of a person) that could produce legal effects on you, or that could significantly affect you (for example, by refusing the contracting of a certain product), we will inform you of this in the contractual documentation of the product or service you have requested from us, together with the rationale by virtue of which the decision is made.

Similarly, at that time, we will adopt measures to safeguard your rights and interests providing you with the right to obtain human intervention, to express your point of view and to challenge the decision.

11. Review

We will undertake a review of this Privacy Policy whenever it becomes necessary to ensure you are duly informed, for example, on the occasion of the publication of new regulations or criteria, or the performance of new processing.

Whenever there are material or substantial amendments to this Privacy Policy, we will notify you in your monthly current account statement and/or through the usual channels.