HOW WE PROCESS YOUR PERSONAL DATA

To manage your relations with us, CaixaBank Payments & Consumer will process your personal data for different purposes, always in accordance with the applicable laws, respecting your rights and with complete transparency.


For this purpose, in this privacy policy, which you can access at any time at https://www.caixabankpc.com/politicaprivacidad, you can see complete details on how we will use your data in the relationships we establish with you.


The main regulations that regulate our processing of your personal data are:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the GDPR)
  • Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights (hereinafter the LOPD)

WHO PROCESSES YOUR DATA

Data controller: The data controller for your personal data for contractual relations and business with us ("Contractual Relations") is CaixaBank Payments & Consumer, E.F.C., E.P., S.A. (CaixaBank Payments & Consumer" or "Entity"), with tax ID A-08980153 and registered address at Avenida de Manoteras No. 20. Edificio París. 28050 Madrid.

Joint data controllers: Furthermore, for certain processing, detailed information for which is provided in this policy, CaixaBank Payments & Consumer will jointly process your data with other companies, jointly deciding on the purposes ("what the data is used for") and the resources used ("how the data is used"), which thus makes them the joint data controllers.

The purposes for which CaixaBank Payments & Consumer will jointly process your data with other companies are described in detail in heading 6 "Types of data processing".


In addition, you will find the list of companies that process your data, as well as the essential aspects of the joint data controller agreements at www.caixabank.es/empresasgrupo. 


DATA PROTECTION OFFICER

 

CaixaBank Payments & Consumer and the CaixaBank Group companies have appointed a Data Protection Officer, who will deal with any matters related to the processing of your personal data and the exercise of your rights.


You can contact the Data Protection Officer to send your suggestions, questions or claims to them at this address: www.caixabank.com/delegadoprotecciondedatos

 


EXERCISING RIGHTS AND FILING COMPLAINTS THROUGH THE SPANISH DATA PROTECTION AGENCY (AEPD)

 

You can exercise your rights to access, rectify, object to processing, delete, restrict processing, transfer your personal data, withdraw consent and not be subject to automated decision-making in accordance with law.

You can exercise these rights through any of the following channels:

  • at CaixaBank, S.A. branches open to the public;
  • by using the options provided in your private space on the website www.caixabankpc.com and in our mobile applications;
  • at the website address: www.caixabankpc.com/ejerciciodederechos; and
  • by sending a letter to Apartado de Correos nº 209, Valencia 46080.

Additionally, if you have any complaints related to the processing of your data, you may address them to the Spanish Data Protection Authority (www.aepd.es).


 DATA PROCESSED

The following data will be used in the processing operations outlined in this Policy.

Not all the data we inform you about is used for all data processing. You can consult the specific type of data processed for each processing operation in section 6, detailing the data processing operations that we perform.

Regarding processing operations subject to your consent, we will also inform you of the details of the specific data used.

The types and details of the data used in the different processing operations described in section 6 are as follows:


Data you provided when registering for a service or during your relationship with us, through interviews or forms.

Data you provided when registering for a service or during your relationship with us, through interviews or forms.

The data types and details are as follows:

  • Identifying and contact details: full name, sex, postal, telephone and email contact information, address of residence, nationality, date of birth, language choice, identification document, image and voice.
  • Details of your professional or work activity and socio-economic information: details related to your job, income or remuneration, household, level of education, assets, tax and fiscal data.
  • Data on legal capacity: details of a person's power to act, established in a court judgment 
  • Details on special communication needs: data provided by disabled persons to allow accessibility to dialogue and operational management.
  • Sensitive data related to situations of vulnerability: data related to personal situations of vulnerability that may be required to implement special measures to manage the contracts requested by customers.

Data observed during the contracting and maintenance of marketed products and services (own or third-party).

The data types and details are as follows:

  • Contract data: contracted or requested products and services, account holder status, authorised or representative of the product and service contracted, categorisation according to regulations regarding securities markets and financial instruments (MiFID category), information on investments made and their evolution and information and transactions related to your financing operations.
  • Basic financial data: current and historical balances of products and services and payment history of contracted products and services.
  • Third-party data from statements and receipts of instant accounts and payment accounts: information on entries and transactions that third-party issuers make to your accounts, including transaction type, issuer, amount, and the concept as it appears on receipts and statements for debit, credit and prepaid card transactions.
  • Details of whether or not you are a CaixaBank shareholder: if you have CaixaBank shares or not.
  • Data on communications maintained with you: data obtained in chats, walls, video conferences, telephone calls or any other equivalent means of communication.
  • Own browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing on our websites or mobile applications and the browsing you perform on them: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address and version installed on the app.
  • Geographic data: details of the location of the businesses where you make card transactions and the geolocation data of your mobile device provided by the installation and/or use of our mobile applications, when authorised by you in the settings for the apps.

Data inferred or deduced by analysing and processing other data.

The data types and details are as follows:

  • Data obtained from other processing activities provided for in this policy: data obtained from the processing activities provided for in this policy, which will be detailed in the corresponding information on the applicable processing operations. 
  • Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to customer data to combat fraud, detect your consumer habits, product preferences and tendencies, classify customers (see Section 6.4. Letter A https://www.caixabank.es/particular/general/privacidad.html), comply with our regulatory obligations, and manage the processing of your products and/or services (processing defined in Section 6.4.E).

Data obtained from public access sources, public records or external sources.

The data types and details are as follows:

  • Data on credit information systems: obtained by consulting the Asnef and Badexcug credit rating services, which provide information on debts, financial solvency and credit (debtor, creditor and debt).
  • Details of the Equifax RISK SCORE: In financing or instalment operations, we will use the result provided by this system to forecast the probability of default at 12 months, which is calculated by Equifax by applying statistical and mathematical models to your data (DNI/NIE, postcode of residence and data in credit information systems).
  • CIRBE data: we will check if you have risk (financing) with other banks. We will obtain this information from the Bank of Spain Credit Reporting Agency (CIRBE).
  • Data on international sanctions: data on people or entities included in laws, regulations, guidelines, resolutions, programmes or restrictive measures regarding international economic and financial sanctions, imposed by the United Nations, European Union, Spain, the Office of Financial Sanctions Implementation (OFSI) of His Majesty's Treasury (HMT) of the United Kingdom and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
  • Demographic and socio-economic data: these are data not relating to specific people but geographical areas, age sectors or professional activity sectors, which we will use to put into context with customer information.
  • Details of properties and vehicles associated with you: these are data obtained from the land registry and basic data on vehicles obtained from the Spanish Traffic Directorate, which we will use to add to the information on your properties and vehicle.
    Details of directors, functional officers and corporate relationships: these are data taken from the INFORMA databases that we will use to add to the information on your activities.
  • Details of agricultural subsidies and insurance: these are data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Institution (ENESA).
  • Data from third-party companies where you have given your consent to share them with us: your data processed by other companies with which we have agreements, and which you have authorised to share your information with us.
  • Information obtained from public access sources and public records: data provided by public access sources and public records to compare the information you provide to enter into, maintain and fulfil the Contractual Relationships, information from the Equifax Bankruptcy file and additional contact data obtained from telephone directories (White Pages, Yellow Pages, Lleida.net) and the INFORMA database, to contact our customers in the event of non-compliance with contractual obligations.

These databases have been authorised in advance to contain this information.

  • Browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing on third-party websites or mobile applications and the browsing you perform on them: browsing history (pages visited and clicks on content), device ID, advertising ID and IP address.
  • Social media or internet details: social media or internet data that you authorise us to view.

Types of data processing  

We process your data for various purposes and legal reasons:

  • Processing based on your consent
  • Processing required for the Contractual Relationships
  • Processing required to comply with regulatory obligations
  • Processing based on legitimate interest of CaixaBank Payments & Consumer

In addition to the general processing detailed below, we may carry out specific processing operations not mentioned in this policy in response to your requests for products or services. Detailed information on these processing operations will be provided to you at the time of processing the specific request.


PROCESSING BASED ON YOUR CONSENT

The legal basis for this processing is your consent, as laid out in Article 6.1.a) of the General Data Protection Regulation (GDPR).


We may have requested this consent through different channels during your customer registration interview, through your adviser (remotely or in person), through digital channels or mobile applications, through any company with which we maintain a collaboration agreement ("Advisors"), through any channel of Bankia, S.A. prior to its merger with CaixaBank, or any CaixaBank Group company that is a joint data controller of the specific processing operation. If, for any reason, we have never asked you for your consent, this processing will not apply to you.


You can view the consent you have given or denied and change your decision at any time and for free at CaixaBank branches, on the CaixaBank Payments & Consumer website www.caixabank.es) and on the websites of each of the companies jointly responsible for the specific processing, or through your online account or the CaixaBank Payments & Consumer mobile apps.


Processing based on your consent is indicated below from (A) to (C). For each item, we will provide: a description of the purpose (Purpose), the details of the processed data (types of data processed), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).


In the event that you gave Bankia your consent to process your data for commercial purposes, and not CaixaBank, prior to their merger, CaixaBank will carry out processing operations A, B and C, as indicated below, in accordance with the preferences you indicated to Bankia at that time.


Specifically, the processing described in items A and B below will only be carried out by CaixaBank Group companies as joint controllers when you have consented to the communication of data between Bankia group companies (now CaixaBank).


A. Personalisation of products and services offered based on the analysis of your data


Purpose: If we have your consent, we will use the data indicated below to create a commercial profile for you, which will allow us to define your preferences or needs and offer you, through your adviser (in-person or virtual), products and services marketed by companies acting as joint data controllers that we believe may interest you according to those preferences and needs.


By processing your data, we can make customised offers that may be of more interest to you than generic offers.


In addition, if you authorise us to "Inform you of the products and services available through channels" (Section 6.1.B), we will offer you products and services from joint data controllers that we believe may interest you based on the preferences and needs we deduce for you, through any other channel that you authorise us to


Data processed: We will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the processing of genetic data, biometric data intended to uniquely identify you, health data or data relating to your sex life or orientation.


For this purpose, we will process the following data:

 

  • Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
  • Details of your professional or work activity and socio-economic information: details related to your job, income or remuneration, household, level of education, assets, tax and fiscal data.
  • Contract data: contracted or requested products and services (own or third-party), account holder status, authorised or representative of the product and service contracted, categorisation according to regulations regarding securities markets and financial instruments (MiFID category), information on investments made and their performance and information and transactions related to your financing operations.
  • Basic financial data: current and historical balances of products and services and payment history of contracted products and services (own or third party).
  • Third-party data from statements and receipts of instant accounts and payment accounts: information on entries and transactions that third-party issuers make to your accounts, including transaction type, issuer, amount, and the concept as it appears on receipts and statements for debit, credit and prepaid card transactions.
  • Details of whether or not you are a CaixaBank shareholder: if you have CaixaBank shares or not.
  • Data on communications maintained with you: data obtained in chats, walls, video conferences, telephone calls or any other equivalent means of communication.
  • Own browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing on our websites or mobile applications and the browsing you perform on them: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address and version installed on the app.
  • Geographic data: details of the location of the businesses where you make card transactions and the geolocation data of your mobile device provided by the installation and/or use of our mobile applications, when authorised by you in the settings for the apps.
  • Data obtained from other processing activities provided for in this policy:
    • Risk assessment data or scoring: in financing or payment for instalments, we will forecast your capacity to pay or not pay or the risk limits, applying statistical and mathematical models using your data (processing defined in section 6.2.B).
    • Customer classification data. (processing defined in section 6.4.A at https://www.caixabank.es/particular/general/politica-privacidad.html
  • Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to customer data to deduce their consumption habits, product preferences or tendencies or to classify customers.
  • Demographic and socio-economic data: these are data not relating to specific people but geographical areas, age sectors or professional activity sectors, which we will use to put into context with customer information.
  • Details of properties and vehicles associated with you: these are data obtained from the land registry and basic data on vehicles obtained from the Spanish Traffic Directorate, which we will use to add to the information on your properties and vehicle.
  • Details of directors, functional officers and corporate relationships: these are data taken from the INFORMA databases that we will use to add to the information on your activities.
  • Details of agricultural subsidies and insurance: these are data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Institution (ENESA).
  • Data from third-party companies where you have given your consent to share them with us: your data processed by other companies with which we have agreements, and which you have authorised to share your information with us.
  • Browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing on third-party websites or mobile applications and the browsing you perform on them: browsing history (pages visited and clicks on content), device ID, advertising ID and IP address.
  • Data from social media or the internet: social media or internet data that you authorise us to view.

Use of profiling: For this processing, we will create a business profile that we will use exclusively to customise the products and services we offer you:

 

  • Purpose of the profile:The purpose of the profile is to identify the products and services we think may interest you, based on the information we have about you, to offer your specific rather than generic commercial offers.
  • Consequences: If you authorise the processing, we will use commercial profiles to decide which products or services to offer you. If you do not give your authorisation, we will not use your information to customise our commercial offer. We do not use this profiling, under any circumstances, to refuse any product or service, or to set credit limits. Refusal to accept this processing will not prevent, limit or condition your access to our full catalogue of products and services, which is always available to you. If you apply for any product or service, your application will be assessed in accordance with our regular procedures. The acceptance or non-acceptance of the analysis of your data for the purpose of customising the products or services offered will not affect this assessment. Failure to accept this processing will not prevent us from contacting you to manage the products and services you have with us.
  • Logic: The profile of a customer is calculated based on the data indicated in the "processed data" section.

These data are applied to mathematical formulas obtained from past behaviours observed in clients of similar characteristics to infer the customer's future behaviour. These mathematical formulae allow us to determine the importance of all the data processed in the final result of the applicant's profile.


This final result is the probability that the customer will be interested in a product or service.


Other relevant information: The following section includes other relevant data processing information:

 

  • Pre-check of your payment capacity: When the offers we wish to propose to you consist of products or services that involve payment in instalments or financing, we will first check your payment capacity. We will carry out this check by means of the processing outlined in section 6.2.B of this Privacy Policy, with the aim of offering you a credit limit and repayment term suited to our knowledge of your financial situation, in accordance with the principle of responsibility regarding the offer of financing products required by the Bank of Spain, under regulations on the oversight and solvency of credit institutions and responsible lending. Not accepting this processing does not prevent, limit or condition your access to our catalogue of financing products and services. If you request them, we will evaluate them with you in accordance with our standard procedures.
  • Duration of data processing: We will only process your data if you have given us your consent, which will remain in force until you withdraw it. If you cancel all your products or services but forget to revoke your consent, we will do so automatically.
  • Preparation of management reports and mathematical models: The data processed and resulting from this processing will also be used to prepare management reports and mathematical models under the terms detailed in the processing defined in section 6.4.E) of this Policy. 

Joint data controllers: The following CaixaBank Group companies will process your data jointly.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Wivai Select Place, S.A.U,
  • ImaginersGen, S.A.
  • VidaCaixa, S.A.U. de Seguros y Reaseguros

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo

B. Notification of products and services through channels


Purpose: If we have your consent, we will make our range of products and services available to you only via the following channels authorised by you: mobile applications, digital environments and electronic channels, letter or telephone.


The data we will use to communicate through the channels that you authorise will vary depending on whether you have authorised us to customise our product offerings by analysing your data:

 

  • If we do not have your consent to customise our commercial offer (Processing A), we will only use your identifying and contact details to send you generic offers.
  • If you have given us your consent to personalise our commercial offer to you (processing A above), we will also use your commercial profile information as detailed in processing 6.1. A, to inform you of personalised offers.

Data processed: We will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the processing of genetic data, biometric data intended to uniquely identify you, health data or data relating to your sex life or orientation.


For this purpose, we will process the following data:

 

  • Identifying and contact details: full name, sex, telephone and email contact information, address of residence, language choice.
  • Data obtained from other processing activities provided for in this policy:
    • Data on the personalisation of products and services offered based on an analysis of your data: If you have given us your consent to personalise our commercial offer to you (processing A above), we will also use your commercial profile information as detailed in treatment 6.1. A of our Privacy Policy to inform you of personalised offers.

Other relevant information: The following section includes other relevant data processing information:

  • Duration of data processing: We will only process your data if you have given us your consent, which will remain in force until you withdraw it. If you cancel all your products or services but forget to revoke your consent, we will do so automatically.

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Wivai Select Place, S.A.U,
  • ImaginersGen, S.A.
  • VidaCaixa, S.A.U. de Seguros y Reaseguros

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo 


C. Disclosure of data to other companies so they can send you advertising.


Purpose: If we have your consent, we will transfer the data indicated below to companies with which we have agreements so that they may send you offers of their products and services.

 

If you do not consent to this data processing, we will not disclose your data. However, if you do give your consent, the data transferred to other companies will vary depending on whether you have authorised us to customise our product and service offerings by analysing your data:

  • If we do not have your consent to customise our commercial offer (Processing A), we will only provide these companies with your identifying and contact details.
  • If you have given us your consent to personalise our commercial offer (Processing A), we will also inform these companies of your commercial profile, including information on your preferences and needs, as well as inferred information about your probability of payment or non-payment, or risk limits.

These third-party companies to which we may transfer your data undertake the following activities:

  • banking
  • investment services
  • insurance and reinsurance
  • venture capital
  • property
  • highways
  • sale and distribution of goods and services,
  • consultancy services
  • leisure and
  • charity-social action

Data processed: We will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the processing of genetic data, biometric data intended to uniquely identify you, health data or data relating to your sex life or orientation.


For this purpose, we will process the following data:

  • Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
  • Data obtained from other processing activities provided for in this policy:
    • Data relating to the personalisation of products and services offered according to analysis of your data: If you have given us your consent to personalise our commercial offer to you (processing A above), we will also use your commercial profile information as detailed in processing 6.1. A of the Privacy Policy, so that we can send you personalised offers.

Other relevant information: The following section includes other relevant data processing information:

  • Data transfer information: If we reach an agreement with a third company to transfer your data, the recipient company would inform you of this, as well as of the details of the processing they intend to carry out.
  • Duration of data processing: We will only process your data if you have given us your consent, which will remain in force until you withdraw it. If you cancel all your products or services but forget to revoke your consent, we will do so automatically.

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Wivai Select Place, S.A.U,
  • ImaginersGen, S.A.
  • VidaCaixa, S.A.U. de Seguros y Reaseguros

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo

PROCESSING REQUIRED FOR CONTRACTUAL RELATIONSHIPS

The legal basis of this data processing is that it is necessary to manage contracts that you request or to which you are a party, or to apply precontractual measures if you request them, as established in art. 6.1.b) of the General Data Protection Regulation (GDPR).


Therefore, this processing is necessary for you to establish and maintain Contractual Relations with us. If you object to it, we will end these relations, or we cannot establish them if they have not yet started.


The types of processing required to establish contractual relations are listed below, arranged from (A) to (B). For each item, we will provide: a description of the purpose (Purpose), the type of processed data (Type of data processed), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out, as joint controllers, with other CaixaBank Group companies (Joint data controllers/Data controller).


A. Signing, maintenance and performance of Contractual Relations


Purpose: The purpose of this data processing is to formalise and maintain the Contractual Relationships established between you and us, including the processing of your requests or orders, the steps prior to entering into a contract (pre-contractual relationships), processed with us directly or through one of our intermediaries (such as our agent CaixaBank, S. A. or any of our advisors, who have commercial establishments of which you may be a customer), and the implementation of measures to ensure compliance with the contracts you sign with us and, where appropriate, the management of debt recovery.


This data processing involves collecting the information necessary to establish or to manage the application, to evaluate the suitability of the product and to process the information needed to properly maintain and execute the contracts.


The processing activities involved in signing, maintaining and performing the Contractual Relations are:

  • Collection and registration of the data and documents needed to apply for the products requested.
  • Formalising the signing of the contracts for the products and services.
  • Managing the products and services you have taken out with us, including responding to your questions regarding operations, handling any associated incidents and the annotation and verification of accounting entries for receiving and making product payments and sending operational communications, as well as any other processes that are necessary in order to satisfy the commitments made to take out specific products or services, such as loyalty programmes, discounts on fees or interest, and specific offers.
  • Adjusting measures to resolve any potential default payments, including: early debt collection management, communication, where applicable, to external agencies for collection actions, communication, where applicable, of data to credit information systems, filing, where applicable, and monitoring of lawsuits, identification and monitoring of situations of insolvency proceedings, and review and assessment of portfolio sales.

Type of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Details of your professional or work activity and socio-economic information
  • Sensitive data related to situations of vulnerability
  • Legal capacity data 
  • Details on special communication needs
  • Contract details
  • Basic financial data
  • Third-party data from statements and receipts of instant accounts and payment accounts
  • Data on communications maintained with you
  • Data obtained from the execution of statistical models
  • Data obtained from other processing activities provided for in this policy
    • Risk assessment or scoring data (processing defined in heading 6.2.B) 
  • Data obtained from the execution of statistical models
  • Data on credit information systems
  • Details of Equifax Risk Score
  • CIRBE details
  • Data relating to international sanctions
  • Information obtained from public access sources and public records

 
Other relevant information: The following section includes other relevant data processing information:

  • Automated decisions: When you request a product or service, we will use mechanisms to verify whether or not, based on objective criteria (e.g., employment status or tax residence), the product is suitable for your needs, interests and objectives. The establishment of these objective criteria derives from regulatory obligations regarding the governance of financial products and instruments and is included in the bank's internal product design policies. If the product is deemed to be unsuitable, the applicant may not contract it, and the application will be automatically rejected as the applicant's objective criteria are incompatible with those of the specific requested product or service. You may challenge the automated decision or exercise your right not to be subject to a decision based solely on automated processing by contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy.
  • Disclosure to credit information systems: This processing may involve disclosing your debt or non-payment details to credit information systems based on our legitimate interest, as described in section 6.4.C
  • Obtaining contact information: This processing may involve the collection of additional contact details from you by external debt recovery agencies, which will be carried out based on our legitimate interest, as detailed in section 6.4.D
  • Application or monitoring of commitments, discounts or preferential conditions: If you take out a product or service that requires compliance with certain requirements, we inform you that we will process the data necessary to verify your continued compliance with them. We also inform you that if there are joint holders, the other joint holders with whom you share accounts could indirectly become aware of the information on your compliance with said requirements.  For example, if you take out a product or service that gives you the right to receive discounts because you belong to a specific professional group, such as healthcare or law enforcement, we will verify during our contractual relationship that you still belong to said group. In addition, if you share a product or service with other account holders, they may realise that you satisfy this characteristic when they see these discounts applied to the account.

Data Controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.


Furthermore, if the product or service you apply for is marketed by CaixaBank Payments & Consumer but issued by another company, said other company will be responsible for processing your data in relation to that contract.


This means that if you take out through CaixaBank Payments & Consumer, as the associated banking-insurance operator, an insurance plan issued by VidaCaixa or SegurCaixa, these companies will be the controllers of your data as the issuers of the products.


We will inform you about this in detail in the contractual documentation for each product or service.


B. Analysis of creditworthiness and repayment capacity for the granting and monitoring of credit risk.


Purpose: The purpose of this data processing is to assess whether applicants and/or holders for products or services that involve the repayment of loans or credits, or deferred instalments, have the solvency and repayment capacity needed to make the payments required as part of the operations in question.


Detailed information on the solvency and repayment capacity analysis process that will be carried out when you apply for or have already been granted transactions involving the repayment of loans or credits, or the deferred payment of instalments, will be provided in the transaction request you will be required to sign when you apply for these products.


The processing activities carried out to analyse the solvency or repayment capacity of applicants and/or holders of products involving financing are:

  • Analysis of the repayment capacity of applicants at the time of granting new credit operations.
  • Analysis of the solvency of the holders of products involving financing throughout the life of the credit operations maintained with us to manage internal risks and prevent payment defaults.

Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Details of your professional or work activity and socio-economic information
  • Contract details
  • Basic financial data
  • Third-party data from statements and receipts of instant accounts and payment accounts
  • Data obtained from the execution of statistical models
  • Data on credit information systems
  • Details of Equifax Risk Score
  • CIRBE details
  • Demographic and socio-economic data
  • Details of properties and vehicles associated with you
  • Information obtained from public access sources and public records

Use of profiling: For this processing, we will create a risk profile that will be used exclusively to analyse the solvency and repayment capacity of applicants and/or holders of products involving financing.

  • Purpose: The purpose of the profile is to determine the probability of default when granting transactions, assess the need to adjust the risk of current transactions and calculate the provisions and capital requirements applicable to CaixaBank Payments & Consumer.
  • Consequences: risk profiles are tools used to support decisions on whether to grant risk transactions or adjust the limits of existing transactions. Transactions requested through electronic channels may involve automated decisions on whether to grant the transaction, as detailed in the section "Other relevant information".
  • Logic: The applicant's profile will use the information indicated in the "Type of processed data" section above. This basic information is used to assign a specific value to each piece of data on the applicant, the sum of which produces a score indicating the probability of default or non-compliance with monetary obligations. The importance of each variable and its influence on the final result is calculated in advance using mathematical models and is included in the institution's internal risk policies.

Other relevant information: The following section includes other relevant data processing information:

  • Automated decisions: We will use automated processes to analyse solvency and repayment capacity for applications submitted through electronic channels to check whether the financing is suitable, depending on your characteristics and the information you have provided. If the requested financing is deemed unsuitable for your repayment capacity according to the profile calculations employed, you will not be able to contract the product, and your application will be rejected automatically in this channel. You may resubmit an application for the transaction at one of our branches, where the analysis does not include automated decisions, challenge the automated decision or exercise your right not to be subject to a decision based solely on automated processing by contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy.
  • Regulatory obligations: In addition to these processing operations being required to perform the contractual relationship between you and us, this processing is carried out in accordance with the provisions of Law 44/2002, on Financial System Reform Measures, Law 10/2014, of 26 June, on the regulation, supervision and solvency of credit institutions, and other obligations and standards set out in regulations on responsible lending, to which we adhere as a credit institution.
  • Credit information system enquiries: The credit information systems enquiries required for solvency analysis will be carried out based on our legitimate interest, as detailed in section 6.4.D.
  • CIRBE enquiry and communication: The CIRBE enquiries required for solvency analysis are carried out in accordance with the provisions of Law 44/2002, of 22 November, on Financial System Reform Measures. Furthermore, the data necessary to identify the persons with whom credit risks are maintained will be communicated, based on the same standard.
  • Preparation of management reports and mathematical models: The data processed and resulting from this processing will also be used to prepare management reports and mathematical models under the terms detailed in the processing defined in section 6.4.E) of this Policy. 

Joint data controllers: Sector regulations on the prudential and solvency requirements that apply to the financial sector require that a credit operation be granted to customers and monitored jointly by all the companies that comprise the same consolidated group of credit institutions.


The following CaixaBank Group companies will process your data jointly.

 

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Telefónica Consumer Finance, E.F.C., S.A.
  • CaixaBank Equipment Finance, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Hipotecaixa 2, S.L.U.
  • Banco BPI, S.A.
  • Wivai Select Place S.A.U.

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo 

 

PROCESSING REQUIRED TO COMPLY WITH REGULATORY OBLIGATIONS

The legal basis of this processing is the requirement to comply with a legal obligation that is required of us, as laid out in Article 6.1.c) of the General Data Protection Regulation (GDPR).


Therefore, it is necessary for you to establish and maintain Contractual Relations with us. If you object to it, we will need to end these relations, or we cannot establish them if they have not yet started.


The types of processing required to satisfy the regulatory requirements are listed below, arranged from (A) to (C). For each item, we will provide: a description of the purpose (Purpose), the type of processed data (Type of processed data), if applicable, information on the use of profiles (Use of profiling), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).


Processing to comply with anti-money laundering and terrorist financing regulations


Purpose: The purpose of this processing is to adopt the measures imposed on our activity by Law 10/2010, on the Prevention of Money Laundering and Terrorist Financing.


The processing operations that are carried out to comply with anti-money laundering and terrorist financing regulations are:

 

  • Collecting information and documentation that allows customers to comply with due diligence and knowledge measures;
  • Checking the information that you provide us;
  • Checking if you hold or have held a position of public trust;
  • Categorising your risk level, based on which the various due diligence measures will be applied in accordance with Prevention of Money Laundering and Financing of Terrorism regulations;
  • Analysing the transactions executed through CaixaBank Payments & Consumer, in accordance with legal obligations;
  • Checking your relationship with companies and, if necessary, your controlling position within their ownership structure, and;
  • Reporting and updating your information monthly in the Financial Ownership Database, managed by the Executive Service of the Commission to Prevent Money Laundering and Financial Crimes (SEPBLAC).

Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Details of your professional or work activity and socio-economic information
  • Contract details
  • Basic financial data
  • Third-party data from statements and receipts of instant accounts and payment account
  • Data on communications maintained with you
  • Data obtained from other processing activities provided for in this policy:
    • Risk assessment or scoring data (processing defined in heading 6.2.B).
  • Data obtained from the execution of statistical models
  • Details of directors, functional officers and corporate relationships
  • Information obtained from public access sources and public records

Use of profiling: This processing involves creating a profile that we use exclusively for adopting the necessary measures in accordance with the provisions of Law 10/2010 on the Prevention of Money Laundering and the Financing of Terrorism.

 

  • Purpose: The purpose of the profile is to prevent the contracting of operations susceptible to money laundering or the financing of terrorism.
  • Consequences: Profiles are tools that help money laundering and terrorist financing prevention units determine whether operations are likely to be subject to money laundering or terrorist financing and, therefore, whether to accept or decline them.

Joint data controllers: The following CaixaBank Group companies will process your data jointly.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa SA de Seguros y Reaseguros
  • BPI Vida e Pensões – Companhia de Seguros, S.A.
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Livingcenter Activos Inmobiliarios, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • CaixaBank Wealth Management Luxembourg, S.A.
  • CaixaBank Asset Management Luxembourg, S.A.
  • BPI Gestão de Ativos, SGOIC, S.A.
  • Banco BPI, S.A.
  • Bankia Habitat, S.L.U.
  • Puerto Triana, S.A.U.

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo 

B. Processing to comply with obligations arising from sanctions policies and international financial countermeasures
 

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by the international financial sanctions and countermeasures programmes adopted by the European Union and the Kingdom of Spain.


In order to comply with international financial sanctions or countermeasures programmes, we will check if your name is on the lists of people or entities included in laws, regulations, guidelines, resolutions, programmes or restrictive measures regarding international economic and financial sanctions imposed by the United Nations, the European Union and/or the Kingdom of Spain. 


Types of data processed:  The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Data relating to international sanctions

Other relevant information: The following section includes other relevant data processing information:

  • Sanctions programmes: CaixaBank Payments & Consumer consults the programmes of international economic-financial sanctions adopted by the Office of Financial Sanctions Implementation (OFSI) of His Majesty’s Treasury (HMT) of the United Kingdom and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) based on our legitimate interest, which we provide details of in section 6.4.A. 

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa SA de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Livingcenter Activos Inmobiliarios, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Banco BPI, S.A.
  • CaixaBank Wealth Management Luxembourg, S.A.
  • Bankia Habitat, S.L.U.
  • CaixaBank Equipment Finance, S.A.
  • Puerto Triana, S.A.U.
  • CaixaBank Asset Management Luxembourg, S.A.
  • BPI Gestão de Ativos, SGOIC, S.A.
  • BPI Vida e Pensões – Companhia de Seguros, S.A.

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo 

C. Processing for handling complaints and claims.

Purpose: The purpose of this processing is to handle queries, complaints and claims submitted to CaixaBank Payments & Consumer, in accordance with the regulations applicable to its capacity as a financial institution; specifically, Law 44/2002 of 22 November and Order ECO/73/2004, requiring CaixaBank to have a customer service department in place to respond to complaints and claims submitted by financial users.


Furthermore, Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights requires the data controller (in this case CaixaBank Payments & Consumer) to handle any complaints submitted to its Data Protection Officer and respond to any data protection rights exercised by data subjects.


The following processing operations are carried out to comply with regulations on the processing of complaints and claims:

 

  • Receiving complaints and claims submitted by financial users through the CaixaBank Payments & Consumer Customer Service Department;
  • Responding to complaints and claims within the established time frame, and;
  • Managing data protection rights and queries submitted to the Data Protection Officer of CaixaBank Payments & Consumer and the necessary activities to collaborate with the Control Authority (Spanish Data Protection Agency)

Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Legal capacity data 
  • Details on special communication needs
  • Sensitive data related to situations of vulnerability
  • Contract details
  • Basic financial data
  • Third-party data from statements and receipts of instant accounts and payment accounts
  • Data on communications maintained with you
  • Own browsing data
  • Data on credit information systems
  • CIRBE details

Data Controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

PROCESSING BASED ON THE LEGITIMATE INTEREST OF CAIXABANK PAYMENTS & CONSUMER

The legal basis of this processing is the legitimate interest pursued by CaixaBank Payments & Consumer or a third party, provided that these interests do not take precedence over your interests, or your fundamental rights and freedoms, as per art. 6.1. f) of the General Data Protection Regulation (GDPR).

This processing will imply that we have considered your rights and our legitimate interest and we have concluded that the latter prevails. Otherwise, we would not process the data. You can ask about the analysis that is done to weigh the legitimate interest of a processing operation at any time by emailing your enquiry to delegado.proteccion.datos@caixabank.com 


We also remind you that you have the right to object to processing based on a legitimate interest. If you believe that CaixaBank and, where applicable, joint data controller companies should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in section 4.


This processing is detailed below, arranged from (A) to (G). For each item, we will provide: CaixaBank Payments & Consumer's Legitimate Interest (CaixaBank Payments & Consumer's legitimate interest), a description of the purpose (Purpose), the type of processed data (Type of data processed), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).


A. OFSI and OFAC international financial sanctions and countermeasure policies.


Interest of CaixaBank Payments & Consumer: The legitimate interest of CaixaBank Payments & Consumer and the joint data controller companies listed in this section for carrying out this processing is to comply with international financial sanctions and countermeasures programmes of the United States and the United Kingdom, with a view to carrying out their business activities in those countries.  


Purpose: The purpose of this processing is to adopt the measures envisaged in the international financial sanctions and countermeasures programmes adopted by the Office of Financial Sanctions Implementation (OFSI) of His Majesty’s Treasury (HMT) of the United Kingdom and/or the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). 


In order to comply with these international financial sanctions and countermeasures programmes, we will check whether you are included on lists of persons or entities subject to the restrictive measures of these two bodies.


Types of data processed:  The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • identifying and contact details:
  • Data relating to international sanctions:

Other relevant information: The following section includes other relevant data processing information: 

  • Right to object to processing: If you believe that CaixaBank Payments & Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa SA de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Livingcenter Activos Inmobiliarios, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.+
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Banco BPI, S.A.
  • CaixaBank Wealth Management Luxembourg, S.A.
  • Bankia Habitat, S.L.U.
  • CaixaBank Equipment Finance, S.A.
  • Puerto Triana, S.A.U.
  • CaixaBank Asset Management Luxembourg, S.A.
  • BPI Gestão de Ativos, SGOIC, S.A.
  • BPI Vida e Pensões – Companhia de Seguros, S.A.

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo


B. Fraud prevention


Legitimate interest of CaixaBank Payments & Consumer: The legitimate interest of CaixaBank Payments & Consumer and the joint data controller companies listed in this section for carrying out this processing is to prevent fraud that could lead to financial or reputational damage to the institution or its customers.


Purpose: The purpose of this processing is to adopt the necessary measures to prevent malicious transactions or conduct before they occur or to mitigate their impact if they do occur by identifying suspicious transactions or conduct that could involve an attempt to defraud the institution or its customers.


The processing operations carried out to prevent fraud are:

 

  • Verifying the identity of customers that interact with the bank to prevent fraudulent access to information or operations.
  • Reviewing and analysing the contracts and operations carried out in our systems to protect our customers from fraud through any channel and prevent cyberattacks.
  • To confirm your identity and the validity of the identification documents provided with national and international databases managed by law enforcement and similar agencies, like INTERPOL (International Criminal Police Organization), to confirm that you are the holder of the identification document you provide us and to protect you from identity theft (when another person pretends to be you).

Consulting the information included in the PAYGUARD Fraud Prevention Service to detect fraudulent accounts and report, where appropriate, fraudulent transactions. Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Details of your professional or work activity and socio-economic information
  • Contract details
  • Basic financial data
  • Third-party data from statements and receipts of instant accounts and payment accounts
  • Data on communications maintained with you
  • Own browsing data
  • Geographical details
  • Data obtained from other processing activities provided for in this policy:
    • Risk assessment or scoring data (processing defined in heading 6.2.B).
  • Data obtained from the execution of statistical models

Use of profiling: This processing involves creating a profile of your usual operations and activities, which we use exclusively to detect irregular situations that may indicate an attempt to commit fraud.

 

  • Purpose: The purpose of the profile is to identify operations or interactions that are unusual or not in line with your behaviour profile that could be an attempt to commit fraud or gain fraudulent access to information.
  • Consequences: Profiles are tools that help to identify fraudulent transactions. The use of these profiles requires the implementation of measures, including reviewing transactions in detail, blocking transactions and rejecting their automatic execution.

Other relevant information: The following section includes other relevant data processing information:

  • Automated decisions: For the purpose of fraud prevention, we will use automated processing to try to detect fraudulent transactions. In the case of transactions that cannot be reversed once executed, such as immediate payments or transfers, the automated processes will block any suspicious transactions and prevent them from being executed. You may request the transaction again, challenge the automated decision or exercise your right not to be subject to a decision based solely on automated processing by contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy.
  • Right to object to processing: If you believe that CaixaBank Payments & Consumer and, where applicable, the joint data controller companies should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in section 4.
  • PAYGUARD Fraud Prevention Service: CaixaBank is a member of the PAYGUARD Fraud Prevention Service, which covers the country's leading financial institutions and is managed by Sociedad Española de Sistemas de Pago, S.A. (Spanish Payment Systems Company) (Iberpay). This service aims to minimise the levels of fraud related to movements between accounts by detecting, investigating, monitoring and reporting, where applicable, suspicious and fraudulent transactions involving customers' current or savings accounts. The legal basis for the processing is the legitimate interest in preventing the type of fraudulent activity that could affect these transactions. CaixaBank may include in the PAYGUARD Fraud Prevention Service data related to the IBAN number and identifying details of the holder of the account where the suspicious or fraudulent transaction has been detected. You can consult the    updated    list    at    participating companies participants at: 
https://www.iberpay.es/es/servicios/servicios/prevenci%C3%B3n-del-fraude/  The data will be stored for a maximum of thirty days for suspicious transactions, and one year for confirmed fraudulent transactions. The institutions participating in the PAYGUARD Fraud Prevention Service are the joint controllers of your data. You can request the main aspects of the joint data controller agreement by sending an email to www.caixabank.com/delegadoprotecciondedatos and also exercise your rights regarding the processing of your data through any of the channels indicated in section 4. Exercising rights and filing complaints through the Spanish Data Protection Agency (AEPD).

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Global Payments Moneytopay, EDE, S.L.

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo 

C. Consultation and communication with credit reporting systems as part of the application for and subsequent management of products that involve financing.

Legitimate interest of CaixaBank Payments & Consumer: The legitimate interest of CaixaBank Payments & Consumer to carry out this processing is to avoid non-payment and defaults by applicants or account holders of those products that involve financing.


Purpose: The purpose of this processing is to assess the solvency and repayment capacity to (i) ensure adequate compliance by the interested parties with their payment obligations resulting from the transactions granted, (ii) to monitor and   manage the transactions granted, and (iii) to prevent and manage defaults and non-performing loans.


The processing operations carried out when checking solvency records are:

 

  • Checking your information: The databases of the following solvency and credit files shall be consulted prior to approving the transactions involving financing or in order to monitor and manage the risk of the credit granted: (i) Asnef database; (ii) Badexcug database, and:
  • Communicate your personal details: If you stop making payments in relation to any of the monetary obligations you have undertaken with us pursuant to our Contractual Relations, we may disclose your payment default details to the following credit information systems subject to the conditions and requirements outlined by law:

Types of data processed: The types of data we will process for this purpose are:

  • Identification and contact details
  • Contract details
  • Basic financial data
  • Data on credit information systems

Other relevant information: The following section includes other relevant data processing information:

  • Right to object to processing: If you believe that CaixaBank Payments & Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in section 4.

Data Controller: CaixaBank Payments & Consumer is responsible for the part of the processing related to consulting credit information systems. CaixaBank Payments & Consumer and the Asnef and Badexcug databases are jointly responsible for the part of the processing related to communication to credit information systems: The contact details for the credit reporting agencies are provided below:

  • Asnef database: Asnef Equifax Servicios de Información sobre Solvencia y Crédito. Apartado de correos10546, 28080 Madrid (sac@equifax.es
  • Badexcug database: Apartado de correos 1188, 28108 Alcobendas (badexcug@experian.com

D. Collection of additional contact details for default management


Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments & Consumer's legitimate interest is to collect the debt in non-payment situations, which requires having up-to-date contact details on its customers.


Purpose: The purpose of this processing is to obtain additional customer contact information to contact them in the event they breach their contractual obligations.


Additional contact details are obtained from public lists (white pages, yellow pages and Lleida.net) and private lists (Equifax or Detectives) through debt collection agencies, ensuring that the data collected complies with the quality principle and is obtained legally.


Types of data processed: The types of data we will process for this purpose are:

  • Identification and contact details
  • Information obtained from public access sources and public records

Other relevant information: The following section includes other relevant data processing information:

  • Right to object to processing: If you believe that CaixaBank Payments & Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.

Data Controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

E. Preparation of management reports and mathematical models


Legitimate interest of CaixaBank Payments & Consumer:CaixaBank Payments & Consumer's legitimate interest in carrying out this process is to design, organise and optimise its corporate and commercial activity as efficiently as possible, which requires having reports on the management and activity of the company and the market, as well as advanced information analysis mathematical algorithms.


Purpose: The purpose of this processing is to prepare reports on the company's activity and its relationship with the market, on the composition and evolution of its customer base and on the convenience and effectiveness of its products and services. These reports are used to manage said products/services and to create and maintain statistical and mathematical models that allow for the processing detailed in this policy to be carried out and that require advanced calculations and analysis of the information.


Types of data processed The data we will process for this purpose is that which has been identified previously for each processing type. We will apply, whenever possible, anonymisation or pseudonymisation techniques to ensure that this processing does not have an impact on the rights of the data subjects, and that the result of the processing is reports with statistical or aggregated information, or mathematical or algorithmic formulas.


Other relevant information: The following section includes other relevant data processing information:

  • Right to object to processing: If you believe that CaixaBank Payments & Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.
  • Ancillary data processing: The processing of data to create statistical reports and mathematical models is not intended to process individual customer data. This data processing is necessary, but accessory, to the main purpose of preparing management reports, or algorithmic or mathematical formulas, and is thus carried out using, whenever possible, anonymising techniques or, failing that, pseudonymisation and minimising the information processed. This processing has no effects or consequences on the individual data subject.

Data Controller: When management reports or mathematical models are produced that originate from other processing under this Policy for which CaixaBank is the controller, the controller for this processing will also be CaixaBank. 

If management reports or mathematical models are produced that originate from other processing under this Policy that are carried out under a joint data controller regime, this processing will be carried out under the same joint data controller regime as the original processing. In these cases, you will find the details of the joint data controller companies and other essential aspects of the processing agreements at www.caixabank.es/empresasgrupo

F. Sending of commercial communications based on a basic commercial profile 


Who does this processing apply to? We will only process your data in this way if: 

  • you have not indicated your preferences for the commercial processing described in sections 6.1.A., 6.1.B. and 6.1.C of this Policy
  • we have sent you a personalised communication informing you of this; and
  • you have not exercised your right to objection. 

Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments & Consumer's legitimate interest in processing this data is to promote the marketing of the products and services in its portfolio and to ensure customer loyalty. 


Purpose: The purpose of this processing is to send commercial communications on products and services similar to those you have with CaixaBank Payments & Consumer, based on a basic commercial profile that we will create using your data.


Types of data processed: the types of data we will process for this purpose are:

  • Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
  • Details of your professional or work activity and socio-economic information: professional or employment activity, income or salary.
  • Contract data: contracted or requested products and services, account holder status, authorised or representative of the product and service contracted and information and transactions related to your financing operations.
  • Basic financial data: current and historical balances of products and services and payment history of contracted products and services.
  • Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to client data, which helps us combat fraud, detect your consumer habits, preferences or product tendencies for regulatory compliance, and manage your products and services.
  • Data obtained from other processing activities provided for in this policy:
    • Risk assessment data or scoring: in financing or payment for instalments, we will forecast your capacity to pay or not pay or the risk limits, applying statistical and mathematical models using your data (processing defined in section 6.2.B)
  • Demographic and socio-economic data: these are data not relating to specific people but geographical areas, age sectors or professional activity sectors, which we will use to put into context with customer information.

Use of profiling: For this processing, we will only prepare a basic commercial profile using the data specified previously:

  • Purpose of the profile: The purpose of the profile is to identify the products and services we think may interest you, in order to offer your specific rather than generic commercial offers.
  • Consequences: the consequence of using the basic commercial profile is the sending of customised offers on products and services marketed by CaixaBank Payments & Consumer based on the data we have specified. We do not use this profiling, under any circumstances, to refuse any product or service, or to set credit limits.  Your refusal to accept this processing will not prevent, limit or condition your access to our full catalogue of products and services, which is always available to you. If you apply for any product or service, your application will be assessed in accordance with our regular procedures. Your objection to this processing will not affect this assessment. Failure to accept this processing will not prevent us from contacting you to manage the products and services you have with us.
  • Logic: This basic commercial profile is calculated based on the data indicated in the "processed data" section, with a time period spanning thirteen months. This data is processed using mathematical formulas obtained from past behaviours observed in customers of similar characteristics so as to infer the customer's propensity to consume. These mathematical formulas allow us to determine the importance of all the data processed in the final result of the customer's profile. This final result is the probability that the customer will be interested in a product or service.

Other relevant information: The following section includes other relevant data processing information:

 

  • Right to object to processing: Please note that you have the right to object to processing based on a legitimate interest.  You can do it simply and free of charge at the following link https://www.caixabank.es/apl/particulares/gdpr/index_es.html?empresa=6&derecho=oposicioncomunicaciones You can also use the normal channels described in section 4.  If you decide to exercise your right of objection, we inform you that we will stop processing the data without requiring you to provide a reason for us to stop processing your data.
  • Pre-check of your payment capacity: When the offers we wish to propose to you consist of products or services that involve payment in instalments or financing, we will first check your payment capacity. We will carry out this check by means of the processing outlined in section 6.2.B of this Privacy Policy, with the aim of offering you a credit limit and repayment term suited to our knowledge of your financial situation, in accordance with the principle of responsibility regarding the offer of financing products required by the Bank of Spain, under regulations on the oversight and solvency of credit institutions and responsible lending.
  • Duration of data processing: This processing will come into effect on 10 October 2022. In any case, you will receive a personalised informative message beforehand. We will stop processing this data, with no other additional requirements, in either of these two circumstances: 
    • When we contact you to request your consent to the commercial processing carried out by the CaixaBank Group companies described in section 6.1 (A, B and C), whether you authorise or reject them.
    • If you exercise your right of objection.

Data Controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

G. Conducting customer surveys


Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments & Consumer's legitimate interest in processing this data is to determine the level of customer satisfaction and improve the services and products it offers them, guaranteeing them an adequate experience that meets their expectations. 


Purpose: The purpose of this processing is to conduct surveys with customers to find out how satisfied they are with the Entity's services and to be able to improve internal processes, if applicable.


Type of data processed: The types of data we will process for this purpose are:

  • Identification and contact details
  • Contract details
  • Details of the communications with the data subject

Other relevant information: 

  • Right to object to processing: If you believe that CaixaBank Payments & Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in section 4.

 


RECIPIENTS OF THE DATA

 

Data controller and joint data controllers


The data we process in your capacity as a customer of CaixaBank Payments & Consumer is processed by CaixaBank Payments & Consumer. If data is processed by joint data controllers, it will be processed by CaixaBank Group companies in accordance with the previous processing sections.


Authorities or official bodies


Credit institutions such as CaixaBank Payments & Consumer and other payment service providers may be legally required to provide information on transactions we carry out to authorities or official bodies in other countries located both within and outside the European Union. This obligation is within the scope of the fight against financing terrorism, serious forms of organised crime, and money laundering, as well as the prudential supervision of credit institutions by the Bank of Spain and the European Central Bank.


This obligation may also apply to payment services and technology service providers with which we maintain relations and to which we send data to carry out transactions.


Credit reporting databases


If you stop making payments in relation to any of the monetary obligations you have undertaken with us pursuant to our Contractual Relations, we will be able to disclose payment default details to the following credit information systems in the conditions and requirements outlined in regulations:

  • Asnef database: Asnef Equifax Servicios de Información sobre Solvencia y Crédito. Apartado de correos10546, 28080 Madrid (sac@equifax.es
  • Badexcug database: Apartado de correos 1188, 28108 Alcobendas (badexcug@experian.com)

We inform you that you can exercise your rights to access, rectify, object to processing, delete, restrict processing, transfer your personal data and not be subject to automated decision-making in accordance with the law with these records regarding fulfilment or non-fulfilment at the indicated addresses.


Disclosure of data to outsourced service providers


Sometimes we use service providers with potential access to personal data.


Such providers grant an adequate, sufficient safeguarding service when it comes to processing your data, since we carefully screen service providers by including specific demands in the event that their services involve the need to process personal data.

  • The type of services we can assign to service providers is:
  • Financial back office services
  • Administrative support services
  • Audit and consulting services
  • Legal services and asset and non-payment recovery services
  • Payment services
  • Marketing and advertising services
  • Survey services
  • Call centre services 
  • Physical security services
  • Computer services (system and information security, cybersecurity, information systems, architecture, hosting, data processing)
  • Telecommunications services (voice and data)
  • Printing, enveloping, postal and courier services
  • Data storage and destruction services (digital and physical)
  • Maintenance services for buildings, installations and equipment

DATA STORAGE PERIODS

Storage for maintaining Contractual Relations


We will process your data as long as the Contractual Relations we have established remain in force

Storage of authorisations for consent-based processing

We will process the data based on your consent until you revoke it.


If you cancel all your product and service contracts with the CaixaBank Group companies but do not withdraw the consent you have given us, we will automatically void said consent until you stop being our customer.


Storage to comply with legal obligations and to formulate, exercise and defend claims


Once authorisations for use have been revoked as you have withdrawn your consent, or the contractual or business relations established with us have ended, we will only keep your data to comply with legal obligations and to allow you to formulate, exercise or defend claims during the limitation period for actions derived from these contractual relations.


We will process this data by applying the technical and organisational measures required to guarantee that it is only used for these purposes.


Data destruction


We will destroy your data when the retention periods imposed by the regulations governing CaixaBank Payments and Consumer's activity have passed and the limitation periods for administrative or judicial actions arising from the relations established between you and us have elapsed.


 


DATA TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA

At CaixaBank Payments & Consumer, we process your data within the European Economic Area and generally, our service providers are located within the European Economic Area or in countries that are deemed to have an adequate level of data protection.


If we need to use brokers that carry out processing outside the European Economic Area or in countries not determined to have an adequate level of data protection, we will ensure that your data is processed in a secure and legitimate manner.


For this purpose, we require these brokers and service providers to apply suitable guarantees in accordance with the GDPR (such as binding corporate standards guaranteeing information protection in a similar way to European standards) or to subscribe to the standard clauses of the European Union. You may request a copy of the proper guarantees required by CaixaBank Payments & Consumer from these vendors by contacting the data protection officer at www.caixabank.com/delegadoprotecciondedatos.

 


AUTOMATED DECISIONS

 

Section 6 of this Policy contains information on the type of processing that incorporates automated decision-making.


If during the Contractual Relationships you maintain with us, we adopt decisions that could establish legal effects for you or could significantly affect you (for example, to not allow you to take out a certain product) based solely and exclusively on automated processing (i.e. without the participation of a person), we will inform you of this, as well as of the logic through which we adopted it, in the contractual documentation of the product or service you have requested.


Moreover, at that time, we will also adopt measures to safeguard your rights and interests by giving you the right to human involvement, to express your views and to challenge the decision.

REVIEW

 

We will revise this Privacy Policy whenever necessary to keep you duly informed, for example, when publishing new standards or criteria or when we engage in new processing activities.


We will notify you through the usual communication channels whenever there are substantial or important changes to this privacy policy.


Last review date


3 May 2024