Privacy and Data Protection Policy
A. INTRODUCTION
The privacy and data protection policy of Caixa-Banco de Investimento, S.A. regarding personal data processing, described below, is in accordance with Regulation (EU) 2016/679 of the European Parliament and the Council - General Data Protection Regulation (GDPR) - and the remaining regulation applicable on privacy and data protection.
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
B. DEFINITIONS
To enable the reading of the present document, the main definitions used therein are hereby identified:
Personal Data: The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
Processing: means an operation or a set of operations conducted on personal data or on sets of personal data by automatic or non-automatic means, such as collection, recording, organisation, structuring, storage, adaptation or modification, recovery, consultation, use, disclosure or transmission, dissemination or any other form of provision, comparison or interconnection, limitation, erasing or destruction;
Person responsible for Personal Data Processing: natural or legal person that determines the ends and means used in the processing of personal data.
Subcontractor: a natural or legal person that processes personal data on behalf of Caixa-Banco de Investimento, S.A., in a service provision context, formalised in a Contract.
Supervisory authority: an independent public authority that, in the case of Portugal, is the National Data Protection Commission (CNPD), which is responsible for monitoring and accurately enforcing legislation on personal data protection.
Cookies: computer files that contain a sequence of numbers and letters that allow for the unique identification of a person's internet access device, but that can also contain other information. The cookies are downloaded through the browser into the device used for internet access (computer, cell phone, tablet, etc.) when certain websites are accessed;
C. ENTITY RESPONSIBLE FOR DATA PROCESSING
The entity responsible for data processing is Caixa-Banco de Investimento, S.A. with headquarters at Av. João XXI, 63, 1000-300 in Lisbon
D. PERSONAL DATA COLLECTION AND PROCESSING
Personal data of customers or potential customers or other individuals with a commercial relation with Caixa-Banco de Investimento, S.A. can be collected directly or indirectly by Caixa-Banco de Investimento, S.A. from other sources or may stem from accesses, consultation, instructions, transactions and other records concerning the contracts that have been concluded between Caixa-Banco de Investimento, S.A. and its customers or other individuals with public or private entities as part of the fulfilment of legal or regulatory obligations that apply to Caixa-Banco de Investimento, S.A., for the purpose of data confirmation of collection of the necessary elements of that contract relationship whenever these are allowed for under applicable law.
Personal data of customers or potential customers or individuals that have a commercial relation with Caixa-Banco de Investimento, S.A. are only processed for predetermined purposes, which are explicit and legitimate.
E. PURPOSE OF DATA PROCESSING
Caixa-Banco de investimento, S.A. processes personal data that have been previously identified according to the terms of GDPR and the remaining legal provisions that apply within this scope, and in accordance with the following purposes:
- Management and execution of the contract or other proceedings requested by the data subject (Art. 6 no.1 b) of GDPR)
The processing of personal data is conducted with the aim of upholding the relation of Caixa-Banco de Investimento, S.A. with its customer or data subject and in order to allow for the execution of banking operations and for the provision of banking or financial services, as well as complementary services, namely to allow for the execution of contracts signed by the bank and the data subject and for the execution and management of the requests made by the latter, as well as all action necessary as part of the conduction and management of an institution that provides banking and financial services.
- Per legal imperative or in benefit of public interest (Art. 6 no.1 c) and e) of GDPR
As a financial institution, the Bank is under several legal obligations, namely the General Scheme for Credit Institutions and Financial Companies, legislation that focuses on the fight against money laundering and financing of terrorism, laws on intermediation of financial transactions and negotiation of securities and tax regulation, as well as provisions on the supervision of the banking activity by the European Central Bank, of the European Banking Authority, of Banco de Portugal and of the Portuguese Securities Market Commission (CMVM).
- As part of a legitimate interest (Art. 6 (1) (f) of GDPR)
Whenever necessary, we process your data in order to protect both the legitimate interests of the bank and those of third parties, namely the consultation and exchange of data with credit information systems to determine solvency or default risks, provisions regarding security of Caixa-Banco de Investimento, S.A., of its IT network, of its facilities and IT systems such as access control, security and transaction proof.
- Based on your consent (Art. 6 (1) (a) GDPR)
Whenever your consent for the processing of personal data for specific purposes has been given (for instance, the disclosure of data outside of the scope of the cases provided for in this Policy or in specific documentation of the Bank, assessment of data on payments), we will conduct such data processing that you have been notified of and on which you have given your consent. The consent can be repealed at any time, with such repeal being only applicable to situations taking place in the future and thus, not having any retroactive effects. This is also applicable to the repeal of any informed consents that have been given to us prior to May 25th, 2018.
F. COMMUNICATION OF DATA TO OTHER ENTITIES
The provision of services by Caixa-Banco de Investimento, S.A. to its Customers and other data subjects may imply that the Bank shall turn to third parties (subcontractors, as per GDPR), including entities based outside of the European Union, for the provision of certain services, and this may potentially mean access by these parties to personal data of the Customers. The Bank ensures that under such circumstances, it adopts all technical and organisational measures deemed appropriate in order to make sure that such subcontractors that have access to data are reputed and offer the highest guarantees at this level, which will be duly established and covered under the contract that is to be signed between Caixa-Banco de Investimento, S.A. and each of these third parties.
G. TIMEFRAME FOR DATA RETENTION
Caixa-Banco de Investimento, S.A. keeps a digital record of the Customer's codes and of the orders and instructions provided by the latter, regardless of its support and channel, intended for accounting treatment, question clarification or for the compliance with legal, regulatory and fiscal obligations.
The period of time during which data are stored and retained varies according to the end for which such information is processed. Whenever there is no specific legal requirement, data is stored and retained only for the minimum time period necessary to complete the purpose that justified its collection in the first place or its later processing, or for the timeframe that is permitted by the National Data Protection Commission, after which the data will be deleted.
H. SECURITY MEASURES
Caixa-Banco de Investimento, S.A. ensures adequate levels of security and protection of personal data. To this end, several technical and organisational security measures have been adopted in order to protect personal data against dissemination, loss, undue use, modification, processing or unauthorised access, as well as against any other form of undue processing. Notwithstanding the security measures adopted by Caixa-Banco de Investimento, S.A., the data subject should hold the codes of access secret and not share them with third parties.
If Caixa-Banco de Investimento, S.A. subcontracts services to third parties that may have access to personal data, without prejudice to the aspects mentioned above, its subcontractors will be under obligation to adopt security protocols at the organisation level and the technical measures necessary to the protection of confidentiality and security of personal data, as well as to prevent unauthorised accesses, losses or destruction of personal data.
I. COOKIES POLICY
Caixa-Banco de Investimento, S.A. does not use cookies in its websites.
J. RIGHTS OF DATA SUBJECTS
Data subjects are entitled to access, update, rectify or erase, in this case whenever this is legally permitted, any personal information that may concern them, and is also entitled to oppose the processing of their information, as well as data portability.
Customers or potential customers or other individuals that have a commercial relation with Caixa-Banco de Investimento, S.A. may oppose, at any time, the use of their data for marketing purposes, for the sending of information or the inclusion in information lists or services.
l. Exercise of Rights by DATA SUBJECTS
For the exercise of the rights mentioned above, as well as the obtaining of any information regarding the present Privacy and Data Protection Policy, customers or other data subjects may address Caixa-Banco de Investimento, S.A. in writing, to the address provided below to the attention of the Data Protection Officer or to the following e-mail address: data.protection.officer@caixabi.pt.
Caixa-Banco de Investimento, S.A.
A/C Data Protection Officer
Av. João XXI, 63
1000-300 Lisbon
