HOW WE PROCESS YOUR PERSONAL DATA

To manage your relations with us, CaixaBank Payments & Consumer will process your personal data for different purposes, always in accordance with the applicable laws, respecting your rights and with complete transparency.

For this purpose, in this Privacy Policy, which you can access at any time at https://www.caixabankpc.com/politicaprivacidad, you can see complete details on how we will use your data in the relationships we establish with you.

The main regulations governing our processing of your personal data are:

> Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the GDPR)

> Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights (hereinafter the LOPD)


WHO PROCESSES YOUR DATA

Data controller: The data controller for your personal data for contractual relations and business with us ("Contractual Relations") is CaixaBank Payments & Consumer, E.F.C., E.P., S.A. ("CaixaBank Payments & Consumer" or "Entity"), with tax ID A-08980153 and registered address at Avenida de Manoteras No. 20. Edificio Paris. 28050 Madrid.


Joint data controllers: Furthermore, for certain processing operations, which are detailed in this policy, CaixaBank Payments & Consumer will process your data jointly with other companies, deciding together with them on the purposes ("what the data is used for") and the resources used ("how the data is used"), which makes them joint data controllers.


The purposes for which CaixaBank Payments & Consumer will jointly process your data with other companies are described in detail in heading 6 "Types of data processing".

In addition, you will find the list of companies that process your data, as well as the essential aspects of the joint data controller agreements at www.caixabank.es/empresasgrupo.


EXERCISING RIGHTS AND FILING COMPLAINTS THROUGH THE SPANISH DATA PROTECTION AGENCY (AEPD)

You can exercise your rights to access, rectify, object to processing, delete, restrict processing, transfer your personal data, withdraw consent and not be subject to automated decision-making in accordance with law.

You can exercise these rights through any of the following channels:

> at CaixaBank, S.A. branches open to the public;

> by using the options provided in your private space on the website www.caixabankpc.com and in our mobile applications;

> at the website: www.caixabankpc.com/ejerciciodederechos; and

> by sending a letter to Apartado de Correos nº 209, Valencia 46080.

Additionally, if you have any complaints related to the processing of your data, you may address them to the Spanish Data Protection Agency (www.aepd.es).


DATA PROTECTION OFFICER

CaixaBank Payments & Consumer and the CaixaBank Group companies have appointed a Data Protection Officer, who will deal with any matters related to the processing of your personal data and the exercise of your rights.

You can contact the Data Protection Officer to send your suggestions, queries, questions or claims at this address: https://www.caixabank.es/particular/general/dpo_es.html


DATA PROCESSED

The following data will be used in the processing operations outlined in this Policy.

Not all the data we inform you about is used for all data processing. You can consult the specific type of data processed for each processing operation in section 6, detailing the data processing operations that we perform.

Regarding processing operations subject to your consent, we will also inform you of the details of the specific data used.

The types and details of the data used in the different processing operations described in section 6 are as follows:


Data you provided when registering for a service or during your relationship with us, through interviews or forms.

The data types and details are as follows:

  • Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality, date of birth, language choice, identification document, image and voice.
  • Details of your professional or work activity and socio-economic information: details related to your job, income or remuneration, household, level of education, assets, tax and fiscal data.
  • Biometric data: when authorised by you, the facial pattern and signature stroke.
  • Data on legal capacity: details of a person's power to act, established in a court judgment.
  • Details on special communication needs: data provided by disabled persons to allow accessibility to dialogue and operational management.
  • Sensitive data related to situations of vulnerability: data related to personal situations of vulnerability that may be required to implement special measures to manage the contracts requested by customers.

Data observed during the contracting and maintenance of marketed products and services (own or third-party).

The data types and details are as follows:

  • Contract data: contracted or requested products and services, account holder status, authorised or representative of the product and service contracted, categorisation according to regulations regarding securities markets and financial instruments (MiFID category), information on investments made and their evolution and information and transactions related to your financing operations.
  • Basic financial data: current and historical balances of products and services and payment history of contracted products and services.
  • Third-party data from statements and receipts of instant accounts and payment accounts: information on entries and transactions that third-party issuers make to your accounts, including transaction type, issuer, amount, and the concept as it appears on receipts and statements for debit, credit and prepaid card transactions.
  • Details of whether or not you are a CaixaBank shareholder: if you have CaixaBank shares or not.
  • Data on communications maintained with you: data obtained in chats, walls, video conferences, telephone calls or any other equivalent means of communication.
  • Own browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing on our websites or mobile applications and the browsing you perform on them: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address and version installed on the app.
  • Geographic data: details of the location of the businesses where you make card transactions and the geolocation data of your mobile device provided by the installation and/or use of our mobile applications, when authorised by you in the settings for the apps.

Data inferred or deduced by analysing and processing other data.

The data types and details are as follows:

  • Data obtained from other processing activities provided for in this policy: data obtained from the processing activities provided for in this policy, which will be detailed in the corresponding information on the applicable processing operations. 
  • Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to customer data to combat fraud, detect your consumer habits, product preferences and tendencies, classify customers (see Section 6.4 Letter A https://www.caixabank.es/particular/general/politica-privacidad.html), comply with our regulatory obligations, and manage the processing of your products and/or services (processing defined in Section 6.4.E).

Data obtained from public access sources, public records or external sources.

The data types and details are as follows:

  • Data on credit information systems: obtained by consulting the Asnef and Badexcug credit rating services, which provide information on debts, financial solvency and credit (debtor, creditor and debt).
  • Details of the Equifax RISK SCORE: In financing or instalment operations, we will use the result provided by this system to forecast the probability of default at 12 months, which is calculated by Equifax by applying statistical and mathematical models to your data (DNI/NIE, postcode of residence and data in credit information systems).
  • CIRBE data: we will check if you have risk (financing) with other banks. We will obtain this information from the Bank of Spain Credit Reporting Agency (CIRBE).
  • Data from the General Treasury of the National Social Security Institute: The payer's identification and contact details, professional or employment activity details (CNAE [National Classification of Economic Activities], self-employed worker and/or employee, employee contribution group).
  • Data on international sanctions: data on people or entities included in laws, regulations, guidelines, resolutions, programmes or restrictive measures regarding international economic and financial sanctions, imposed by the United Nations, European Union, Spain, the Office of Financial Sanctions Implementation (OFSI) of His Majesty's Treasury (HMT) of the United Kingdom and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
  • Demographic and socio-economic data: these are data not relating to specific people but geographical areas, age sectors or professional activity sectors, which we will use to put into context with customer information.
  • Details of properties and vehicles associated with you: these are data obtained from the land registry and basic data on vehicles obtained from the Spanish Traffic Directorate, which we will use to add to the information on your properties and vehicle.
  • Details of directors, functional officers and corporate relationships: these are data taken from the INFORMA databases that we will use to add to the information on your activities.
  • Details of agricultural subsidies and insurance: these are data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Institution (ENESA).
  • Data from third-party companies where you have given your consent to share them with us: your data processed by other companies with which we have agreements, and which you have authorised to share your information with us.
  • Information obtained from public access sources and public records: data provided by public access sources and public records to compare the information you provide to enter into, maintain and fulfil the Contractual Relationships, information from the Equifax Bankruptcy file and additional contact data obtained from telephone directories (White Pages, Yellow Pages, Lleida.net) and the INFORMA database, to contact our customers in the event of non-compliance with contractual obligations.

These databases have been authorised in advance to contain this information.

  • Browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing on third-party websites or mobile applications and the browsing you perform on them: browsing history (pages visited and clicks on content), device ID, advertising ID and IP address.
  • Social media or internet details: social media or internet data that you authorise us to view.

Types of data processing  

We process your data for various purposes and legal reasons:

  • Processing based on your consent
  • Processing required for the Contractual Relationships
  • Processing required to comply with regulatory obligations
  • Processing based on legitimate interest of CaixaBank Payments & Consumer

In addition to the general processing detailed below, we may carry out specific processing operations not mentioned in this policy in response to your requests for products or services. Detailed information on these processing operations will be provided to you at the time of processing the specific request.


PROCESSING BASED ON YOUR CONSENT

The legal basis for this processing is your consent, as laid out in Article 6.1.a) of the General Data Protection Regulation (GDPR).

We may have requested this consent through different channels during your customer registration interview, through your adviser (remotely or in person), through digital channels or mobile applications, through any company with which we maintain a collaboration agreement ("Advisors"), through any channel of Bankia, S.A. prior to its merger with CaixaBank, or any CaixaBank Group company that is a joint data controller of the specific processing operation.

 

If, for any reason, we have never asked you for your consent, this processing will not apply to you.

You can view the consent you have given or denied and change your decision at any time and for free at CaixaBank branches, on the CaixaBank Payments & Consumer website (www.caixabank.es) and on the websites of each of the companies jointly responsible for the specific processing, or through your online account or the CaixaBank Payments & Consumer mobile apps.

Processing based on your consent is indicated below from (A) to (E). For each item, we will provide: a description of the purpose (Purpose), the details of the processed data (types of data processed), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

In the event that you gave Bankia your consent to process your data for commercial purposes, and not CaixaBank, prior to their merger, CaixaBank will carry out processing operations A, B and C, as indicated below, in accordance with the preferences you indicated to Bankia at that time.

Specifically, the processing described in items A and B below will only be carried out by CaixaBank Group companies as joint controllers when you have consented to the communication of data between Bankia group companies (now CaixaBank).

A. Personalisation of products and services offered based on the analysis of your data

Purpose: If we have your consent, we will use the data indicated below to create a commercial profile for you, which will allow us to define your preferences or needs and offer you, through your adviser (in-person or virtual), products and services marketed by companies acting as joint data controllers that we believe may interest you according to those preferences and needs.

By processing your data, we can make customised offers that may be of more interest to you than generic offers.

In addition, if you authorise us to "Inform you of the products and services available through channels" (Section 6.1.B), we will offer you products and services from joint data processors that we believe may interest you based on the preferences and needs we deduce for you, through any other channel that you authorise us to

 

Data processed: We will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the processing of genetic data, biometric data intended to uniquely identify you, health data or data relating to your sex life or orientation.

For this purpose, we will process the following data:

  • Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
  • Details of your professional or work activity and socio-economic information: details related to your job, income or remuneration, household, level of education, assets, tax and fiscal data.
  • Contract data: contracted or requested products and services (own or third-party), account holder status, authorised or representative of the product and service contracted, categorisation according to regulations regarding securities markets and financial instruments (MiFID category), information on investments made and their evolution and information and transactions related to your financing operations.
  • Basic financial data: current and historical balances of products and services and payment history of contracted products and services (own or third party).
  • Third-party data from statements and receipts of instant accounts and payment accounts: information on entries and transactions that third-party issuers make to your accounts, including transaction type, issuer, amount, and the concept as it appears on receipts and statements for debit, credit and prepaid card transactions.
  • Details of whether or not you are a CaixaBank shareholder: if you have CaixaBank shares or not.
  • Data on communications maintained with you: data obtained in chats, walls, video conferences, telephone calls or any other equivalent means of communication.
  • Own browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing on our websites or mobile applications and the browsing you perform on them: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address and version installed on the app.
  • Geographic data: details of the location of the businesses where you make card transactions and the geolocation data of your mobile device provided by the installation and/or use of our mobile applications, when authorised by you in the settings for the apps.
  • Data obtained from other processing activities provided for in this policy:
    - Risk assessment data or scoring: in financing or payment for instalments, we will forecast your capacity to pay or not pay or the risk limits, applying statistical and mathematical models using your data (processing defined in section 6.2.B).
    - Customer classification data (processing defined in section 6.4.A on https://www.caixabank.es/particular/general/politica-privacidad.html).
  • Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to customer data to deduce their consumption habits, product preferences or tendencies or to classify customers.
  • Demographic and socio-economic data: these are data not relating to specific people but geographical areas, age sectors or professional activity sectors, which we will use to put into context with customer information.
  • Details of properties and vehicles associated with you: these are data obtained from the land registry and basic data on vehicles obtained from the Spanish Traffic Directorate, which we will use to add to the information on your properties and vehicle.
  • Details of directors, functional officers and corporate relationships: these are data taken from the INFORMA databases that we will use to add to the information on your activities.
  • Details of agricultural subsidies and insurance: these are data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Institution (ENESA).
  • Data from third-party companies where you have given your consent to share them with us: your data processed by other companies with which we have agreements, and which you have authorised to share your information with us.
  • Browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing on third-party websites or mobile applications and the browsing you perform on them: browsing history (pages visited and clicks on content), device ID, advertising ID and IP address.
  • Data from social media or the internet: social media or internet data that you authorise us to view.

Use of profiling: For this processing, we will create a business profile that we will use exclusively to customise the products and services we offer you:

  • Purpose of the profile: The purpose of the profile is to identify the products and services we think may interest you, based on the information we have about you, to offer you specific rather than generic commercial offers.
  • Consequences: If you authorise the processing, we will use commercial profiles to decide which products or services to offer you. If you do not give your authorisation, we will not use your information to customise our commercial offer.

We do not use this profiling, under any circumstances, to refuse any product or service, or to set credit limits. Refusal to accept this processing will not prevent, limit or condition your access to our full catalogue of products and services, which is always available to you.

If you apply for any product or service, your application will be assessed in accordance with our regular procedures. The acceptance or non-acceptance of the analysis of your data for the purpose of customising the products or services offered will not affect this assessment.

Your non-acceptance of this processing will not prevent us from contacting you to manage the products and services you have with us.

  • Logic: The profile of a customer is calculated based on the data indicated in the "data processed" section.

These data are fed into mathematical formulae derived from past behaviour observed in customers with similar characteristics, in order to infer the customer's future behaviour. These mathematical formulae allow us to determine the importance of all the data processed in the final result of the applicant's profile.

This final result is the probability that the customer will be interested in a product or service.

Other relevant information: The following section includes other relevant data processing information:

  • Pre-check of your payment capacity: When the offers we wish to propose to you consist of products or services that involve payment in instalments or financing, we will first check your payment capacity.

We will carry out this check by means of the processing outlined in section 6.2.B of this Privacy Policy, with the aim of offering you a credit limit and repayment term suited to our knowledge of your financial situation, in accordance with the principle of responsibility regarding the offer of financing products required by the Bank of Spain, under regulations on the oversight and solvency of credit institutions and responsible lending.

Not accepting this processing does not prevent, limit or condition your access to our catalogue of financing products and services. If you request them, we will evaluate them with you in accordance with our standard procedures.

  • Duration of data processing: We will only process your data if you have given us your consent, which will remain in force until you withdraw it. If you cancel all your products or services but forget to revoke your consent, we will do so automatically.

Joint data controllers: The following CaixaBank Group companies will process your data jointly.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Wivai Select Place, S.A.U.
  • ImaginersGen, S.A.
  • VidaCaixa, S.A.U. de Seguros y Reaseguros

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo. 

B. Notification of products and services through channels

Purpose: If we have your consent, we will make our range of products and services available to you only via the following channels authorised by you: mobile applications, digital environments and electronic channels, letter or telephone.

The data we will use to communicate through the channels that you authorise will vary depending on whether you have authorised us to customise our product offerings by analysing your data:

  • If we do not have your consent to customise our commercial offer (Processing A), we will only use your identifying and contact details to send you generic offers.
  • If you have given us your consent to personalise our commercial offer to you (processing A above), we will also use your commercial profile information as detailed in processing 6.1.A, to inform you of personalised offers.

Data processed: We will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the processing of genetic data, biometric data intended to uniquely identify you, health data or data relating to your sex life or orientation.

For this purpose, we will process the following data:

  • Identifying and contact details: name and surname, sex, postal, telephone and e-mail contact information, address of residence, language of communication.
  • Data obtained from other processing activities provided for in this policy:

    - Data relating to the personalisation of products and services offered according to analysis of your data: if you have given us your consent to personalise our commercial offer to you (processing A above), we will also use your commercial profile information as detailed in processing 6.1.A of our Privacy Policy to inform you of personalised offers.

Other relevant information: The following section includes other relevant data processing information:

  • Duration of data processing: We will only process your data if you have given us your consent, which will remain in force until you withdraw it. If you cancel all your products or services but forget to revoke your consent, we will do so automatically.

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Wivai Select Place, S.A.U.
  • ImaginersGen, S.A.
  • VidaCaixa, S.A.U. de Seguros y Reaseguros

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.

C. Disclosure of data to other companies so they can send you advertising.

Purpose: If we have your consent, we will transfer the data indicated below to companies with which we have agreements so that they may send you offers of their products and services.

If you do not consent to this processing, we will not transfer your data; if you do consent, the data we transfer to other companies will vary depending on whether you have authorised us to customise our product offerings by analysing your data:

  • If we do not have your consent to customise our commercial offer (Processing A), we will only provide these companies with your identifying and contact details.
  • If you have given us your consent to personalise our commercial offer (Processing A), we will also inform these companies of your commercial profile, including information on your preferences and needs, as well as inferred information about your probability of payment or non-payment, or risk limits.

These third-party companies to which we may transfer your data undertake the following activities:

  • banking
  • investment services
  • insurance and reinsurance
  • venture capital
  • property
  • highways
  • sale and distribution of goods and services
  • consultancy services
  • leisure
  • charity-social action

Data processed: We will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the processing of genetic data, biometric data intended to uniquely identify you, health data or data relating to your sex life or orientation.

For this purpose, we will process the following data:

  • Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
  • Data obtained from other processing activities provided for in this policy:

    - Data relating to the personalisation of products and services offered according to analysis of your data: if you have given us your consent to personalise our commercial offer to you (processing A above), we will also use your commercial profile information as detailed in processing 6.1.A of the Privacy Policy, so that we can send you personalised offers.

Other relevant information: The following section includes other relevant data processing information:

  • Data transfer information: If we reach an agreement with a third company to transfer your data, the recipient company would inform you of this, as well as of the details of the processing they intend to carry out.
  • Duration of data processing: We will only process your data if you have given us your consent, which will remain in force until you withdraw it. If you cancel all your products or services but forget to revoke your consent, we will do so automatically.

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Wivai Select Place, S.A.U.
  • ImaginersGen, S.A.
  • VidaCaixa, S.A.U. de Seguros y Reaseguros

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.

D. Identification of customers and signing documents using biometrics

Purpose: With your consent, we will employ technical tools using biometrics to confirm your identity and sign transactions or contracts with CaixaBank Payments & Consumer.

Data processed: For this purpose, we will process the following data:

  • Identifying and contact details: full name, sex and identification document.
  • Biometric data: facial pattern or fingerprint.

Other relevant information: The following section includes other relevant data processing information:

  • Recording your biometrics is totally voluntary: We will only process your data in this way if you have given us your express consent to do so. Your consent will remain valid until you revoke it. If you do not consent to this processing, this will not restrict your access to any product or service offered by CaixaBank Payments & Consumer. In this case, we will verify your identity and signature using means that do not rely on biometrics.
  • Duration of data processing: We will only process this data if you have given us your consent during the registration process in order to confirm your identity, and we will then block the information for the period required by the regulations for the sole purpose of complying with legal obligations or to draw up, exercise or defend complaints or claims. 

Data Controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

PROCESSING REQUIRED FOR CONTRACTUAL RELATIONSHIPS

The legal basis of this data processing is that it is necessary to manage contracts that you request or to which you are a party, or to apply precontractual measures if you request them, as established in art. 6.1.b) of the General Data Protection Regulation (GDPR).

Therefore, this processing is necessary for you to establish and maintain Contractual Relations with us. If you object to it, we will end these relations, or we cannot establish them if they have not yet started.

The types of processing required to establish contractual relations are listed below, arranged from (A) to (B). For each item, we will provide: a description of the purpose (Purpose), the type of data processed (Type of data processed), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

A. Signing, maintenance and performance of Contractual Relations

Purpose: The purpose of this data processing is to formalise and maintain the Contractual Relationships established between you and us, including the processing of your requests or orders, the steps prior to entering into a contract (pre-contractual relationships), processed with us directly or through one of our intermediaries (such as our agent CaixaBank, S. A. or any of our advisors, who have commercial establishments of which you may be a customer), and the implementation of measures to ensure compliance with the contracts you sign with us and, where appropriate, the management of debt recovery.

This data processing involves collecting the information necessary to establish or to manage the application, to evaluate the suitability of the product and to process the information needed to properly maintain and execute the contracts.

The processing activities involved in signing, maintaining and performing the Contractual Relations are:

  • Collection and registration of the data and documents needed to apply for the products requested
  • Formalising the signing of the contracts for the products and services.
  • Managing the products and services you have taken out with us, including responding to your questions regarding operations, handling any associated incidents and the annotation and verification of accounting entries for receiving and making product payments and sending operational communications, as well as any other processes that are necessary in order to satisfy the commitments made to take out specific products or services, such as loyalty programmes, discounts on fees or interest, and specific offers.
  • Adapting measures to resolve any defaults that may arise, including early debt collection management, communication, where applicable, to external agencies for collection actions, communication, where applicable, of data to credit information systems, filing, where applicable, and monitoring of lawsuits, identification and monitoring of situations of insolvency proceedings, and the review or valuation of portfolio sales.

Type of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Details of your professional or work activity and socio-economic information
  • Sensitive data related to situations of vulnerability
  • Biometric data
  • Legal capacity data
  • Details on special communication needs
  • Contract details
  • Basic financial data
  • Third-party data from statements and receipts of instant accounts and payment accounts
  • Data on communications maintained with you
  • Data obtained from the execution of statistical models
  • Data obtained from other processing activities provided for in this policy
  • Risk assessment or scoring data (processing defined in heading 6.2.B) 
  • Data obtained from the execution of statistical models
  • Data on credit information systems
  • Details of Equifax Risk Score
  • CIRBE details
  • Data from the General Treasury of the National Social Security Institute
  • Data relating to international sanctions
  • Information obtained from public access sources and public records

Other relevant information: The following section includes other relevant data processing information:

  • Automated decisions: When you request a product or service, we will use mechanisms to verify its suitability for your needs, interests and objectives based on objective criteria (e.g., employment status or tax residence).

The establishment of these objective criteria derives from regulatory obligations regarding the governance of financial products and instruments and is included in the bank's internal product design policies.

If the product is deemed to be unsuitable, the applicant may not contract it, and the application will be automatically rejected as the applicant's objective criteria are incompatible with those of the specific requested product or service.

You may challenge the automated decision or exercise your right not to be subject to a decision based solely on automated processing by contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy.

  • Disclosure to credit information systems: This processing may involve disclosing your debt or non-payment details to credit information systems based on our legitimate interest, as described in section 6.4.D.
  • Obtaining contact information: This processing may involve the collection of additional contact details from you by external debt recovery agencies, which will be carried out based on our legitimate interest, as detailed in section 6.4.E.
  • Application or monitoring of commitments, discounts or preferential conditions: If you take out a product or service that requires compliance with certain requirements, we inform you that we will process the data necessary to verify your continued compliance with them. We also inform you that if there are joint holders, the other joint holders with whom you share accounts could indirectly become aware of the information on your compliance with said requirements.

For example, if you take out a product or service that gives you the right to receive discounts because you belong to a specific professional group, such as healthcare or law enforcement, we will verify during our contractual relationship that you still belong to said group. In addition, if you share a product or service with other account holders, they may realise that you satisfy this characteristic when they see these discounts applied to the account.

 

Data Controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

Furthermore, if the product or service you apply for is marketed by CaixaBank Payments & Consumer but issued by another company, said other company will be responsible for processing your data in relation to that contract.

This means that if you take out through CaixaBank Payments & Consumer, as the associated banking-insurance operator, an insurance plan issued by VidaCaixa or SegurCaixa, these companies will be the controllers of your data as the issuers of the products.

We will inform you about this in detail in the contractual documentation for each product or service.

B. Analysis of creditworthiness and repayment capacity for the granting and monitoring of credit risk.

Purpose: The purpose of this data processing is to assess whether applicants and/or holders for products or services that involve the repayment of loans or credits, or deferred instalments, have the solvency and repayment capacity needed to make the payments required as part of the operations in question.

Detailed information on the solvency and repayment capacity analysis process that will be carried out when you apply for or have already been granted transactions involving the repayment of loans or credits, or the deferred payment of instalments, will be provided in the transaction request you will be required to sign when you apply for these products.

The processing activities carried out to analyse the solvency or repayment capacity of applicants and/or holders of products involving financing are:

  • Analysis of the repayment capacity of applicants at the time of granting new credit operations.
  • Analysis of the solvency of the holders of products involving financing throughout the life of the credit operations maintained with us to manage internal risks and prevent payment defaults.

Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Details of your professional or work activity and socio-economic information
  • Contract details
  • Basic financial data
  • Third-party data from statements and receipts of instant accounts and payment accounts
  • Data obtained from the execution of statistical models
  • Data on credit information systems
  • Details of Equifax Risk Score
  • CIRBE details
  • Demographic and socio-economic data
  • Details of properties and vehicles associated with you
  • Information obtained from public access sources and public records

Use of profiling: For this processing, we will create a risk profile that will be used exclusively to analyse the solvency and repayment capacity of applicants and/or holders of products involving financing.

  • Purpose: The purpose of the profile is to determine the probability of default when granting transactions, assess the need to adjust the risk of current transactions and calculate the provisions and capital requirements applicable to CaixaBank Payments & Consumer.
  • Consequences: risk profiles are tools used to support decisions on whether to grant risk transactions or adjust the limits of existing transactions.

Transactions requested through electronic channels may involve automated decisions on whether to grant the transaction, as detailed in the section "Other relevant information".

  • Logic: The applicant's profile will use the information indicated in the "Type of data processed" section above.

This basic information is used to assign a specific value to each piece of data on the applicant, the sum of which produces a score indicating the probability of default or non-compliance with monetary obligations.

The importance of each variable and its influence on the final result is calculated in advance using mathematical models and is included in the institution's internal risk policies.

Other relevant information: The following section includes other relevant data processing information:

  • Automated decisions: We will use automated processes to analyse solvency and repayment capacity for applications submitted through electronic channels to check whether the financing is suitable, depending on your characteristics and the information you have provided.

If the requested financing is deemed unsuitable for your repayment capacity according to the profile calculations employed, you will not be able to contract the product, and your application will be rejected automatically in this channel.

You may resubmit an application for the transaction at one of our branches, where the analysis does not include automated decisions, challenge the automated decision or exercise your right not to be subject to a decision based solely on automated processing by contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy.

  • Regulatory obligations: In addition to these processing operations being required to perform the contractual relationship between you and us, this processing is carried out in accordance with the provisions of Law 44/2002, on Financial System Reform Measures, Law 10/2014, of 26 June, on the regulation, supervision and solvency of credit institutions, and other obligations and standards set out in regulations on responsible lending, to which we adhere as a credit institution.
  • Credit information system enquiries: The credit information systems enquiries required for solvency analysis will be carried out based on our legitimate interest, as detailed in section 6.4.D.
  • CIRBE enquiry and communication: The CIRBE enquiries required for solvency analysis are carried out in accordance with the provisions of Law 44/2002, of 22 November, on Financial System Reform Measures. Furthermore, the data necessary to identify the persons with whom credit risks are maintained will be communicated, based on the same standard.

Joint data controllers: Sector regulations on the prudential and solvency requirements that apply to the financial sector require that a credit operation be granted to customers and monitored jointly by all the companies that comprise the same consolidated group of credit institutions.

The following CaixaBank Group companies will process your data jointly.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Telefónica Consumer Finance, E.F.C., S.A.
  • CaixaBank Equipment Finance, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Hipotecaixa 2, S.L.U.
  • Banco BPI, S.A.
  • Wivai Select Place S.A.U.

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.

PROCESSING REQUIRED TO COMPLY WITH REGULATORY OBLIGATIONS

The legal basis of this processing is the requirement to comply with a legal obligation that is required of us, as laid out in Article 6.1.c) of the General Data Protection Regulation (GDPR).

Therefore, it is necessary for you to establish and maintain Contractual Relations with us. If you do not want us to carry out this processing, we will have to end this relationship, or we will not be able to establish the relationship if not already in place.

The types of processing required to satisfy the regulatory requirements are listed below, arranged from (A) to (D). For each item, we will provide: a description of the purpose (Purpose), the type of data processed (Type of data processed), if applicable, information on the use of profiles (Use of profiling), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

A. Processing to comply with anti-money laundering and terrorist financing regulations

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by Law 10/2010, on the Prevention of Money Laundering and Terrorist Financing.

The processing operations that are carried out to comply with anti-money laundering and terrorist financing regulations are:

  • Collecting information and documentation that allows customers to comply with due diligence and knowledge measures;
  • Checking the information that you provide us;
  • Checking if you hold or have held a position of public trust;
  • Categorising your risk level, based on which the various due diligence measures will be applied in accordance with Prevention of Money Laundering and Financing of Terrorism regulations;
  • Analysing the transactions executed through CaixaBank Payments & Consumer, in accordance with legal obligations;
  • Checking your relationship with companies and, if necessary, your controlling position within their ownership structure, and;
  • Reporting and updating your information monthly in the Financial Ownership Database, managed by the Executive Service of the Commission to Prevent Money Laundering and Financial Crimes (SEPBLAC).

Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Details of your professional or work activity and socio-economic information
  • Contract details
  • Basic financial data
  • Third-party data from statements and receipts of instant accounts and payment accounts
  • Data on communications maintained with you
  • Data obtained from other processing activities provided for in this policy:
  • Risk assessment or scoring data (processing defined in heading 6.2.B).
  • Data obtained from the execution of statistical models
  • Details of directors, functional officers and corporate relationships
  • Data from the General Treasury of the National Social Security Institute
  • Information obtained from public access sources and public records

Use of profiling: This processing involves creating a profile that we use exclusively for adopting the necessary measures in accordance with the provisions of Law 10/2010 on the Prevention of Money Laundering and the Financing of Terrorism.

  • Purpose: The purpose of the profile is to prevent the contracting of operations susceptible to money laundering or the financing of terrorism.
  • Consequences: Profiles are tools that help money laundering and terrorist financing prevention units determine whether operations are likely to be subject to money laundering or terrorist financing and, therefore, whether to accept or decline them.

Joint data controllers: The following CaixaBank Group companies will process your data jointly.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa SA de Seguros y Reaseguros
  • BPI Vida e Pensões – Companhia de Seguros, S.A.
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Livingcenter Activos Inmobiliarios, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • CaixaBank Wealth Management Luxembourg, S.A.
  • CaixaBank Asset Management Luxembourg, S.A.
  • BPI Gestão de Ativos, SGOIC, S.A.
  • Banco BPI, S.A.
  • Bankia Habitat, S.L.U.
  • Puerto Triana, S.A.U.

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.

B. Processing to comply with tax regulations

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by Law 58/2003, of 17 December, the General Tax Law, Royal Decree 1021/2015, of 13 November, establishing the obligation to identify the tax residence of persons who own or control certain financial accounts and to report on them in the field of mutual assistance, and other current tax regulations.

The processing operations carried out to comply with tax regulations are:

  • Collection of information and documentation regarding your tax situation as required by tax laws, and;
  • Reporting to government agencies details relating to your tax situation when required by law or by the authority.

Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Details of your professional or work activity and socio-economic information
  • Contract details
  • Basic financial data

Data Controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

C. Processing to comply with obligations arising from sanctions policies and international financial countermeasures

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by the international financial sanctions and countermeasures programmes adopted by the European Union and the Kingdom of Spain.

In order to comply with international financial sanctions or countermeasures programmes, we will check if your name is on the lists of people or entities included in laws, regulations, guidelines, resolutions, programmes or restrictive measures regarding international economic and financial sanctions imposed by the United Nations, the European Union and/or the Kingdom of Spain. 

Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Data relating to international sanctions

Other relevant information: The following section includes other relevant data processing information:

  • Sanctions programmes: CaixaBank Payments & Consumer consults programmes of international economic-financial sanctions adopted by the Office of Financial Sanctions Implementation (OFSI) of His Majesty’s Treasury (HMT) of the United Kingdom and/or the US Department of the Treasury's Office of Foreign Assets Control (OFAC) based on our legitimate interest, which is detailed in Section 6.4.G.

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa SA de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Livingcenter Activos Inmobiliarios, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Banco BPI, S.A.
  • CaixaBank Wealth Management Luxembourg, S.A.
  • Bankia Habitat, S.L.U.
  • CaixaBank Equipment Finance, S.A.
  • Puerto Triana, S.A.U.
  • CaixaBank Asset Management Luxembourg, S.A.
  • BPI Gestão de Ativos, SGOIC, S.A.
  • BPI Vida e Pensões – Companhia de Seguros, S.A.

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.

D. Processing for handling complaints and claims.

Purpose: The purpose of this processing is to handle queries, complaints and claims submitted to CaixaBank Payments & Consumer, in accordance with the regulations applicable to its capacity as a financial institution; specifically, Law 44/2002 of 22 November and Order ECO/73/2004, requiring CaixaBank to have a customer service department in place to respond to complaints and claims submitted by financial users.

Furthermore, Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights requires the data controller (in this case CaixaBank Payments & Consumer) to handle any complaints submitted to its Data Protection Officer and respond to any data protection rights exercised by data subjects.

The following processing operations are carried out to comply with regulations on the processing of complaints and claims:

  • Receiving complaints and claims submitted by financial users through the CaixaBank Payments & Consumer Customer Service Department;
  • Responding to complaints and claims within the established time frame; and 
  • Managing data protection rights and queries submitted to the Data Protection Officer of CaixaBank Payments & Consumer and the necessary activities to collaborate with the Control Authority (Spanish Data Protection Agency)

Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Legal capacity data 
  • Details on special communication needs
  • Sensitive data related to situations of vulnerability
  • Contract details
  • Basic financial data
  • Third-party data from statements and receipts of instant accounts and payment accounts
  • Data on communications maintained with you
  • Own browsing data
  • Data on credit information systems
  • CIRBE details

Data Controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

PROCESSING BASED ON THE LEGITIMATE INTEREST OF CAIXABANK PAYMENTS & CONSUMER

The legal basis of this processing is the legitimate interest pursued by CaixaBank Payments & Consumer or a third party, provided that these interests do not take precedence over your interests, or your fundamental rights and freedoms, as per art. 6.1.f) of the General Data Protection Regulation (GDPR).

This processing will imply that we have considered your rights and our legitimate interest and we have concluded that the latter prevails. Otherwise, we would not process the data. You can ask about the analysis that is done to weigh the legitimate interest of a processing operation at any time by emailing your enquiry to delegado.proteccion.datos@caixabank.com.

We also remind you that you have the right to object to processing based on a legitimate interest. If you believe that CaixaBank and, where applicable, joint data controller companies should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.

This processing is indicated below from (A) to (F). For each item, we will provide: CaixaBank Payments & Consumer's Legitimate Interest (CaixaBank Payments & Consumer's legitimate interest), a description of the purpose (Purpose), the type of data processed (Type of data processed), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

A. Management of the performance of employees, agents and suppliers

Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments & Consumer's legitimate interest in this process is to manage its relations with employees, agents, suppliers and brokers based on their professional performance.

Purpose: The purpose of this processing is to monitor the performance, objectives and professional challenges of employees, agents, suppliers and brokers by analysing the operations and contracts that they maintain with customers.

Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Contract details
  • Basic financial data

Other relevant information: The following section includes other relevant data processing information:

  • Right to object to processing: If you believe that CaixaBank Payments & Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.
  • Ancillary use of your data: These data processing activities deal with customer information, but their information is ancillary to the purpose pursued. This processing has no effect or consequence on the data subject.

Data controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

B. Fraud prevention

Legitimate interest of CaixaBank Payments & Consumer: The legitimate interest of CaixaBank Payments & Consumer and the joint data controller companies listed in this section for carrying out this processing is to prevent fraud that could lead to financial or reputational damage to the institution or its customers.

Purpose: The purpose of this processing is to adopt the necessary measures to prevent malicious transactions or conduct before they occur or to mitigate their impact if they do occur by identifying suspicious transactions or conduct that could involve an attempt to defraud the institution or its customers.

The processing operations carried out to prevent fraud are:

  • Verifying the identity of customers that interact with the bank to prevent fraudulent access to information or operations.
  • Reviewing and analysing the contracts and operations carried out in our systems to protect our customers from fraud through any channel and prevent cyberattacks.
  • Confirming your identity and the validity of the identification documents provided against national and international databases managed by law enforcement and similar agencies, such as INTERPOL (International Criminal Police Organization), to confirm that you are the holder of the identification document you provide us and to protect you from identity theft (when another person pretends to be you).
  • Consulting the information included in the PAYGUARD Fraud Prevention Service to detect fraudulent accounts and report, where appropriate, fraudulent transactions.

Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Details of your professional or work activity and socio-economic information
  • Contract details
  • Basic financial data
  • Third-party data from statements and receipts of instant accounts and payment accounts
  • Data on communications maintained with you
  • Own browsing data
  • Geographical details
  • Data obtained from other processing activities provided for in this policy:
  • Risk assessment or scoring data (processing defined in heading 6.2.B)
  • Data obtained from the execution of statistical models

Use of profiling: This processing involves creating a profile of your usual operations and activities, which we use exclusively to detect irregular situations that may indicate an attempt to commit fraud.

  • Purpose: The purpose of the profile is to identify operations or interactions that are unusual or not in line with your behaviour profile that could be an attempt to commit fraud or gain fraudulent access to information.
  • Consequences: Profiles are tools that help to identify fraudulent transactions. The use of these profiles requires the implementation of measures, including reviewing transactions in detail, blocking transactions and rejecting their automatic execution.

Other relevant information: The following section includes other relevant data processing information:

  • Automated decisions: For the purpose of fraud prevention, we will use automated processing to try to detect fraudulent transactions.

In the case of transactions that cannot be reversed once executed, such as immediate payments or transfers, the automated processes will block any suspicious transactions and prevent them from being executed.

You may request the transaction again, challenge the automated decision or exercise your right not to be subject to a decision based solely on automated processing by contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy.

  • Right to object to processing: If you believe that CaixaBank Payments & Consumer and, where applicable, joint data controller companies should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.
  • PAYGUARD Fraud Prevention Service: CaixaBank is a member of the PAYGUARD Fraud Prevention Service, which covers the country's leading financial institutions and is managed by Sociedad Española de Sistemas de Pago, S.A. (Spanish Payment Systems Company) (Iberpay).

This service aims to minimise the levels of fraud related to movements between accounts by detecting, investigating, monitoring and reporting, where applicable, suspicious and fraudulent transactions involving customers' current or savings accounts. The legal basis for the processing is the legitimate interest in preventing the type of fraudulent activity that could affect these transactions.

CaixaBank may include in the PAYGUARD Fraud Prevention Service data related to the IBAN number and identifying details of the holder of the account where the suspicious or fraudulent transaction has been detected. You can consult the updated list of participating companies at:
https://www.iberpay.es/es/servicios/servicios/prevenci%C3%B3n-del-fraude/ 

The data will be stored for a maximum of thirty days for suspicious transactions, and one year for confirmed fraudulent transactions.

The institutions participating in the PAYGUARD Fraud Prevention Service are the joint controllers of your data. You can request the main aspects of the joint data controller agreement at www.caixabank.com/delegadoprotecciondedatos and also exercise your rights regarding the processing of your data through any of the channels indicated in section 4, "Exercising rights and filing complaints through the Spanish Data Protection Agency (AEPD)".

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • Nuevo Micro Bank, S.A.U.
  • Global Payments Moneytopay, EDE, S.L.

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.

C. Consultation and communication with credit reporting systems as part of the application for and subsequent management of products that involve financing.

Legitimate interest of CaixaBank Payments & Consumer: The legitimate interest of CaixaBank Payments & Consumer to carry out this processing is to avoid non-payment and defaults by applicants or account holders of those products that involve financing.

Purpose: The purpose of this processing is to assess the solvency and repayment capacity to (i) ensure adequate compliance by the interested parties with their payment obligations resulting from the transactions granted, (ii) monitor and manage the transactions granted, and (iii) prevent and manage defaults and non-performing loans.

The processing operations carried out when checking solvency records are:

  • Checking your information: The databases of the following solvency and credit files shall be consulted prior to approving the transactions involving financing or in order to monitor and manage the risk of the credit granted: (i) Asnef database; (ii) Badexcug database, and:
  • Communicate your personal details: If you stop making payments in relation to any of the monetary obligations you have undertaken with us pursuant to our Contractual Relations, we may disclose your payment default details to the following credit information systems subject to the conditions and requirements outlined by law:

Types of data processed: The types of data we will process for this purpose are:

  • Identification and contact details
  • Contract details
  • Basic financial data
  • Data on credit information systems

Other relevant information: The following section includes other relevant data processing information:

  • Right to object to processing: If you believe that CaixaBank Payments & Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.

Data Controller: CaixaBank Payments & Consumer is responsible for the part of the processing related to consulting credit information systems. CaixaBank Payments & Consumer and the Asnef and Badexcug databases are jointly responsible for the part of the processing related to communication to credit information systems. The contact details for the credit reporting agencies are provided below:

  • Asnef database: Asnef Equifax Servicios de Información sobre Solvencia y Crédito. Apartado de correos 10546, 28080 Madrid (sac@equifax.es)
  • Badexcug database: Apartado de correos 1188, 28108 Alcobendas (badexcug@experian.com)

D. Collection of additional contact details for default management

Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments & Consumer's legitimate interest is to collect the debt in non-payment situations, which requires having up-to-date contact details on its customers.

Purpose: The purpose of this processing is to obtain additional customer contact information to contact them in the event they breach their contractual obligations.

Additional contact details are obtained from public lists (white pages, yellow pages and Lleida.net) and private lists (Equifax or Detectives) through debt collection agencies, ensuring that the data collected complies with the quality principle and is obtained legally.

Types of data processed: The types of data we will process for this purpose are:

  • Identification and contact details
  • Information obtained from public access sources and public records

Other relevant information: The following section includes other relevant data processing information:

  • Right to object to processing: If you believe that CaixaBank Payments & Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.

Data Controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

E. Preparation of management reports and mathematical models

Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments & Consumer's legitimate interest in carrying out this process is to design, organise and optimise its corporate and commercial activity as efficiently as possible, which requires having reports on the management and activity of the company and the market, as well as advanced information analysis mathematical algorithms.

Purpose: The purpose of this processing is to prepare reports on the company's activity and its relationship with the market, on the composition and evolution of its customer base and on the convenience and effectiveness of its products and services. These reports are used to manage said products/services and to create and maintain statistical and mathematical models that allow for the processing detailed in this policy to be carried out and that require advanced calculations and analysis of the information.

Types of data processed: The data we will process for this purpose is that which has been identified previously for each processing type. We will apply, whenever possible, anonymisation or pseudonymisation techniques to ensure that this processing does not have an impact on the rights of the data subjects, and that the result of the processing is reports with statistical or aggregated information, or mathematical or algorithmic formulas.

Other relevant information: The following section includes other relevant data processing information:

  • Right to object to processing: If you believe that CaixaBank Payments & Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.
  • Ancillary data processing: The processing of data to create statistical reports and mathematical models is not intended to process individual customer data.

This data processing is necessary, but accessory, to the main purpose of preparing management reports, or algorithmic or mathematical formulas, and is thus carried out using, whenever possible, anonymising techniques or, failing that, pseudonymisation and minimising the information processed.

This processing has no effects or consequences on the individual data subject.

Data Controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

F. Sending of commercial communications based on a basic commercial profile 

Who does this processing apply to? We will only process your data in this way if: 

  • you have not indicated your preferences for the commercial processing described in sections 6.1.A., 6.1.B. and 6.1.C of this Policy
  • we have sent you a personalised communication informing you of this; and
  • you have not exercised your right to objection. 

Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments & Consumer's legitimate interest in processing this data is to promote the marketing of the products and services in its portfolio and to ensure customer loyalty. 

Purpose: The purpose of this processing is to send commercial communications on products and services similar to those you have with CaixaBank Payments & Consumer, based on a basic commercial profile that we will create using your data.

Types of data processed: The types of data we will process for this purpose are:

  • Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
  • Details of your professional or work activity and socio-economic information: professional or employment activity, income or salary.
  • Contract data: contracted or requested products and services, account holder status, authorised or representative of the product and service contracted and information and transactions related to your financing operations.
  • Basic financial data: current and historical balances of products and services and payment history of contracted products and services.
  • Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to client data, which helps us combat fraud, detect your consumer habits, preferences or product tendencies for regulatory compliance, and manage your products and services.
  • Data obtained from other processing activities provided for in this policy:
      • Risk assessment data or scoring: in financing or payment for instalments, we will forecast your capacity to pay or not pay or the risk limits, applying statistical and mathematical models using your data (processing defined in section 6.2.B)
  • Demographic and socio-economic data: these are data not relating to specific people but geographical areas, age sectors or professional activity sectors, which we will use to put into context with customer information.

Use of profiling: For this processing, we will only prepare a basic commercial profile using the data specified previously:

  • Purpose of the profile: the purpose of the profile is to identify the products and services we think may interest you in order to offer you specific rather than generic commercial offers.
  • Consequences: the consequence of using the basic commercial profile is the sending of customised offers on products and services marketed by CaixaBank Payments & Consumer based on the data we have specified. We do not use this profiling, under any circumstances, to refuse any product or service or to set credit limits. 

Your refusal to accept this processing will not prevent, limit or condition your access to our full catalogue of products and services, which is always available to you.

If you apply for any product or service, your application will be assessed in accordance with our regular procedures. Your objection to this processing will not affect this assessment.

Failure to accept this processing will not prevent us from contacting you to manage the products and services you have with us.

  • Logic: This basic commercial profile is calculated based on the data indicated in the "processed data" section, with a time period spanning thirteen months.

This data is processed using mathematical formulas obtained from past behaviours observed in customers of similar characteristics so as to infer the customer's propensity to consume. These mathematical formulas allow us to determine the importance of all the data processed in the final result of the customer's profile.

This final result is the probability that the customer will be interested in a product or service.

Other relevant information: The following section includes other relevant data processing information:

  • Right to object to processing: Please note that you have the right to object to processing based on a legitimate interest. 

You can do it simply and free of charge at the following link https://www.caixabank.es/apl/particulares/gdpr/index_es.html?empresa=6&derecho=oposicioncomunicaciones

You can also use the normal channels described in section 4. 

If you decide to exercise your right of objection, we inform you that we will stop processing the data without requiring you to provide a reason for us to stop processing your data.

  • Pre-check of your payment capacity: When the offers we wish to propose to you consist of products or services that involve payment in instalments or financing, we will first check your payment capacity.

We will carry out this check by means of the processing outlined in section 6.2.B of this Privacy Policy, with the aim of offering you a credit limit and repayment term suited to our knowledge of your financial situation, in accordance with the principle of responsibility regarding the offer of financing products required by the Bank of Spain, under regulations on the oversight and solvency of credit institutions and responsible lending.

  • Duration of data processing: This processing will come into effect on 10 October 2022. In any case, you will receive a personalised informative message beforehand.

We will stop processing this data, with no other additional requirements, in either of these two circumstances: 

  • When we contact you to request your consent to the commercial processing carried out by the CaixaBank Group companies described in section 6.1 (A, B and C), whether you authorise or reject them.
  • If you exercise your right of objection.

 

Data Controller: The data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

G. OFSI and OFAC international financial sanctions policies and countermeasures.

Legitimate interest of CaixaBank Payments & Consumer: The legitimate interest of CaixaBank Payments & Consumer and the joint data controller companies listed in this section for carrying out this processing is to comply with international financial sanctions and countermeasures programmes of the United States and the United Kingdom, with a view to carrying out their business activities in those countries.  

Purpose: The purpose of this processing is to adopt the measures envisaged in the international financial sanctions and countermeasures programmes adopted by the Office of Financial Sanctions Implementation (OFSI) of His Majesty’s Treasury (HMT) of the United Kingdom and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).

In order to comply with these international financial sanctions and countermeasures programmes, we will check whether you are included on lists of persons or entities subject to the restrictive measures of these two bodies.

Types of data processed: The types of data we will process for this purpose (the content of which is detailed in heading 5) are:

  • Identification and contact details
  • Data relating to international sanctions

Other relevant information: The following section includes other relevant data processing information:

  • Right to object to processing: If you believe that CaixaBank Payments & Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa SA de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Livingcenter Activos Inmobiliarios, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Banco BPI, S.A.
  • CaixaBank Wealth Management Luxembourg, S.A.
  • Bankia Habitat, S.L.U.
  • CaixaBank Equipment Finance, S.A.
  • Puerto Triana, S.A.U.
  • CaixaBank Asset Management Luxembourg, S.A.
  • BPI Gestão de Ativos, SGOIC, S.A.
  • BPI Vida e Pensões – Companhia de Seguros, S.A.

You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo. 


RECIPIENTS OF THE DATA

Data controller and joint data controllers

The data we process in your capacity as a customer of CaixaBank Payments & Consumer is processed by CaixaBank Payments & Consumer. If data is processed by joint data controllers, it will be processed by CaixaBank Group companies in accordance with the previous processing sections.

Authorities or official bodies

Credit institutions such as CaixaBank Payments & Consumer and other payment service providers may be legally required to provide information on transactions we carry out to authorities or official bodies in other countries located both within and outside the European Union. This obligation is within the scope of the fight against financing terrorism, serious forms of organised crime, and money laundering, as well as the prudential supervision of credit institutions by the Bank of Spain and the European Central Bank.

This obligation may also apply to payment services and technology service providers with which we maintain relations and to which we send data to carry out transactions.

Credit reporting databases

If you stop making payments in relation to any of the monetary obligations you have undertaken with us pursuant to our Contractual Relations, we will be able to disclose payment default details to the following credit information systems in the conditions and requirements outlined in regulations:

> Asnef database: Asnef Equifax Servicios de Información sobre Solvencia y Crédito. Apartado de correos 10546, 28080 Madrid (sac@equifax.es)

> Badexcug database: Apartado de correos 1188, 28108 Alcobendas (badexcug@experian.com)

We inform you that you can exercise your rights to access, rectify, object to processing, delete, restrict processing, transfer your personal data and not be subject to automated decision-making in accordance with the law with these records regarding fulfilment or non-fulfilment at the indicated addresses.

Disclosure of data to outsourced service providers

Sometimes we use service providers with potential access to personal data.

Such providers offer adequate and sufficient guarantees regarding the processing of your data, since we carefully screen service providers and include specific requirements where their services involve the need to process personal data.

The types of services we can assign to service providers are:

> Financial back-office services

> Administrative support services

> Audit and consulting services

> Legal services and asset and non-payment recovery services

> Payment services

> Marketing and advertising services

> Survey services

> Call centre services
> Logistics services

> Physical security services

> Computer services (system and information security, cybersecurity, information systems, architecture, hosting, data processing)

> Telecommunications services (voice and data)

> Printing, enveloping, postal and courier services

> Data storage and destruction services (digital and physical)

> Maintenance services for buildings, installations and equipment


DATA STORAGE PERIODS

Storage for maintaining Contractual Relations

We will process your data as long as the Contractual Relations we have established remain in force.

Storage of authorisations for consent-based processing 

We will process the data based on your consent until you revoke it.

If you cancel all your product and service contracts with the CaixaBank Group companies but do not withdraw the consent you have given us, we will automatically void said consent until you stop being our customer.

Storage to comply with legal obligations and to formulate, exercise and defend against claims

Once authorisations for use have been revoked as you have withdrawn your consent, or the contractual or business relations established with us have ended, we will only keep your data to comply with legal obligations and to allow you to formulate, exercise or defend claims during the limitation period for actions derived from these contractual relations.

We will process this data by applying the technical and organisational measures required to guarantee that it is only used for these purposes.

Data destruction

We will destroy your data when the retention periods imposed by the regulations governing CaixaBank Payments & Consumer's activity have passed and the limitation periods for administrative or judicial actions arising from the relations established between you and us have elapsed.


DATA TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA

At CaixaBank Payments & Consumer, we process your data within the European Economic Area and generally, our service providers are located within the European Economic Area or in countries that are deemed to have an adequate level of data protection.

If we need to use brokers that carry out processing outside the European Economic Area or in countries not determined to have an adequate level of data protection, we will ensure that your data is processed in a secure and legitimate manner.

For this purpose, we require these brokers and service providers to apply suitable guarantees in accordance with the GDPR (such as binding corporate standards guaranteeing information protection in a similar way to European standards) or to subscribe to the standard clauses of the European Union. You may request a copy of the proper guarantees required by CaixaBank Payments & Consumer from these vendors by contacting the data protection officer at www.caixabank.com/delegadoprotecciondedatos.

 


AUTOMATED DECISIONS

Section 6 of this Policy contains information on the type of processing that incorporates automated decision-making.

If, during the Contractual Relations you maintain with us, we adopt decisions that could produce legal effects for you or could significantly affect you (for example, to not allow you to take out a certain product) based solely and exclusively on automated processing (i.e., without the participation of a person), we will inform you of this, as well as of the logic through which we adopted it, in the contractual documentation of the product or service you have requested.

Moreover, at that time, we will also adopt measures to safeguard your rights and interests by giving you the right to human involvement, to express your views and to challenge the decision.

REVIEW

We will revise this Privacy Policy whenever necessary to keep you duly informed, for example, when publishing new standards or criteria or when we engage in new processing activities.

We will notify you through the usual communication channels whenever there are substantial or important changes to this privacy policy.

Last review date

18 October 2023