PRIVACY POLICY OF CAIXABANK PAYMENTS & CONSUMER 

The legal basis for this processing is your consent, as laid out in Article 6.1.a) of the General Data Protection Regulation (GDPR).

We may have requested this consent through different channels during your customer registration interview, through your adviser (remotely or in person), through digital channels or mobile applications, through any company with which we maintain a collaboration agreement (''Advisors'') or any CaixaBank Group company that is a joint data controller of the specific processing operation, or through any channel of
Bankia, S.A. prior to its merger with CaixaBank.

If, for any reason, we have never asked you for your consent, this processing will not apply to you.

You can view the consent you have given or denied and change your decision at any time and for free at our branches, on the CaixaBank Payments & Consumer website (www.caixabank.es) and on the websites of each of the companies jointly responsible for the specific processing, at CaixaBank branches, or through your online account or the CaixaBank Payments & Consumer mobile apps.

Processing based on your consent is indicated below from (A) to (F). The following information will be indicated for each operation: a description of the purpose (Purpose), the details of the processed data (Processed data), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

In the event that you gave Bankia your consent to process your data for commercial purposes prior to their merger, CaixaBank will carry out processing operations A, B and C, as indicated below, in accordance with the preferences you indicated to Bankia at that time.

Specifically, the processing described in items A and B below will only be carried out by CaixaBank Group companies as joint controllers when you have consented to the communication of data between Bankia group companies (now CaixaBank).

A. Customisation of product offer according to analysis of your data

Purpose: if we have your consent, we will use the data indicated below to create a commercial profile for you, which will allow us to define your preferences or needs and offer you, through your adviser (in-person or virtual), products and services marketed by companies acting as joint data controllers that we believe may interest you according to those preferences and needs.

By processing your data, we can make customised offers that may be of more interest to you than generic offers.

In addition, if you authorise us to ''Inform you of the products and services available through channels'' (Section 6.1.B), we will offer you products and services from joint data processors that we believe may interest you based on the preferences and needs we deduce for you, through any other channel that you authorise us to.

Data processed: we will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the
processing of genetic data, biometric data intended to identify you uniquely, health data or data relating to your sex life or orientation.

For this purpose, we will process the following data:

• Identification and contact details: full name, gender, sex, postal, telephone and
  email contact information, address of residence, nationality and date of birth,
  language choice, identification document.
• Details of your professional or work activity and socio-economic information:
  details related to your job, income or remuneration, household, level of education,
  assets, tax and fiscal data.
• Contract details: contracted or requested products and services (first-party and
  third-party), account holder status, authorised or representative of the product and
  service contracted and information and transactions related to your financing
  operations.
• Basic financial data: current and historical balances of products and services and
  payment history of contracted products and services (own or third party).
• Third-party data from statements and receipts of instant accounts and
  payment accounts: information on entries and transactions that third-party issuers
  make to your accounts, including transaction type, issuer, amount, and the concept
  as it appears on receipts and statements for debit, credit and prepaid card
  transactions.
• Details of whether or not you are a CaixaBank shareholder: if you have
  CaixaBank shares or not.
• Data on communications maintained with you: data obtained in chats, walls,
  video conferences, telephone calls or any other equivalent means of
  communication.
• Own browsing data: if you have accepted the use of cookies and similar
  technologies on your browsing devices, the data obtained from your browsing on our
  websites or mobile applications and the browsing you perform on them: browsing
  history (pages visited and clicks on content), device ID, advertising ID, IP address
  and version installed on the app.
• Geographical details: details of the location of the businesses where you make
  card transactions and the geolocation data of your mobile device provided by the
  installation and/or use of our mobile applications, when authorised by you in the
  settings for the apps.
• Data obtained from other processing activities provided for in this policy: Risk assessment data or scoring: in financing or payment for instalments, we will
  forecast your capacity to pay or not pay or the risk limits, applying statistical and
  mathematical models using your data (processing defined in section 6.2.B).
• Data obtained from the execution of statistical models: we use the results of
  applying mathematical modelling to customer data to deduce their consumption
  habits, product preferences or tendencies or to classify customers.
• Demographic and socio-economic data: these are data not relating to specific
  people but geographical areas, age sectors or professional activity sectors, which we
  will use to put into context with customer information.
• Details of properties and vehicles associated with you: these are data obtained from
  the land registry and basic data on vehicles obtained from the Spanish Traffic
  Directorate, which we will use to add to the information on your properties and vehicle.
• Details of directors, functional officers and corporate relationships: these are
  data taken from the INFORMA databases that we will use to add to the information on
  your activities.
• Details of agricultural subsidies and insurance: these are data published by the
  Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance
  Institution (ENESA).
• Data from third-party companies where you have given your consent to share
  them with us: your data processed by other companies with which we have
  agreements and which you have authorised to share your information with us.
• Browsing data: if you have accepted the use of cookies and similar technologies on
  your browsing devices, the data obtained from your browsing on third-party websites
  or mobile applications and the browsing you perform on them: browsing history
  (pages visited and clicks on content), device ID, advertising ID and IP address.
• Social media or internet details: social media or internet data that you authorise us
  to view.

Use of profiling: for this processing, we will create a business profile that we will use exclusively to customise the products and services we offer you:

• Purpose of the profile: the purpose of the profile is to identify the products and
  services we think may interest you, based on the information we have about you, to
  offer your specific rather than generic commercial offers.
• Consequences: if you authorise the processing, we will use commercial profiles to
  decide which products or services to offer you. If you do not give your authorisation,
  we will not use your information to customise our commercial offer. We do not use this profiling, under any circumstances, to refuse any product or
  service or to set credit limits. Refusal to accept this processing will not prevent, limit
  or condition your access to our full catalogue of products and services, which is
  always available to you.
  If you apply for any product or service, your application will be assessed in
  accordance with our regular procedures. The acceptance or non-acceptance of the
  analysis of your data for the purpose of customising the product offering will not
  affect this assessment.
  Failure to accept this processing will not prevent us from contacting you to manage
  the products and services you have with us.
• Logic: The profile of a customer is calculated based on the data indicated in the
  ''processed data'' section.
  These data are applied to mathematical formulas obtained from past behaviours
  observed in clients of similar characteristics to infer the customer's future behaviour.
  These mathematical formulae allow us to determine the importance of all the data
  processed in the final result of the applicant's profile.
  This final result is the probability that the customer will be interested in a product or
  service.

Other relevant information: the following section includes other relevant data processing
information:

• Pre-check of your payment capacity: when the offers we wish to propose to you
  consist of products or services that involve payment in instalments or financing, we
  will first check your payment capacity.
  We will carry out this check by means of the processing outlined in section 6.2.C of
  our privacy policy, with the aim of offering you a credit limit and repayment term
  suited to our knowledge of your financial situation, in accordance with the principle of
  responsibility regarding the offer of financing products required by the Bank of Spain,
  under regulations on the oversight and solvency of credit institutions and responsible
  lending.
  Not accepting this processing does not prevent, limit or condition your access to our
  catalogue of financing products and services. If you request them, we will evaluate
  them with you in accordance with our standard procedures.
• Duration of data processing: we will only process your data if you have given us
  your consent, which will remain in force until you withdraw it. If you cancel all your
  products or services with us but forget to revoke your consent, we will do so
  automatically.

Joint data controllers: the following CaixaBank Group companies will process your data jointly.

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Wivai Select Place, S.A.U.
• imaginersGen, S.A.
• VidaCaixa, S.A.U. de Seguros y Reaseguros

You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo.

B. Notification of products and services through channels

Purpose: if we have your consent, we will make our range of products and services available to you only via the following channels authorised by you: mobile applications, digital environments and electronic channels, letter or telephone.

The data we will use to communicate through the channels that you authorise will vary depending on whether you have authorised us to customise our product offerings by analysing your data:

• If we do not have your consent to customise our commercial offer (Processing A),
  we will only use your identifying and contact details to send you generic offers.
• If you have given us your consent to customise our commercial offer (Processing A),
  we will also use the information from your commercial profile that is detailed in
  processing 6.1.A to inform you of personalised offers.

Data processed: the data we will process for this purpose are:

• Identification and contact details: full name, gender, postal, telephone and email
  contact information, address of residence, and language choice.

Other relevant information: the following section includes other relevant data processing
information:

• Duration of data processing: we will only process your data if you have given us
  your consent, which will remain in force until you withdraw it. If you cancel all your
  products or services with us but forget to revoke your consent, we will do so
  automatically.

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Wivai Select Place, S.A.U.
• imaginersGen, S.A.
• VidaCaixa, S.A.U. de Seguros y Reaseguros

You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo. 

C. Disclosure of data to other companies so they can send you advertising

Purpose: if we have your consent, we will transfer the data indicated below to companies with which we have agreements so they can offer you their products and services.

If you do not consent to this processing, we will not transfer your data. If you consent, the data we transfer to other companies will vary depending on whether you have authorised us to customise our product offerings by analysing your data:

• If we do not have your consent to customise our commercial offer (Processing A),
  we will only provide these companies with your identifying and contact details.
• If you have given us your consent to personalise our commercial offer (Processing
  A), we will also inform these companies of your commercial profile, including
  information on your preferences and needs, as well as inferred information about
  your probability of payment or non-payment, or risk limits.

These third-party companies to which we may transfer your data undertake the following
activities:

• banking
• investment services
• insurance and reinsurance
• venture capital
• property
• highways
• sale and distribution of goods and services
• consultancy services
• leisure
• charity-social action

Data processed: we will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the
processing of genetic data, biometric data intended to identify you uniquely, health data or data relating to your sex life or orientation.

This is the data we will use if you consent to us disclosing your data to third parties, but we do not have your consent to personalise our commercial offer of products and services to you
(Processing A):

• Identification and contact details: full name, gender, postal, telephone and email
  contact information, address of residence, nationality and date of birth, language
  choice, and identification document.

We will also use the following data if you have given us your consent to personalise our
commercial offer of products and services (Processing A):

• Data obtained from other processing activities provided for in this policy: 
  • Risk assessment data or scoring: in financing or payment for instalments, we will
    forecast your capacity to pay or not pay or the risk limits, applying statistical and
    mathematical models using your data (processing defined in section 6.2.B).
  • Data obtained from the execution of statistical models: we use the results of
    applying mathematical modelling to customer data to deduce their consumption
    habits, product preferences or tendencies or to classify customers.

   

Other relevant information: the following section includes other relevant data processing
information:

• Data transfer information: if we reach an agreement with a third company to
  transfer your data, the recipient company will inform you of this, as well as of the
  details of the processing they intend to carry out.
• Duration of data processing: we will only process your data if you have given us
  your consent, which will remain in force until you withdraw it. If you cancel all your
  products or services with us but forget to revoke your consent, we will do so
  automatically.

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Wivai Select Place, S.A.U.
• imaginersGen, S.A.
• VidaCaixa, S.A.U. de Seguros y Reaseguros

You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo. 

D. Identification of customers and signing documents using biometrics

Purpose: with your consent, we will employ technical tools using biometrics to confirm your
identity and sign transactions or contracts with CaixaBank Payments & Consumer.

Data processed: the data we will process for this purpose are:

• Identifying and contact details: full name, gender and identification document
• Biometric data: facial pattern, voice biometrics or fingerprint.

Other relevant information: the following section includes other relevant data processing
information:

• Recording your biometrics is totally voluntary: we will only process your data in
  this way if you have given us your express consent for us to do so. Your consent will
  remain valid until you revoke it. If you do not consent to this processing, this will not
  restrict your access to any product or service offered by CaixaBank Payments &
  Consumer.In this case, we will verify your identity and signature using means that do
  not rely on biometrics.
   
• Duration of data processing: we will only process this data if you have given us
  your consent during the registration process in order to confirm your identity, and we
  will then block the information for the period required by the regulations for the sole
  purpose of complying with legal obligations or to draw up, exercise or defend
  complaints or claims.

Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

The legal basis of this data processing is that it is necessary to manage contracts that you request or to which you are a party, or to apply precontractual measures if you request them, as established in art. 6.1.b) of the General Data Protection Regulation (GDPR).

Therefore, this processing is necessary for you to establish and maintain Contractual Relations with us. If you object to it, we will end these relations, or we cannot establish them if they have not yet started.

The types of processing required to establish contractual relations are listed below, arranged from (A) to (B). The following information will be indicated for each operation:a description of the purpose (Purpose), the type of processed data (Type of processed data), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

A. Signing, maintenance and performance of Contractual Relations

Purpose: the purpose of this data processing is to formalise and maintain the Contractual
Relationships established between you and us, including the processing of your requests or
orders, the steps prior to entering into a contract (pre-contractual relationships), processed with us directly or through one of our intermediaries (such as our agent CaixaBank, S. A. or any of our brokers, who have commercial establishments of which you may be a customer), and the implementation of measures to ensure compliance with the contracts you sign with us and, where appropriate, the management of debt recovery.

This data processing involves collecting the information necessary to establish or to manage the application, to evaluate the suitability of the product and to process the information needed to properly maintain and execute the contracts.

The processing activities involved in signing, maintaining and performing the Contractual
Relations are:

• Collecting and registering the data and documents needed to apply for the requested
  products.
• Formalising the signing of the contracts for the products and services.
• Managing the products and services you have taken out with us, including
  responding to your questions regarding operations, handling any associated
  incidents and the annotation and verification of accounting entries for receiving and
  making product payments and sending operational communications and managing
  the collection or waiver of any fees related to products and services.
• Adapting measures to resolve any defaults that may arise, including early debt
  collection management, communication, where applicable, to external agencies for
  collection actions, communication, where applicable, of data to credit information
  systems, filing, where applicable, and monitoring of lawsuits, identification and
  monitoring of situations of insolvency proceedings.

Type of data processed: the types of data we will process for this purpose (the content of which is detailed in heading 5) are:

• Identification and contact details
• Details of your professional or work activity and socio-economic information
• Sensitive data related to situations of vulnerability
• Biometric data
• Legal capacity data
• Details on special communication needs
• Contract details
• Basic financial data
• Third-party data from statements and receipts of instant accounts and payment
  accounts
• Data on communications maintained with you
• Data obtained from the execution of statistical models
• Data obtained from other processing activities provided for in this policy:
  - Risk assessment or scoring data (processing defined in heading 6.2.B)
• Data on credit information systems
• Details of Equifax Risk Score
• CIRBE details
• Data from the General Treasury of the National Social Security Institute
• Data relating to international sanctions
• Information obtained from public access sources and public records

Other relevant information: the following section includes other relevant data processing
information:

• Automated decisions: when you request a product or service, we will use mechanisms
  to verify its suitability for your needs, interests and objectives based on objective
  criteria (e.g. employment status or tax residence). The establishment of these objective criteria derives from regulatory obligations regarding the governance of financial products and instruments and is included in the bank's internal product design policies. If the product is deemed to be unsuitable, the applicant may not contract it, and the
  application will be automatically rejected as the applicant's objective criteria are
  incompatible with those of the specific requested product or service.                                You may challenge the automated decision or exercise your right not to be subject to a decision based solely on automated processing by contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy.

• Disclosure to credit information systems: this processing may involve disclosing
  your debt or non-payment details to credit information systems based on our
  legitimate interest, as described in section 6.4.D
   
• Obtaining contact information: This processing may involve the collection of additional contact details from you by external debt investigation and recovery agencies, which will be carried out based on our legitimate interest, as detailed in section 6.4.E

Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller. 

Furthermore, if the product or service you apply for is marketed by CaixaBank Payments & Consumer but issued by another company, said other company will be responsible for processing your data in relation to that contract.

This means that if you take out through CaixaBank Payments & Consumer, as a banking-
insurance operator, an insurance plan issued by VidaCaixa or SegurCaixa, these companies will
be the controllers of your data as the issuers of the products.

We will inform you about this in detail in the contractual documentation for each product or service.

B. Analysis of creditworthiness and repayment capacity for the granting and monitoring of
credit risk.

Purpose: the purpose of this data processing is to assess whether applicants and/or holders for products or services that involve the repayment of loans or credits, or deferred instalments, have the solvency and repayment capacity needed to make the scheduled payments in the operations that are analysed and/or have been granted.
Detailed information on the solvency and repayment capacity analysis process that will be carried out when you apply for or have already been granted transactions involving the repayment of loans or credits, or the deferred payment of instalments, will be provided in the transaction request you will be required to sign when you apply for these products.

The processing activities carried out to analyse the solvency or repayment capacity of applicants and/or holders of products involving financing are:

• Analysis of the repayment capacity of applicants at the time of granting new credit
  operations.
• Analysis of the solvency of the holders of products involving financing throughout the
  life of the credit operations maintained with us to manage internal risks and prevent
  payment defaults.

Types of data processed: the types of data we will process for this purpose (the content of
which is detailed in heading 5) are:

• Identification and contact details
• Details of your professional or work activity and socio-economic information
• Contract details
• Basic financial data
• Third-party data from statements and receipts of instant accounts and payment
  accounts
• Data obtained from the execution of statistical models
• Data obtained from other processing activities provided for in this policy:

- Risk assessment or scoring data (processing defined in heading 6.2.B)

• Data on credit information systems
• Details of Equifax Risk Score
• CIRBE details
• Demographic and socio-economic data
• Details of properties and vehicles associated with you
• Information obtained from public access sources and public records

Use of profiling: for this processing, we will create a risk profile that will be used exclusively to
analyse the solvency and repayment capacity of applicants and/or holders of products involving financing.

• Purpose: the purpose of the profile is to determine the probability of default when
  granting transactions, assess the need to adjust the risk of current transactions and
  calculate the provisions and capital requirements applicable to CaixaBank Payments & Consumer.
• Consequences: risk profiles are tools used to support decisions on whether to grant
  risk transactions or adjust the limits of existing transactions.
  Transactions requested through electronic channels may involve automated decisions
  on whether to grant the transaction, as detailed in the section & ''Other relevant
  information''.
• Logic: the applicant's profile will use the information indicated in the Type of ''processed data'' section above.
  This basic information is used to assign a specific value to each piece of data on the
  applicant, the sum of which produces a score indicating the probability of default or
  non-compliance with monetary obligations.
  The importance of each variable and its influence on the final result is calculated in
  advance using mathematical models and is included in the institution's internal risk
  policies.

Other relevant information: the following section includes other relevant data processing
information:

• Automated decisions: we will use automated processes to analyse solvency and
  repayment capacity for applications submitted through electronic channels to check
  whether the financing is suitable, depending on your characteristics and the
  information you have provided. If the requested financing is deemed incompatible with your repayment capacity based on the profile calculations employed, you will not be able to contract the product, and your application will be rejected automatically in this channel.
  You may resubmit an application for the transaction at one of our branches, where the
  analysis does not include automated decisions, challenge the automated decision or
  exercise your right not to be subject to a decision based solely on automated processing
  by contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy.
• Regulatory obligations: in addition to these processing operations being required
  to perform the contractual relationship between you and us, this processing is
  carried out in accordance with the provisions of Law 44/2002, on Financial System
  Reform Measures, Law 10/2014, of 26 June, on the regulation, supervision and
  solvency of credit institutions, and other obligations and standards set out in
  regulations on responsible lending, to which we adhere as a credit institution.
• Credit information system enquiries: the credit information systems enquiries
  required for solvency analysis will be carried out based on our legitimate interest, as
  detailed in section 6.4.D.
• CIRBE enquiry and communication: the CIRBE enquiries required for solvency
  analysis are carried out in accordance with the provisions of Law 44/2002, of 22
  November, on Financial System Reform Measures. Furthermore, the data necessary
  to identify the persons with whom credit risks are maintained will be communicated,
  based on the same standard.

Joint data controllers: sector regulations on the prudential and solvency requirements that apply to the financial sector require that a credit operation be granted to customers and monitored jointly by all the companies that comprise the same consolidated group of credit institutions.

The following CaixaBank Group companies will process your data jointly.

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Telefónica Consumer Finance, E.F.C., S.A.
• CaixaBank Equipment Finance, S.A.U.
• Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C.,
  S.A.U.
• Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
• Hipotecaixa 2, S.L.U.
• Banco BPI, S.A.
• Wivai Select Place, S.A.U.

You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo. 

The legal basis of this processing is the requirement to comply with a legal obligation that is required of us, as laid out in Article 6.1.c) of the General Data Protection Regulation (GDPR).

Therefore, it is necessary for you to establish and maintain Contractual Relations with us. If you do not want us to carry out this processing, we will have to end this relationship, or we will not be able to establish the relationship if not already in place.

The types of processing required to satisfy the regulatory requirements are listed below, arranged from (A) to (D). The following information is indicated for each process: a description of the purpose (Purpose), the type of processed data (Type of processed data), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

Processing to comply with anti-money laundering and terrorist financing regulations

Purpose: the purpose of this processing is to adopt the measures imposed on our activity by Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing.

The processing operations that are carried out to comply with anti-money laundering and terrorist financing regulations are:

The legal basis of this processing is the legitimate interest pursued by CaixaBank Payments &
Consumer or a third party, provided that these interests do not take precedence over your interests, or your fundamental rights and freedoms, as per art. 6.1. f) of the General Data Protection Regulation (GDPR).

This processing will imply that we have considered your rights and our legitimate interest and we have concluded that the latter prevails. Otherwise, we would not process the data. You can ask about the analysis that is done to weigh the legitimate interest of a processing operation at any time by emailing your enquiry to delegado.proteccion.datos@caixabank.com.

We also remind you that you have the right to object to processing based on a legitimate
interest. If you consider that CaixaBank and, where applicable, joint data controller companies
should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.

This processing is indicated below from (A) to (F). The following information will be indicated for each operation: CaixaBank Payments & Consumer's Legitimate Interest (CaixaBank Payments & Consumer's legitimate interest), a description of the purpose (Purpose), the type of processed data (Type of processed data), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

A. Management of the performance of employees, agents and suppliers

Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments &
Consumer's legitimate interest in this process is to manage its relations with employees, agents,suppliers and brokers based on their professional performance.

Purpose: the purpose of this processing is to monitor the performance, objectives and
professional challenges of employees, suppliers and brokers by analysing the operations and
contracts that they maintain with customers.

Types of data processed: the types of data we will process for this purpose (the content of
which is detailed in heading 5) are:

• Contract details
• Basic financial data

Other relevant information: the following section includes other relevant data processing
information:

• Right to object to processing: if you consider that CaixaBank Payments &
  Consumer should be aware of any particular situation or other justifiable reasons for
  us to stop processing your data, you may submit a request to this effect simply and
  free of charge through the channels indicated in heading 4.
• Ancillary use of your data: these data processing activities deal with customer
  information, but their information is ancillary to the purpose pursued. This processing
  has no effect or consequence on the data subject.

Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

B. Fraud prevention

Legitimate interest of CaixaBank Payments & Consumer: the legitimate interest of CaixaBank Payments & Consumer and the joint data controller companies listed in this section for carrying out this processing is to prevent fraud that could lead to financial or reputational damage to the institution or its customers.

Purpose: the purpose of this processing is to adopt the necessary measures to prevent malicious transactions or conduct before they occur or to mitigate their impact if they do occur by identifying suspicious transactions or conduct that could involve an attempt to defraud the institution or its customers.

The processing operations carried out to prevent fraud are:

• Verifying the identity of customers that interact with the bank to prevent fraudulent
  access to information or operations.
• Reviewing and analysing the contracts and operations carried out in our systems to
  protect our customers from fraud through any channel and prevent cyberattacks.
• To confirm your identity and the validity of the identification documents provided with
  national and international databases managed by law enforcement and similar
  agencies, like INTERPOL (International Criminal Police Organization), to confirm that
  you are the holder of the identification document you provide us and to protect you
  from identity theft (when another person pretends to be you).
• Consulting the information included in the PAYGUARD Fraud Prevention Service to
  detect fraudulent accounts and report, where appropriate, fraudulent transactions.

Types of data processed: the types of data we will process for this purpose (the content of
which is detailed in heading 5) are:

• Identification and contact details
• Details of your professional or work activity and socio-economic information
• Contract details
• Basic financial data
• Third-party data from statements and receipts of instant accounts and payment
  accounts
• Data on communications maintained with you
• Own browsing data
• Geographical details
• Data obtained from other processing activities provided for in this policy
  • Risk assessment or scoring data (processing defined in heading 6.2.B
• Data obtained from the execution of statistical models

Use of profiling: this processing involves creating a profile of your usual operations and
activities, which we use exclusively to detect irregular situations that may indicate an attempt to commit fraud.

• Purpose: the purpose of the profile is to identify operations or interactions that are
  unusual or not in line with your behaviour profile that could be an attempt to commit
  fraud or gain fraudulent access to information.
• Consequences: profiles are tools that help to identify fraudulent transactions. The use
  of these profiles requires the implementation of measures, including reviewing
  transactions in detail, blocking transactions and rejecting their automatic execution.

Other relevant information: the following section includes other relevant data processing
information:

• Automated decisions: for the purpose of fraud prevention, we will use automated
  processing to try to detect fraudulent transactions.
  In the case of transactions that cannot be reversed once executed, such as immediate
  payments or transfers, the automated processes will block any suspicious transactions
  and prevent them from being executed.
  You may request the transaction again, challenge the automated decision or exercise
  your right not to be subject to a decision based solely on automated processing by
  contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy.
• Right to object to processing: If you consider that CaixaBank Payments &
  Consumer and, where applicable, joint data controller companies should be aware of
  any particular situation or other justifiable reasons for us to stop processing your data,
  you may submit a request to this effect simply and free of charge through the
  channels indicated in heading 4.
• PAYGUARD Fraud Prevention Service: CaixaBank is a member of the PAYGUARD
  Fraud Prevention Service, which covers the country's leading financial institutions and is managed by Sociedad Española de Sistemas de Pago, S.A. (Spanish Payment
  Systems Company) (Iberpay). This service aims to minimise the levels of fraud related to movements between accounts by detecting, investigating, monitoring and reporting, where applicable, suspicious and fraudulent transactions involving customers' current or savings accounts. The legal basis for the processing is the legitimate interest in preventing the type of fraudulent activity that could affect these transactions.
  CaixaBank may include in the PAYGUARD Fraud Prevention Service data related to the
  IBAN number and identifying details of the holder of the account where the suspicious or fraudulent transaction has been detected. You can view the updated list of participating institutions at: https://www.iberpay.es/es/servicios/servicios/prevenci%C3%B3n-del-fraude/ 
  The data will be stored for a maximum of thirty days for suspicious transactions, and one
  year for confirmed fraudulent transactions.
  The institutions participating in the PAYGUARD Fraud Prevention Service are the joint
  controllers of your data. You can request the main aspects of the joint data controller
  agreement by sending an email to www.caixabank.com/delegadoprotecciondedatos
  and also exercise your rights regarding the processing of your data through any of the
  channels indicated in section 4. ''Exercising rights and filing complaints through the Spanish Data Protection Authority (AEPD)''.

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Global Payments Moneytopay, EDE, S.L.

You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo. 

C. Consultation and communication with credit reporting systems as part of the
application for and subsequent management of products that involve financing.

Legitimate interest of CaixaBank Payments & Consumer: the legitimate interest of CaixaBank Payments & Consumer to carry out this processing is to avoid non-payment and defaults by applicants or account holders of those products that involve financing.

Purpose: the purpose of this processing is to assess the solvency and repayment capacity (i) to
ensure adequate compliance by the interested parties with their payment obligations resulting
from the transactions granted, (ii) to monitor and manage the transactions granted, and (iii) to
prevent and manage defaults and non-performing loans.

The processing operations carried out when checking solvency records are:

• Checking your information: the databases of the following solvency and credit files shall
  be consulted prior to approving the transactions involving financing or in order to
  monitor and manage the risk of the credit granted: (i) Asnef database; (ii) Badexcug
  database.
• Communicate your personal details: if you stop making payments in relation to any of
  the monetary obligations you have undertaken with us pursuant to our Contractual
  Relations, we may disclose your payment default details to the following credit
  information systems subject to the conditions and requirements outlined by law:

Types of data processed: the types of data we will process for this purpose are:

• Identification and contact details
• Contract details
• Basic financial data
• Data on credit information systems

Other relevant information: the following section includes other relevant data processing
information:

• Right to object to processing: if you consider that CaixaBank Payments &
  Consumer should be aware of any particular situation or other justifiable reasons for
  us to stop processing your data, you may submit a request to this effect simply and
  free of charge through the channels indicated in heading 4.

Data Controller: CaixaBank Payments & Consumer is responsible for the part of the processing related to consulting credit information systems. CaixaBank Payments & Consumer and the Asnef and Badexcug databases are jointly responsible for the part of the processing related to communication to credit information systems:

• Asnef database: Asnef Equifax Servicios de Información sobre Solvencia y Crédito.
  Apartado de correos 10546, 28080 Madrid (sac@equifax.es)
• Badexcug database: Apartado de correos 1188, 28108 Alcobendas
  (badexcug@experian.com)

D. Collection of additional contact details for default management

Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments &
Consumer's legitimate interest is to collect the debt in non-payment situations, which requires having up-to-date contact details on its customers.

Purpose: the purpose of this processing is to obtain additional customer contact information to contact them in the event they breach their contractual obligations.
Additional contact details are obtained from public lists (white pages, yellow pages and
Lleida.net) and private lists (Equifax or Detectives) through debt collection agencies, ensuring
that the data collected complies with the quality principle and is obtained legally.

Types of data processed: the types of data we will process for this purpose are:

• Identification and contact details
• Information obtained from public access sources and public records

Other relevant information: the following section includes other relevant data processing
information:

• Right to object to processing: if you consider that CaixaBank Payments &
  Consumer should be aware of any particular situation or other justifiable reasons for
  us to stop processing your data, you may submit a request to this effect simply and
  free of charge through the channels indicated in heading 4.

Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

E. Preparation of management reports and mathematical models

Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments &
Consumer's legitimate interest in carrying out this process is to design, organise and optimise its corporate and commercial activity as efficiently as possible, which requires having reports on the management and activity of the company and the market, as well as advanced information analysis mathematical algorithms.
Purpose: the purpose of this processing is to prepare reports on the company's activity and its relationship with the market, on the composition and evolution of its customer base and on the convenience and effectiveness of its products and services. These reports are used to manage said products/services and to create and maintain statistical and mathematical models that allow for the processing detailed in this policy to be carried out and that require advanced calculations and analysis of the information.

Types of data processed: the data we will process for this purpose is that which has been
identified previously for each processing type. We will apply, whenever possible, anonymisation or pseudonymisation techniques to ensure that this processing does not have an impact on the rights of the data subjects and that the processing results in reports with statistical or aggregated information or mathematical or algorithmic formulas.

Other relevant information: the following section includes other relevant data processing
information:

• Right to object to processing: if you consider that CaixaBank Payments &
  Consumer should be aware of any particular situation or other justifiable reasons for
  us to stop processing your data, you may submit a request to this effect simply and
  free of charge through the channels indicated in heading 4.
• Ancillary data processing: the processing of data to create statistical reports and
  mathematical models is not intended to process individual customer data. This data processing is necessary but ancillary to the main purpose of preparing management reports or algorithmic or mathematical formulas and is thus carried out using, whenever possible, anonymising techniques or, failing that, pseudonymisation and minimising the information processed. This processing has no effects or consequences on the individual data subject.

Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

F. Sending of commercial communications based on a basic commercial profile

Who does this processing apply to? We will only process your data in this way if:

• you have not indicated your preferences for the commercial processing described in
  sections 6.1.A., 6.1.B. and 6.1.C of this policy;
• we have sent you a personalised communication informing you of this; and
• you have not exercised your right to objection.

Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments &
Consumer's legitimate interest in processing this data is to promote the marketing of the products and services in its portfolio and to ensure customer loyalty.

Purpose: the purpose of this processing is to send commercial communications on products and services similar to those you have with CaixaBank Payments & Consumer based on a basic commercial profile that we will create using your data.

Types of data processed: the types of data we will process for this purpose are:

• Identification and contact details: full name, gender, postal, telephone and email
  contact information, address of residence, nationality and date of birth, language
  choice, and identification document.
• Details of your professional or work activity and socio-economic information:
  professional or employment activity, income or salary.
• Contract details: contracted or requested products and services, account holder
  status, authorised or representative of the product and service contracted and
  information and transactions related to your financing operations.
• Basic financial data: current and historical balances of products and services and
  payment history of contracted products and services.
• Data obtained from the execution of statistical models: we use the results of
  applying mathematical modelling to client data, which helps us combat fraud, detect
  your consumer habits, preferences or product tendencies for regulatory compliance,
  and manage your products and services.
• Data obtained from other processing activities provided for in this policy:
  • Risk assessment data or scoring: in financing or payment for instalments, we will forecast your capacity to pay or not pay or the risk limits, applying statistical and mathematical models using your data (processing defined in section 6.2.B).
• Demographic and socio-economic data: these are data not relating to specific
  people but geographical areas, age sectors or professional activity sectors, which we
  will use to put into context with customer information.

Use of profiling: for this processing, we will only prepare a basic commercial profile using the
data specified previously:

• Purpose of the profile: the purpose of the profile is to identify the products and
  services we think may interest you in order to offer your specific rather than generic
  commercial offers.
• Consequences: the consequence of using the basic commercial profile is the
  sending of customised offers on CaixaBank Payments & Consumer products and
  services based on the data we have specified. We do not use this profiling, under any
  circumstances, to refuse any product or service or to set credit limits.
  Your refusal to accept this processing will not prevent, limit or condition your access to
  our full catalogue of products and services, which is always available to you.
  If you apply for any product or service, your application will be assessed in
  accordance with our regular procedures. Your objection to this processing will not
  affect this assessment.
  Failure to accept this processing will not prevent us from contacting you to manage
  the products and services you have with us.
• Logic: this basic commercial profile is calculated based on the data indicated in the
  ''Processed data'' section, with a time period spanning thirteen months.
  This data is processed using mathematical formulas obtained from past behaviours
  observed in customers of similar characteristics so as to infer the customer's
  propensity to consume. These mathematical formulas allow us to determine the
  importance of all the data processed in the final result of the customer's profile.
  This final result is the probability that the customer will be interested in a product or
  service.

Other relevant information: the following section includes other relevant data processing information:

• Right to object to processing: please note that you have the right to object to
  processing based on a legitimate interest.
  You can do so simply and free of charge at the following link:
  https://www.caixabank.es/apl/particulares/gdpr/index_es.html?empresa=6&derecho=o posicioncomunicaciones.
  You can also use the normal channels described in section 4.
  If you decide to exercise your right of objection, we inform you that we will stop
  processing the data without requiring you to provide a reason for us to stop
  processing your data.
• Pre-check of your payment capacity: when the offers we wish to propose to you
  consist of products or services that involve payment in instalments or financing, we
  will first check your payment capacity.
  We will carry out this check by means of the processing outlined in section 6.2.B of
  this privacy policy, with the aim of offering you a credit limit and repayment term suited
  to our knowledge of your financial situation, in accordance with the principle of
  responsibility regarding the offer of financing products required by the Bank of Spain,
  under regulations on the oversight and solvency of credit institutions and responsible
  lending.
• Duration of data processing: this processing will come into effect on 10 October
  2022. In any case, you will receive a personalised informative message beforehand.
  We will stop processing this data, with no other additional requirements, in either of
  these two circumstances:
  - When we contact you to request your consent to the commercial processing
  carried out by the CaixaBank Group companies described in section 6.1 (A, B
  and C), whether you authorise or reject them.
  - If you exercise your right of objection.

Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.

G. OFSI and OFAC international financial sanctions policies and countermeasures.

Legitimate interest of CaixaBank Payments & Consumer: the legitimate interest of
CaixaBank Payments & Consumer and the joint data controller companies listed in this section for carrying out this processing is to comply with international financial sanctions and
countermeasures programmes of the United States and the United Kingdom, with a view to
carrying out their business activities in those countries.

Purpose: the purpose of this processing is to adopt the measures envisaged in the international financial sanctions and countermeasures programmes adopted by the Office of Financial Sanctions Implementation (OFSI) of the His Majesty’s Treasury (HMT) of the United Kingdom and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).

In order to comply with these international financial sanctions and countermeasures
programmes, we will check whether you are included on lists of persons or entities subject to
the restrictive measures of these two bodies.

Types of data processed: the types of data we will process for this purpose (the content of
which is detailed in heading 5) are:

• Identification and contact details
• Data relating to international sanctions

Other relevant information: the following section includes other relevant data processing
information:

• Right to object to processing: if you consider that CaixaBank Payments &
  Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of
  charge through the channels indicated in heading 4.

Joint data controllers: The following CaixaBank Group companies will process your data jointly:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• VidaCaixa, S.A. de Seguros y Reaseguros
• Nuevo Micro Bank, S.A.U.
• CaixaBank Asset Management, SGIIC, S.A.U
• Telefónica Consumer Finance, E.F.C., S.A.
• Buildingcenter, S.A.U.
• Livingcenter Activos Inmobiliarios, S.A.U.
• Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C.,
  S.A.U.
• Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
• Banco BPI, S.A.
• CaixaBank Wealth Management Luxembourg, S.A.
• Bankia Habitat, S.L.U.
• CaixaBank Equipment Finance, S.A.
• Puerto Triana, S.A.U.
• CaixaBank Asset Management Luxembourg, S.A.
• BPI Gestão de Ativos, SGOIC, S.A.
• BPI Vida e Pensões – Companhia de Seguros, S.A.

You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo.