Privacy Policy
PRIVACY POLICY OF CAIXABANK PAYMENTS & CONSUMER
HOW WE PROCESS YOUR PERSONAL DATA
To manage your relations with us, CaixaBank Payments & Consumer will process your personal data for different purposes, always in accordance with the applicable laws, respecting your rights and with complete transparency.
For this purpose, in this privacy policy, which you can access at any time at
https://www.caixabankpc.com/politicaprivacidad, you can see complete details on how we will use your data in the relationships we establish with you.
The main regulations that regulate our processing of your personal data are:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the GDPR) - Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of
Digital Rights (hereinafter the LOPD)
WHO PROCESSES YOUR DATA
Data controller: The data controller for your personal data for contractual relations and business with us (''Contractual Relations'') is CaixaBank Payments & Consumer, E.F.C., E.P., S.A. (''CaixaBank Payments & Consumer' or "Entity"'), with tax ID A-08980153 and registered address at Avenida de Manoteras No. 20. Edificio Paris. 28050 Madrid.
Joint data controllers: furthermore, for certain processing, detailed information for which is provided in this policy, CaixaBank Payments & Consumer will jointly process your data with other companies, jointly deciding on the purposes (''what the data is used for'') and the resources used (''how the data is used''), which thus makes them the joint data controllers.
The purposes for which CaixaBank Payments & Consumer will jointly process your data with other companies are described in detail in heading 6 ''Types of data processing''.
In addition, you will find the list of companies that process your data, as well as the essential aspects of the joint data controller agreements at www.caixabank.es/empresasgrupo.
EXERCISING RIGHTS AND FILING COMPLAINTS THROUGH THE SPANISH DATA PROTECTION AGENCY (AEPD)
You can exercise your rights to access, rectify, object to processing, delete, restrict processing, transfer your personal data, withdraw consent and not be subject to automated decision-making in accordance with law.
You can exercise these rights through any of the following channels:
- at CaixaBank, S.A. branches open to the public;
- by using the options provided in your private space on the website www.caixabankpc.com
and in our mobile applications; - at the website address: www.caixabankpc.com/ejerciciodederechos; and
- by sending a letter to Apartado de Correos nº 209, Valencia (46080)
Additionally, if you have any complaints related to the processing of your data, you may address them to the Spanish Data Protection Agency (www.aepd.es).
DATA PROTECTION REPRESENTATIVE
CaixaBank Payments & Consumer and the CaixaBank Group companies have appointed a data protection officer who will deal with any matters related to the processing of your personal data and the exercise of your rights.
You can contact the data protection officer to send your suggestions, queries or claims by going
to: www.caixabank.com/delegadoprotecciondedatos.com.
DATA PROCESSED
The following data will be used in the processing operations outlined in this policy.
Not all the data we inform you about is used for all data processing operations. In section 6, detailing
the data processing operations that we perform, you can consult the specific type of data processed
for each processing operation.
Regarding processing operations subject to your consent, we will also inform you of the details of the
specific data used.
The types and details of the data used in the different processing operations described in section 6
are as follows:
Data you provided when registering for a service or during your relationship with us, through interviews or forms
The data types and details are as follows:
- Identification and contact details: full name, sex, telephone and email contact
information, address of residence, nationality, date of birth, language choice,
identification document, image and voice. - Details of your professional or work activity and socio-economic information:
details related to your job, income or remuneration, household, level of education,
assets, tax and fiscal data. - Biometric data: facial pattern, voice biometrics or fingerprint.
- Legal capacity data: details of a person's power to act, established in a court
judgment. - Details on special communication needs: data provided by disabled persons to
allow accessibility to dialogue and operational management. - Sensitive data related to situations of vulnerability: data related to personal
situations of vulnerability that may be required to implement special measures to
manage contracts and adopt the measures set out in the Royal Decree-Law 6/2012
on Urgent Measures to Protect Mortgage Borrowers without Resources.
Data observed during the contracting and maintenance of marketed products and services (own or third-party)
The data types and details are as follows:
- Contract details: contracted or requested products and services, account holder
status, authorised or representative of the product and service contracted,
categorisation according to regulations regarding securities markets and financial
instruments (MiFID category), information on investments made and their evolution
and information and transactions related to your financing operations. - Basic financial data: current and historical balances of products and services and
payment history of contracted products and services. - Third-party data from statements and receipts of instant accounts and
payment accounts: information on entries and transactions that third-party issuers
make to your accounts, including transaction type, issuer, amount, and the concept
as it appears on receipts and statements for debit, credit and prepaid card
transactions. - Details of whether or not you are a CaixaBank shareholder: if you have
CaixaBank shares or not. - Data on communications maintained with you: data obtained in chats, walls,
video conferences, telephone calls or any other equivalent means of
communication. - Own browsing data: if you have accepted the use of cookies and similar
technologies on your browsing devices, the data obtained from your browsing on our
websites or mobile applications and the browsing you perform on them: browsing
history (pages visited and clicks on content), device ID, advertising ID, IP address
and version installed on the app. - Geographical details: details of the location of the businesses where you make
card transactions and the geolocation data of your mobile device provided by the
installation and/or use of our mobile applications, when authorised by you in the
settings for the apps.
Data inferred or deduced by analysing and processing other data
The data types and details are as follows:
- Data obtained from other processing activities provided for in this policy: data
obtained from the processing activities provided for in this policy, which will be
detailed in the corresponding information on the applicable processing operations. - Data obtained from the execution of statistical models: we use the results of
applying mathematical modelling to customer data to combat fraud, detect your
consumer habits, product preferences and tendencies, classify customers (see
Section 6.4. Letter A: https://www.caixabank.es/particular/general/politica-
privacidad.html), comply with our regulatory obligations, and manage the processing
of your products and/or services (processing defined in Section 6.4.E).
Data obtained from public access sources, public records or external sources.
The data types and details are as follows:
- Data on credit information systems: obtained by consulting the Asnef and
Badexcug credit rating services, which provide information on debts, financial
solvency and credit (debtor, creditor and debt). - Details of Equifax Risk Score: in financing or instalment operations, we will use
the result provided by this system to forecast the probability of default at 12 months,
which is calculated by Equifax by applying statistical and mathematical models to
your Personal ID, postcode of residence and data in credit information systems. - CIRBE Details: we will check if you have risk (financing) with other banks. We will
obtain this information from the Bank of Spain Credit Reporting Agency (CIRBE). - Data from the General Treasury of the National Social Security Institute: The
payer's identification and contact details, professional or employment activity details (CNAE [National Classification of Economic Activities], self-employed worker and/oremployee, employee contribution group). - Data relating to international sanctions: data on people or entities included in
laws, regulations, guidelines, resolutions, programmes or restrictive measures
regarding international economic and financial sanctions imposed by the United
Nations, European Union, Spain, the Office of Financial Sanctions Implementation
(OFSI) of His Majesty;s Treasury (HMT) of the United Kingdom and/or the US
Department of the Treasury’s Office of Foreign Assets Control (OFAC). - Demographic and socio-economic data: these are data not relating to specific
people but geographical areas, age sectors or professional activity sectors, which
we will use to put into context with customer information. - Details of properties and vehicles associated with you: these are data obtained
from the land registry and basic data on vehicles obtained from the Spanish Traffic
Directorate, which we will use to add to the information on your properties and vehicle. - Details of directors, functional officers and corporate relationships: these are
data taken from the INFORMA databases that we will use to add to the information
on your activities. - Details of agricultural subsidies and insurance: these are data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Institution (ENESA). Data from third-party companies where you have given your consent to share them with us: your data processed by other companies with which we have agreements and which you have authorised to share your information with us.
- Information obtained from public access sources and public records: data
provided by public access sources and public records to compare the information
you provide to enter into, maintain and fulfil the Contractual Relationships,
information from the Equifax Bankruptcy file and additional contact data obtained
from telephone directories (white pages, yellow pages, Lleida.net) and the
INFORMA database, to contact our customers in the event of non-compliance with
contractual obligations.
These databases have been authorised in advance to contain this information. - Browsing data: if you have accepted the use of cookies and similar technologies on
your browsing devices, the data obtained from your browsing on third-party websites
or mobile applications and the browsing you perform on them: browsing history
(pages visited and clicks on content), device ID, advertising ID and IP address. - Social media or internet details: social media or internet data that you authorise
us to view.
Types of data processing
We process your data for various purposes and legal reasons:
- Processing based on your consent
- Processing required for the Contractual Relationships
- Processing required to comply with regulatory obligations
- Processing based on legitimate interest of CaixaBank Payments & Consumer
In addition to the general processing detailed below, we may carry out specific processing operations not mentioned in this policy in response to your requests for products or services. Detailed information on these processing operations will be provided to you at the time of processing the specific request.
PROCESSING BASED ON YOUR CONSENT
The legal basis for this processing is your consent, as laid out in Article 6.1.a) of the General Data Protection Regulation (GDPR).
We may have requested this consent through different channels during your customer registration interview, through your adviser (remotely or in person), through digital channels or mobile applications, through any company with which we maintain a collaboration agreement (''Advisors'') or any CaixaBank Group company that is a joint data controller of the specific processing operation, or through any channel of
Bankia, S.A. prior to its merger with CaixaBank.
If, for any reason, we have never asked you for your consent, this processing will not apply to you.
You can view the consent you have given or denied and change your decision at any time and for free at our branches, on the CaixaBank Payments & Consumer website (www.caixabank.es) and on the websites of each of the companies jointly responsible for the specific processing, at CaixaBank branches, or through your online account or the CaixaBank Payments & Consumer mobile apps.
Processing based on your consent is indicated below from (A) to (F). The following information will be indicated for each operation: a description of the purpose (Purpose), the details of the processed data (Processed data), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).
In the event that you gave Bankia your consent to process your data for commercial purposes prior to their merger, CaixaBank will carry out processing operations A, B and C, as indicated below, in accordance with the preferences you indicated to Bankia at that time.
Specifically, the processing described in items A and B below will only be carried out by CaixaBank Group companies as joint controllers when you have consented to the communication of data between Bankia group companies (now CaixaBank).
A. Customisation of product offer according to analysis of your data
Purpose: if we have your consent, we will use the data indicated below to create a commercial profile for you, which will allow us to define your preferences or needs and offer you, through your adviser (in-person or virtual), products and services marketed by companies acting as joint data controllers that we believe may interest you according to those preferences and needs.
By processing your data, we can make customised offers that may be of more interest to you than generic offers.
In addition, if you authorise us to ''Inform you of the products and services available through channels'' (Section 6.1.B), we will offer you products and services from joint data processors that we believe may interest you based on the preferences and needs we deduce for you, through any other channel that you authorise us to.
Data processed: we will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the
processing of genetic data, biometric data intended to identify you uniquely, health data or data relating to your sex life or orientation.
For this purpose, we will process the following data:
- Identification and contact details: full name, gender, sex, postal, telephone and
email contact information, address of residence, nationality and date of birth,
language choice, identification document. - Details of your professional or work activity and socio-economic information:
details related to your job, income or remuneration, household, level of education,
assets, tax and fiscal data. - Contract details: contracted or requested products and services (first-party and
third-party), account holder status, authorised or representative of the product and
service contracted and information and transactions related to your financing
operations. - Basic financial data: current and historical balances of products and services and
payment history of contracted products and services (own or third party). - Third-party data from statements and receipts of instant accounts and
payment accounts: information on entries and transactions that third-party issuers
make to your accounts, including transaction type, issuer, amount, and the concept
as it appears on receipts and statements for debit, credit and prepaid card
transactions. - Details of whether or not you are a CaixaBank shareholder: if you have
CaixaBank shares or not. - Data on communications maintained with you: data obtained in chats, walls,
video conferences, telephone calls or any other equivalent means of
communication. - Own browsing data: if you have accepted the use of cookies and similar
technologies on your browsing devices, the data obtained from your browsing on our
websites or mobile applications and the browsing you perform on them: browsing
history (pages visited and clicks on content), device ID, advertising ID, IP address
and version installed on the app. - Geographical details: details of the location of the businesses where you make
card transactions and the geolocation data of your mobile device provided by the
installation and/or use of our mobile applications, when authorised by you in the
settings for the apps. - Data obtained from other processing activities provided for in this policy: Risk assessment data or scoring: in financing or payment for instalments, we will
forecast your capacity to pay or not pay or the risk limits, applying statistical and
mathematical models using your data (processing defined in section 6.2.B). - Data obtained from the execution of statistical models: we use the results of
applying mathematical modelling to customer data to deduce their consumption
habits, product preferences or tendencies or to classify customers. - Demographic and socio-economic data: these are data not relating to specific
people but geographical areas, age sectors or professional activity sectors, which we
will use to put into context with customer information. - Details of properties and vehicles associated with you: these are data obtained from
the land registry and basic data on vehicles obtained from the Spanish Traffic
Directorate, which we will use to add to the information on your properties and vehicle. - Details of directors, functional officers and corporate relationships: these are
data taken from the INFORMA databases that we will use to add to the information on
your activities. - Details of agricultural subsidies and insurance: these are data published by the
Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance
Institution (ENESA). - Data from third-party companies where you have given your consent to share
them with us: your data processed by other companies with which we have
agreements and which you have authorised to share your information with us. - Browsing data: if you have accepted the use of cookies and similar technologies on
your browsing devices, the data obtained from your browsing on third-party websites
or mobile applications and the browsing you perform on them: browsing history
(pages visited and clicks on content), device ID, advertising ID and IP address. - Social media or internet details: social media or internet data that you authorise us
to view.
Use of profiling: for this processing, we will create a business profile that we will use exclusively to customise the products and services we offer you:
- Purpose of the profile: the purpose of the profile is to identify the products and
services we think may interest you, based on the information we have about you, to
offer your specific rather than generic commercial offers. - Consequences: if you authorise the processing, we will use commercial profiles to
decide which products or services to offer you. If you do not give your authorisation,
we will not use your information to customise our commercial offer. We do not use this profiling, under any circumstances, to refuse any product or
service or to set credit limits. Refusal to accept this processing will not prevent, limit
or condition your access to our full catalogue of products and services, which is
always available to you.
If you apply for any product or service, your application will be assessed in
accordance with our regular procedures. The acceptance or non-acceptance of the
analysis of your data for the purpose of customising the product offering will not
affect this assessment.
Failure to accept this processing will not prevent us from contacting you to manage
the products and services you have with us. - Logic: The profile of a customer is calculated based on the data indicated in the
''processed data'' section.
These data are applied to mathematical formulas obtained from past behaviours
observed in clients of similar characteristics to infer the customer's future behaviour.
These mathematical formulae allow us to determine the importance of all the data
processed in the final result of the applicant's profile.
This final result is the probability that the customer will be interested in a product or
service.
Other relevant information: the following section includes other relevant data processing
information:
- Pre-check of your payment capacity: when the offers we wish to propose to you
consist of products or services that involve payment in instalments or financing, we
will first check your payment capacity.
We will carry out this check by means of the processing outlined in section 6.2.C of
our privacy policy, with the aim of offering you a credit limit and repayment term
suited to our knowledge of your financial situation, in accordance with the principle of
responsibility regarding the offer of financing products required by the Bank of Spain,
under regulations on the oversight and solvency of credit institutions and responsible
lending.
Not accepting this processing does not prevent, limit or condition your access to our
catalogue of financing products and services. If you request them, we will evaluate
them with you in accordance with our standard procedures. - Duration of data processing: we will only process your data if you have given us
your consent, which will remain in force until you withdraw it. If you cancel all your
products or services with us but forget to revoke your consent, we will do so
automatically.
Joint data controllers: the following CaixaBank Group companies will process your data jointly.
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- Nuevo Micro Bank, S.A.U.
- Wivai Select Place, S.A.U.
- imaginersGen, S.A.
- VidaCaixa, S.A.U. de Seguros y Reaseguros
You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo.
B. Notification of products and services through channels
Purpose: if we have your consent, we will make our range of products and services available to you only via the following channels authorised by you: mobile applications, digital environments and electronic channels, letter or telephone.
The data we will use to communicate through the channels that you authorise will vary depending on whether you have authorised us to customise our product offerings by analysing your data:
- If we do not have your consent to customise our commercial offer (Processing A),
we will only use your identifying and contact details to send you generic offers. - If you have given us your consent to customise our commercial offer (Processing A),
we will also use the information from your commercial profile that is detailed in
processing 6.1.A to inform you of personalised offers.
Data processed: the data we will process for this purpose are:
- Identification and contact details: full name, gender, postal, telephone and email
contact information, address of residence, and language choice.
Other relevant information: the following section includes other relevant data processing
information:
- Duration of data processing: we will only process your data if you have given us
your consent, which will remain in force until you withdraw it. If you cancel all your
products or services with us but forget to revoke your consent, we will do so
automatically.
Joint data controllers: The following CaixaBank Group companies will process your data jointly:
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- Nuevo Micro Bank, S.A.U.
- Wivai Select Place, S.A.U.
- imaginersGen, S.A.
- VidaCaixa, S.A.U. de Seguros y Reaseguros
You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo.
C. Disclosure of data to other companies so they can send you advertising
Purpose: if we have your consent, we will transfer the data indicated below to companies with which we have agreements so they can offer you their products and services.
If you do not consent to this processing, we will not transfer your data. If you consent, the data we transfer to other companies will vary depending on whether you have authorised us to customise our product offerings by analysing your data:
- If we do not have your consent to customise our commercial offer (Processing A),
we will only provide these companies with your identifying and contact details. - If you have given us your consent to personalise our commercial offer (Processing
A), we will also inform these companies of your commercial profile, including
information on your preferences and needs, as well as inferred information about
your probability of payment or non-payment, or risk limits.
These third-party companies to which we may transfer your data undertake the following
activities:
- banking
- investment services
- insurance and reinsurance
- venture capital
- property
- highways
- sale and distribution of goods and services
- consultancy services
- leisure
- charity-social action
Data processed: we will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the
processing of genetic data, biometric data intended to identify you uniquely, health data or data relating to your sex life or orientation.
This is the data we will use if you consent to us disclosing your data to third parties, but we do not have your consent to personalise our commercial offer of products and services to you
(Processing A):
- Identification and contact details: full name, gender, postal, telephone and email
contact information, address of residence, nationality and date of birth, language
choice, and identification document.
We will also use the following data if you have given us your consent to personalise our
commercial offer of products and services (Processing A):
- Data obtained from other processing activities provided for in this policy:
- Risk assessment data or scoring: in financing or payment for instalments, we will
forecast your capacity to pay or not pay or the risk limits, applying statistical and
mathematical models using your data (processing defined in section 6.2.B). - Data obtained from the execution of statistical models: we use the results of
applying mathematical modelling to customer data to deduce their consumption
habits, product preferences or tendencies or to classify customers.
- Risk assessment data or scoring: in financing or payment for instalments, we will
Other relevant information: the following section includes other relevant data processing
information:
- Data transfer information: if we reach an agreement with a third company to
transfer your data, the recipient company will inform you of this, as well as of the
details of the processing they intend to carry out. - Duration of data processing: we will only process your data if you have given us
your consent, which will remain in force until you withdraw it. If you cancel all your
products or services with us but forget to revoke your consent, we will do so
automatically.
Joint data controllers: The following CaixaBank Group companies will process your data jointly:
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- Nuevo Micro Bank, S.A.U.
- Wivai Select Place, S.A.U.
- imaginersGen, S.A.
- VidaCaixa, S.A.U. de Seguros y Reaseguros
You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo.
D. Identification of customers and signing documents using biometrics
Purpose: with your consent, we will employ technical tools using biometrics to confirm your
identity and sign transactions or contracts with CaixaBank Payments & Consumer.
Data processed: the data we will process for this purpose are:
- Identifying and contact details: full name, gender and identification document
- Biometric data: facial pattern, voice biometrics or fingerprint.
Other relevant information: the following section includes other relevant data processing
information:
- Recording your biometrics is totally voluntary: we will only process your data in
this way if you have given us your express consent for us to do so. Your consent will
remain valid until you revoke it. If you do not consent to this processing, this will not
restrict your access to any product or service offered by CaixaBank Payments &
Consumer.In this case, we will verify your identity and signature using means that do
not rely on biometrics.
- Duration of data processing: we will only process this data if you have given us
your consent during the registration process in order to confirm your identity, and we
will then block the information for the period required by the regulations for the sole
purpose of complying with legal obligations or to draw up, exercise or defend
complaints or claims.
Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.
PROCESSING REQUIRED FOR CONTRACTUAL RELATIONSHIPS
The legal basis of this data processing is that it is necessary to manage contracts that you request or to which you are a party, or to apply precontractual measures if you request them, as established in art. 6.1.b) of the General Data Protection Regulation (GDPR).
Therefore, this processing is necessary for you to establish and maintain Contractual Relations with us. If you object to it, we will end these relations, or we cannot establish them if they have not yet started.
The types of processing required to establish contractual relations are listed below, arranged from (A) to (B). The following information will be indicated for each operation:a description of the purpose (Purpose), the type of processed data (Type of processed data), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).
A. Signing, maintenance and performance of Contractual Relations
Purpose: the purpose of this data processing is to formalise and maintain the Contractual
Relationships established between you and us, including the processing of your requests or
orders, the steps prior to entering into a contract (pre-contractual relationships), processed with us directly or through one of our intermediaries (such as our agent CaixaBank, S. A. or any of our brokers, who have commercial establishments of which you may be a customer), and the implementation of measures to ensure compliance with the contracts you sign with us and, where appropriate, the management of debt recovery.
This data processing involves collecting the information necessary to establish or to manage the application, to evaluate the suitability of the product and to process the information needed to properly maintain and execute the contracts.
The processing activities involved in signing, maintaining and performing the Contractual
Relations are:
- Collecting and registering the data and documents needed to apply for the requested
products. - Formalising the signing of the contracts for the products and services.
- Managing the products and services you have taken out with us, including
responding to your questions regarding operations, handling any associated
incidents and the annotation and verification of accounting entries for receiving and
making product payments and sending operational communications and managing
the collection or waiver of any fees related to products and services. - Adapting measures to resolve any defaults that may arise, including early debt
collection management, communication, where applicable, to external agencies for
collection actions, communication, where applicable, of data to credit information
systems, filing, where applicable, and monitoring of lawsuits, identification and
monitoring of situations of insolvency proceedings.
Type of data processed: the types of data we will process for this purpose (the content of which is detailed in heading 5) are:
- Identification and contact details
- Details of your professional or work activity and socio-economic information
- Sensitive data related to situations of vulnerability
- Biometric data
- Legal capacity data
- Details on special communication needs
- Contract details
- Basic financial data
- Third-party data from statements and receipts of instant accounts and payment
accounts - Data on communications maintained with you
- Data obtained from the execution of statistical models
- Data obtained from other processing activities provided for in this policy:
- Risk assessment or scoring data (processing defined in heading 6.2.B) - Data on credit information systems
- Details of Equifax Risk Score
- CIRBE details
- Data from the General Treasury of the National Social Security Institute
- Data relating to international sanctions
- Information obtained from public access sources and public records
Other relevant information: the following section includes other relevant data processing
information:
- Automated decisions: when you request a product or service, we will use mechanisms
to verify its suitability for your needs, interests and objectives based on objective
criteria (e.g. employment status or tax residence). The establishment of these objective criteria derives from regulatory obligations regarding the governance of financial products and instruments and is included in the bank's internal product design policies. If the product is deemed to be unsuitable, the applicant may not contract it, and the
application will be automatically rejected as the applicant's objective criteria are
incompatible with those of the specific requested product or service. You may challenge the automated decision or exercise your right not to be subject to a decision based solely on automated processing by contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy.
- Disclosure to credit information systems: this processing may involve disclosing
your debt or non-payment details to credit information systems based on our
legitimate interest, as described in section 6.4.D
- Obtaining contact information: This processing may involve the collection of additional contact details from you by external debt investigation and recovery agencies, which will be carried out based on our legitimate interest, as detailed in section 6.4.E
Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.
Furthermore, if the product or service you apply for is marketed by CaixaBank Payments & Consumer but issued by another company, said other company will be responsible for processing your data in relation to that contract.
This means that if you take out through CaixaBank Payments & Consumer, as a banking-
insurance operator, an insurance plan issued by VidaCaixa or SegurCaixa, these companies will
be the controllers of your data as the issuers of the products.
We will inform you about this in detail in the contractual documentation for each product or service.
B. Analysis of creditworthiness and repayment capacity for the granting and monitoring of
credit risk.
Purpose: the purpose of this data processing is to assess whether applicants and/or holders for products or services that involve the repayment of loans or credits, or deferred instalments, have the solvency and repayment capacity needed to make the scheduled payments in the operations that are analysed and/or have been granted.
Detailed information on the solvency and repayment capacity analysis process that will be carried out when you apply for or have already been granted transactions involving the repayment of loans or credits, or the deferred payment of instalments, will be provided in the transaction request you will be required to sign when you apply for these products.
The processing activities carried out to analyse the solvency or repayment capacity of applicants and/or holders of products involving financing are:
- Analysis of the repayment capacity of applicants at the time of granting new credit
operations. - Analysis of the solvency of the holders of products involving financing throughout the
life of the credit operations maintained with us to manage internal risks and prevent
payment defaults.
Types of data processed: the types of data we will process for this purpose (the content of
which is detailed in heading 5) are:
- Identification and contact details
- Details of your professional or work activity and socio-economic information
- Contract details
- Basic financial data
- Third-party data from statements and receipts of instant accounts and payment
accounts - Data obtained from the execution of statistical models
- Data obtained from other processing activities provided for in this policy:
- Risk assessment or scoring data (processing defined in heading 6.2.B)
- Data on credit information systems
- Details of Equifax Risk Score
- CIRBE details
- Demographic and socio-economic data
- Details of properties and vehicles associated with you
- Information obtained from public access sources and public records
Use of profiling: for this processing, we will create a risk profile that will be used exclusively to
analyse the solvency and repayment capacity of applicants and/or holders of products involving financing.
- Purpose: the purpose of the profile is to determine the probability of default when
granting transactions, assess the need to adjust the risk of current transactions and
calculate the provisions and capital requirements applicable to CaixaBank Payments & Consumer. - Consequences: risk profiles are tools used to support decisions on whether to grant
risk transactions or adjust the limits of existing transactions.
Transactions requested through electronic channels may involve automated decisions
on whether to grant the transaction, as detailed in the section & ''Other relevant
information''. - Logic: the applicant's profile will use the information indicated in the Type of ''processed data'' section above.
This basic information is used to assign a specific value to each piece of data on the
applicant, the sum of which produces a score indicating the probability of default or
non-compliance with monetary obligations.
The importance of each variable and its influence on the final result is calculated in
advance using mathematical models and is included in the institution's internal risk
policies.
Other relevant information: the following section includes other relevant data processing
information:
- Automated decisions: we will use automated processes to analyse solvency and
repayment capacity for applications submitted through electronic channels to check
whether the financing is suitable, depending on your characteristics and the
information you have provided. If the requested financing is deemed incompatible with your repayment capacity based on the profile calculations employed, you will not be able to contract the product, and your application will be rejected automatically in this channel.
You may resubmit an application for the transaction at one of our branches, where the
analysis does not include automated decisions, challenge the automated decision or
exercise your right not to be subject to a decision based solely on automated processing
by contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy. - Regulatory obligations: in addition to these processing operations being required
to perform the contractual relationship between you and us, this processing is
carried out in accordance with the provisions of Law 44/2002, on Financial System
Reform Measures, Law 10/2014, of 26 June, on the regulation, supervision and
solvency of credit institutions, and other obligations and standards set out in
regulations on responsible lending, to which we adhere as a credit institution. - Credit information system enquiries: the credit information systems enquiries
required for solvency analysis will be carried out based on our legitimate interest, as
detailed in section 6.4.D. - CIRBE enquiry and communication: the CIRBE enquiries required for solvency
analysis are carried out in accordance with the provisions of Law 44/2002, of 22
November, on Financial System Reform Measures. Furthermore, the data necessary
to identify the persons with whom credit risks are maintained will be communicated,
based on the same standard.
Joint data controllers: sector regulations on the prudential and solvency requirements that apply to the financial sector require that a credit operation be granted to customers and monitored jointly by all the companies that comprise the same consolidated group of credit institutions.
The following CaixaBank Group companies will process your data jointly.
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- Nuevo Micro Bank, S.A.U.
- Telefónica Consumer Finance, E.F.C., S.A.
- CaixaBank Equipment Finance, S.A.U.
- Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C.,
S.A.U. - Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
- Hipotecaixa 2, S.L.U.
- Banco BPI, S.A.
- Wivai Select Place, S.A.U.
You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo.
PROCESSING REQUIRED TO COMPLY WITH REGULATORY OBLIGATIONS
The legal basis of this processing is the requirement to comply with a legal obligation that is required of us, as laid out in Article 6.1.c) of the General Data Protection Regulation (GDPR).
Therefore, it is necessary for you to establish and maintain Contractual Relations with us. If you do not want us to carry out this processing, we will have to end this relationship, or we will not be able to establish the relationship if not already in place.
The types of processing required to satisfy the regulatory requirements are listed below, arranged from (A) to (D). The following information is indicated for each process: a description of the purpose (Purpose), the type of processed data (Type of processed data), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).
Processing to comply with anti-money laundering and terrorist financing regulations
Purpose: the purpose of this processing is to adopt the measures imposed on our activity by Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing.
The processing operations that are carried out to comply with anti-money laundering and terrorist financing regulations are:
- Collect information and documentation that allows customers to comply with due
diligence and knowledge measures. - Checking the information that you provide us.
- Check if you hold or have held a position of public trust.
- Categorising your risk level, based on which the various due diligence measures will
be applied in accordance with prevention of money laundering and financing of
terrorism regulations. - Analysing the transactions executed through CaixaBank Payments & Consumer, in
accordance with legal obligations. - Check your relationship with companies and, if necessary, your controlling position
within their ownership structure. - Reporting and updating your information monthly in the Financial Ownership
Database, managed by the Executive Service of the Commission to Prevent Money
Laundering and Financial Crimes (SEPBLAC).
Types of data processed: the types of data we will process for this purpose (the content of
which is detailed in heading 5) are:
- Identification and contact details
- Details of your professional or work activity and socio-economic information
- Contract details
- Basic financial data
- Third-party data from statements and receipts of instant accounts and payment
accounts - Data on communications maintained with you
- Data obtained from other processing activities provided for in this policy:
- Risk assessment or scoring data (processing defined in heading 6.2.B)
- Data obtained from the execution of statistical models
- Details of directors, functional officers and corporate relationships
- Data from the General Treasury of the National Social Security Institute
- Information obtained from public access sources and public records
Use of profiling: this processing involves creating a profile that we use exclusively for adopting the necessary measures in accordance with the provisions of Law 10/2010 on the Prevention of Money Laundering and the Financing of Terrorism.
- Purpose: the purpose of the profile is to prevent the contracting of operations
susceptible to money laundering or the financing of terrorism. - Consequences: profiles are tools that help money laundering and terrorist financing
prevention units determine whether operations are likely to be subject to money
laundering or terrorist financing and, therefore, whether to accept or decline them.
Joint data controllers: the following CaixaBank Group companies will process your data jointly.
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- VidaCaixa, S.A. de Seguros y Reaseguros
- BPI Vida e Pensões – Companhia de Seguros, S.A.
- Nuevo Micro Bank, S.A.U.
- CaixaBank Asset Management, SGIIC, S.A.U
- Telefónica Consumer Finance, E.F.C., S.A.
- Buildingcenter, S.A.U.
- Livingcenter Activos Inmobiliarios, S.A.U.
- Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C.,
S.A.U. - Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
- CaixaBank Wealth Management Luxembourg, S.A.
- CaixaBank Asset Management Luxembourg, S.A.
- BPI Gestão de Ativos, SGOIC, S.A.
- Banco BPI, S.A.
- Bankia Habitat, S.L.U.
- Puerto Triana, S.A.U.
You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo.
B. Processing to comply with tax regulations
Purpose: the purpose of this processing is to adopt the measures imposed on our activity by Law 58/2003, of 17 December, the General Tax Law, Royal Decree 1021/2015, of 13 November, establishing the obligation to identify the tax residence of persons who own or control certain financial accounts and to report on them in the field of mutual assistance, and other current tax regulations.
The processing operations carried out to comply with tax regulations are:
- Collection of information and documentation regarding your tax situation as required
by tax laws. - Reporting to government agencies details relating to your tax situation when required
by law or by the authority.
Types of data processed: the types of data we will process for this purpose (the content of
which is detailed in heading 5) are:
- Identification and contact details
- Details of your professional or work activity and socio-economic information
- Contract details
- Basic financial data
Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.
C. Processing to comply with obligations arising from sanctions policies and international
financial countermeasures
Purpose: the purpose of this processing is to adopt the measures imposed on our activity by the international financial sanctions and countermeasures programmes adopted by the European Union and the Kingdom of Spain.
To check if you are found on lists of people or entities included in laws, regulations, guidelines,
resolutions, programmes or restrictive measures regarding international economic and financial sanctions imposed by the United Nations, the European Union and/or the Kingdom of Spain.
Types of data processed: the types of data we will process for this purpose (the content of
which is detailed in heading 5) are:
- Identification and contact details
- Data relating to international sanctions
Other relevant information: the following section includes other relevant data processing
information:
- Sanctions programmes: CaixaBank Payments & Consumer consults programmes of
international economic-financial sanctions adopted by the Office of Financial
Sanctions Implementation (OFSI) of the His Majesty’s Treasury (HMT) of the United
Kingdom and/or the US Department of the Treasury's Office of Foreign Assets Control (OFAC) based on our legitimate interest, which is detailed in Section 6.4.G.
Joint data controllers: The following CaixaBank Group companies will process your data jointly:
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- VidaCaixa, S.A. de Seguros y Reaseguros
- Nuevo Micro Bank, S.A.U.
- CaixaBank Asset Management, SGIIC, S.A.U
- Telefónica Consumer Finance, E.F.C., S.A.
- Buildingcenter, S.A.U.
- Livingcenter Activos Inmobiliarios, S.A.U.
- Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C.,
S.A.U. - Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
- Banco BPI, S.A.
- CaixaBank Wealth Management Luxembourg, S.A.
- Bankia Habitat, S.L.U.
- CaixaBank Equipment Finance, S.A.
- Puerto Triana, S.A.U.
- CaixaBank Asset Management Luxembourg, S.A.
- BPI Gestão de Ativos, SGOIC, S.A.
- BPI Vida e Pensões – Companhia de Seguros, S.A.
You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo.
D. Processing for handling complaints and claims.
Purpose: the purpose of this processing is to handle queries, complaints and claims submitted to CaixaBank Payments & Consumer in accordance with the regulations applicable to its capacity as a financial institution; specifically, Law 44/2002 of 22 November and Order ECO/73/2004, requiring CaixaBank to have a customer service department in place to respond to complaints and claims submitted by financial users.
Furthermore, Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights requires the data controller (in this case CaixaBank Payments & Consumer) to handle any complaints submitted to its data protection officer and respond to any data protection rights exercised by data subjects.
The following processing operations are carried out to comply with regulations on the processing of complaints and claims:
- Receiving complaints and claims submitted by financial users through the CaixaBank
Payments & Consumer Customer Service Department. - Responding to complaints and claims within the established time frame.
- Managing data protection rights and queries submitted to the data protection officer of
CaixaBank Payments & Consumer and the necessary activities to collaborate with the control authority (Spanish Data Protection Agency).
Types of data processed: The types of data we will process for this purpose (the content of
which is detailed in heading 5) are:
- Identification and contact details
- Legal capacity data
- Details on special communication needs
- Contract details
- Basic financial data
- Third-party data from statements and receipts of instant accounts and payment accounts:
- Data on communications maintained with you
- Own browsing data
- Data on credit information systems
- CIRBE details
Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.
PROCESSING BASED ON THE LEGITIMATE INTEREST OF CAIXABANK PAYMENTS & CONSUMER
The legal basis of this processing is the legitimate interest pursued by CaixaBank Payments &
Consumer or a third party, provided that these interests do not take precedence over your interests, or your fundamental rights and freedoms, as per art. 6.1. f) of the General Data Protection Regulation (GDPR).
This processing will imply that we have considered your rights and our legitimate interest and we have concluded that the latter prevails. Otherwise, we would not process the data. You can ask about the analysis that is done to weigh the legitimate interest of a processing operation at any time by emailing your enquiry to delegado.proteccion.datos@caixabank.com.
We also remind you that you have the right to object to processing based on a legitimate
interest. If you consider that CaixaBank and, where applicable, joint data controller companies
should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of charge through the channels indicated in heading 4.
This processing is indicated below from (A) to (F). The following information will be indicated for each operation: CaixaBank Payments & Consumer's Legitimate Interest (CaixaBank Payments & Consumer's legitimate interest), a description of the purpose (Purpose), the type of processed data (Type of processed data), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).
A. Management of the performance of employees, agents and suppliers
Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments &
Consumer's legitimate interest in this process is to manage its relations with employees, agents,suppliers and brokers based on their professional performance.
Purpose: the purpose of this processing is to monitor the performance, objectives and
professional challenges of employees, suppliers and brokers by analysing the operations and
contracts that they maintain with customers.
Types of data processed: the types of data we will process for this purpose (the content of
which is detailed in heading 5) are:
- Contract details
- Basic financial data
Other relevant information: the following section includes other relevant data processing
information:
- Right to object to processing: if you consider that CaixaBank Payments &
Consumer should be aware of any particular situation or other justifiable reasons for
us to stop processing your data, you may submit a request to this effect simply and
free of charge through the channels indicated in heading 4. - Ancillary use of your data: these data processing activities deal with customer
information, but their information is ancillary to the purpose pursued. This processing
has no effect or consequence on the data subject.
Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.
B. Fraud prevention
Legitimate interest of CaixaBank Payments & Consumer: the legitimate interest of CaixaBank Payments & Consumer and the joint data controller companies listed in this section for carrying out this processing is to prevent fraud that could lead to financial or reputational damage to the institution or its customers.
Purpose: the purpose of this processing is to adopt the necessary measures to prevent malicious transactions or conduct before they occur or to mitigate their impact if they do occur by identifying suspicious transactions or conduct that could involve an attempt to defraud the institution or its customers.
The processing operations carried out to prevent fraud are:
- Verifying the identity of customers that interact with the bank to prevent fraudulent
access to information or operations. - Reviewing and analysing the contracts and operations carried out in our systems to
protect our customers from fraud through any channel and prevent cyberattacks. - To confirm your identity and the validity of the identification documents provided with
national and international databases managed by law enforcement and similar
agencies, like INTERPOL (International Criminal Police Organization), to confirm that
you are the holder of the identification document you provide us and to protect you
from identity theft (when another person pretends to be you). - Consulting the information included in the PAYGUARD Fraud Prevention Service to
detect fraudulent accounts and report, where appropriate, fraudulent transactions.
Types of data processed: the types of data we will process for this purpose (the content of
which is detailed in heading 5) are:
- Identification and contact details
- Details of your professional or work activity and socio-economic information
- Contract details
- Basic financial data
- Third-party data from statements and receipts of instant accounts and payment
accounts - Data on communications maintained with you
- Own browsing data
- Geographical details
- Data obtained from other processing activities provided for in this policy
- Risk assessment or scoring data (processing defined in heading 6.2.B
- Data obtained from the execution of statistical models
Use of profiling: this processing involves creating a profile of your usual operations and
activities, which we use exclusively to detect irregular situations that may indicate an attempt to commit fraud.
- Purpose: the purpose of the profile is to identify operations or interactions that are
unusual or not in line with your behaviour profile that could be an attempt to commit
fraud or gain fraudulent access to information. - Consequences: profiles are tools that help to identify fraudulent transactions. The use
of these profiles requires the implementation of measures, including reviewing
transactions in detail, blocking transactions and rejecting their automatic execution.
Other relevant information: the following section includes other relevant data processing
information:
- Automated decisions: for the purpose of fraud prevention, we will use automated
processing to try to detect fraudulent transactions.
In the case of transactions that cannot be reversed once executed, such as immediate
payments or transfers, the automated processes will block any suspicious transactions
and prevent them from being executed.
You may request the transaction again, challenge the automated decision or exercise
your right not to be subject to a decision based solely on automated processing by
contacting CaixaBank Payments & Consumer directly through the channels set out in section 4 of this policy. - Right to object to processing: If you consider that CaixaBank Payments &
Consumer and, where applicable, joint data controller companies should be aware of
any particular situation or other justifiable reasons for us to stop processing your data,
you may submit a request to this effect simply and free of charge through the
channels indicated in heading 4. - PAYGUARD Fraud Prevention Service: CaixaBank is a member of the PAYGUARD
Fraud Prevention Service, which covers the country's leading financial institutions and is managed by Sociedad Española de Sistemas de Pago, S.A. (Spanish Payment
Systems Company) (Iberpay). This service aims to minimise the levels of fraud related to movements between accounts by detecting, investigating, monitoring and reporting, where applicable, suspicious and fraudulent transactions involving customers' current or savings accounts. The legal basis for the processing is the legitimate interest in preventing the type of fraudulent activity that could affect these transactions.
CaixaBank may include in the PAYGUARD Fraud Prevention Service data related to the
IBAN number and identifying details of the holder of the account where the suspicious or fraudulent transaction has been detected. You can view the updated list of participating institutions at: https://www.iberpay.es/es/servicios/servicios/prevenci%C3%B3n-del-fraude/
The data will be stored for a maximum of thirty days for suspicious transactions, and one
year for confirmed fraudulent transactions.
The institutions participating in the PAYGUARD Fraud Prevention Service are the joint
controllers of your data. You can request the main aspects of the joint data controller
agreement by sending an email to www.caixabank.com/delegadoprotecciondedatos
and also exercise your rights regarding the processing of your data through any of the
channels indicated in section 4. ''Exercising rights and filing complaints through the Spanish Data Protection Authority (AEPD)''.
Joint data controllers: The following CaixaBank Group companies will process your data jointly:
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- Nuevo Micro Bank, S.A.U.
- Global Payments Moneytopay, EDE, S.L.
You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo.
C. Consultation and communication with credit reporting systems as part of the
application for and subsequent management of products that involve financing.
Legitimate interest of CaixaBank Payments & Consumer: the legitimate interest of CaixaBank Payments & Consumer to carry out this processing is to avoid non-payment and defaults by applicants or account holders of those products that involve financing.
Purpose: the purpose of this processing is to assess the solvency and repayment capacity (i) to
ensure adequate compliance by the interested parties with their payment obligations resulting
from the transactions granted, (ii) to monitor and manage the transactions granted, and (iii) to
prevent and manage defaults and non-performing loans.
The processing operations carried out when checking solvency records are:
- Checking your information: the databases of the following solvency and credit files shall
be consulted prior to approving the transactions involving financing or in order to
monitor and manage the risk of the credit granted: (i) Asnef database; (ii) Badexcug
database. - Communicate your personal details: if you stop making payments in relation to any of
the monetary obligations you have undertaken with us pursuant to our Contractual
Relations, we may disclose your payment default details to the following credit
information systems subject to the conditions and requirements outlined by law:
Types of data processed: the types of data we will process for this purpose are:
- Identification and contact details
- Contract details
- Basic financial data
- Data on credit information systems
Other relevant information: the following section includes other relevant data processing
information:
- Right to object to processing: if you consider that CaixaBank Payments &
Consumer should be aware of any particular situation or other justifiable reasons for
us to stop processing your data, you may submit a request to this effect simply and
free of charge through the channels indicated in heading 4.
Data Controller: CaixaBank Payments & Consumer is responsible for the part of the processing related to consulting credit information systems. CaixaBank Payments & Consumer and the Asnef and Badexcug databases are jointly responsible for the part of the processing related to communication to credit information systems:
- Asnef database: Asnef Equifax Servicios de Información sobre Solvencia y Crédito.
Apartado de correos 10546, 28080 Madrid (sac@equifax.es) - Badexcug database: Apartado de correos 1188, 28108 Alcobendas
(badexcug@experian.com)
D. Collection of additional contact details for default management
Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments &
Consumer's legitimate interest is to collect the debt in non-payment situations, which requires having up-to-date contact details on its customers.
Purpose: the purpose of this processing is to obtain additional customer contact information to contact them in the event they breach their contractual obligations.
Additional contact details are obtained from public lists (white pages, yellow pages and
Lleida.net) and private lists (Equifax or Detectives) through debt collection agencies, ensuring
that the data collected complies with the quality principle and is obtained legally.
Types of data processed: the types of data we will process for this purpose are:
- Identification and contact details
- Information obtained from public access sources and public records
Other relevant information: the following section includes other relevant data processing
information:
- Right to object to processing: if you consider that CaixaBank Payments &
Consumer should be aware of any particular situation or other justifiable reasons for
us to stop processing your data, you may submit a request to this effect simply and
free of charge through the channels indicated in heading 4.
Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.
E. Preparation of management reports and mathematical models
Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments &
Consumer's legitimate interest in carrying out this process is to design, organise and optimise its corporate and commercial activity as efficiently as possible, which requires having reports on the management and activity of the company and the market, as well as advanced information analysis mathematical algorithms.
Purpose: the purpose of this processing is to prepare reports on the company's activity and its relationship with the market, on the composition and evolution of its customer base and on the convenience and effectiveness of its products and services. These reports are used to manage said products/services and to create and maintain statistical and mathematical models that allow for the processing detailed in this policy to be carried out and that require advanced calculations and analysis of the information.
Types of data processed: the data we will process for this purpose is that which has been
identified previously for each processing type. We will apply, whenever possible, anonymisation or pseudonymisation techniques to ensure that this processing does not have an impact on the rights of the data subjects and that the processing results in reports with statistical or aggregated information or mathematical or algorithmic formulas.
Other relevant information: the following section includes other relevant data processing
information:
- Right to object to processing: if you consider that CaixaBank Payments &
Consumer should be aware of any particular situation or other justifiable reasons for
us to stop processing your data, you may submit a request to this effect simply and
free of charge through the channels indicated in heading 4. - Ancillary data processing: the processing of data to create statistical reports and
mathematical models is not intended to process individual customer data. This data processing is necessary but ancillary to the main purpose of preparing management reports or algorithmic or mathematical formulas and is thus carried out using, whenever possible, anonymising techniques or, failing that, pseudonymisation and minimising the information processed. This processing has no effects or consequences on the individual data subject.
Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.
F. Sending of commercial communications based on a basic commercial profile
Who does this processing apply to? We will only process your data in this way if:
- you have not indicated your preferences for the commercial processing described in
sections 6.1.A., 6.1.B. and 6.1.C of this policy; - we have sent you a personalised communication informing you of this; and
- you have not exercised your right to objection.
Legitimate interest of CaixaBank Payments & Consumer: CaixaBank Payments &
Consumer's legitimate interest in processing this data is to promote the marketing of the products and services in its portfolio and to ensure customer loyalty.
Purpose: the purpose of this processing is to send commercial communications on products and services similar to those you have with CaixaBank Payments & Consumer based on a basic commercial profile that we will create using your data.
Types of data processed: the types of data we will process for this purpose are:
- Identification and contact details: full name, gender, postal, telephone and email
contact information, address of residence, nationality and date of birth, language
choice, and identification document. - Details of your professional or work activity and socio-economic information:
professional or employment activity, income or salary. - Contract details: contracted or requested products and services, account holder
status, authorised or representative of the product and service contracted and
information and transactions related to your financing operations. - Basic financial data: current and historical balances of products and services and
payment history of contracted products and services. - Data obtained from the execution of statistical models: we use the results of
applying mathematical modelling to client data, which helps us combat fraud, detect
your consumer habits, preferences or product tendencies for regulatory compliance,
and manage your products and services. - Data obtained from other processing activities provided for in this policy:
- Risk assessment data or scoring: in financing or payment for instalments, we will forecast your capacity to pay or not pay or the risk limits, applying statistical and mathematical models using your data (processing defined in section 6.2.B).
- Demographic and socio-economic data: these are data not relating to specific
people but geographical areas, age sectors or professional activity sectors, which we
will use to put into context with customer information.
Use of profiling: for this processing, we will only prepare a basic commercial profile using the
data specified previously:
- Purpose of the profile: the purpose of the profile is to identify the products and
services we think may interest you in order to offer your specific rather than generic
commercial offers. - Consequences: the consequence of using the basic commercial profile is the
sending of customised offers on CaixaBank Payments & Consumer products and
services based on the data we have specified. We do not use this profiling, under any
circumstances, to refuse any product or service or to set credit limits.
Your refusal to accept this processing will not prevent, limit or condition your access to
our full catalogue of products and services, which is always available to you.
If you apply for any product or service, your application will be assessed in
accordance with our regular procedures. Your objection to this processing will not
affect this assessment.
Failure to accept this processing will not prevent us from contacting you to manage
the products and services you have with us. - Logic: this basic commercial profile is calculated based on the data indicated in the
''Processed data'' section, with a time period spanning thirteen months.
This data is processed using mathematical formulas obtained from past behaviours
observed in customers of similar characteristics so as to infer the customer's
propensity to consume. These mathematical formulas allow us to determine the
importance of all the data processed in the final result of the customer's profile.
This final result is the probability that the customer will be interested in a product or
service.
Other relevant information: the following section includes other relevant data processing information:
- Right to object to processing: please note that you have the right to object to
processing based on a legitimate interest.
You can do so simply and free of charge at the following link:
https://www.caixabank.es/apl/particulares/gdpr/index_es.html?empresa=6&derecho=o posicioncomunicaciones.
You can also use the normal channels described in section 4.
If you decide to exercise your right of objection, we inform you that we will stop
processing the data without requiring you to provide a reason for us to stop
processing your data. - Pre-check of your payment capacity: when the offers we wish to propose to you
consist of products or services that involve payment in instalments or financing, we
will first check your payment capacity.
We will carry out this check by means of the processing outlined in section 6.2.B of
this privacy policy, with the aim of offering you a credit limit and repayment term suited
to our knowledge of your financial situation, in accordance with the principle of
responsibility regarding the offer of financing products required by the Bank of Spain,
under regulations on the oversight and solvency of credit institutions and responsible
lending. - Duration of data processing: this processing will come into effect on 10 October
2022. In any case, you will receive a personalised informative message beforehand.
We will stop processing this data, with no other additional requirements, in either of
these two circumstances:
- When we contact you to request your consent to the commercial processing
carried out by the CaixaBank Group companies described in section 6.1 (A, B
and C), whether you authorise or reject them.
- If you exercise your right of objection.
Data Controller: the data controller is CaixaBank Payments & Consumer. This processing is not done with another controller.
G. OFSI and OFAC international financial sanctions policies and countermeasures.
Legitimate interest of CaixaBank Payments & Consumer: the legitimate interest of
CaixaBank Payments & Consumer and the joint data controller companies listed in this section for carrying out this processing is to comply with international financial sanctions and
countermeasures programmes of the United States and the United Kingdom, with a view to
carrying out their business activities in those countries.
Purpose: the purpose of this processing is to adopt the measures envisaged in the international financial sanctions and countermeasures programmes adopted by the Office of Financial Sanctions Implementation (OFSI) of the His Majesty’s Treasury (HMT) of the United Kingdom and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
In order to comply with these international financial sanctions and countermeasures
programmes, we will check whether you are included on lists of persons or entities subject to
the restrictive measures of these two bodies.
Types of data processed: the types of data we will process for this purpose (the content of
which is detailed in heading 5) are:
- Identification and contact details
- Data relating to international sanctions
Other relevant information: the following section includes other relevant data processing
information:
- Right to object to processing: if you consider that CaixaBank Payments &
Consumer should be aware of any particular situation or other justifiable reasons for us to stop processing your data, you may submit a request to this effect simply and free of
charge through the channels indicated in heading 4.
Joint data controllers: The following CaixaBank Group companies will process your data jointly:
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- VidaCaixa, S.A. de Seguros y Reaseguros
- Nuevo Micro Bank, S.A.U.
- CaixaBank Asset Management, SGIIC, S.A.U
- Telefónica Consumer Finance, E.F.C., S.A.
- Buildingcenter, S.A.U.
- Livingcenter Activos Inmobiliarios, S.A.U.
- Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C.,
S.A.U. - Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
- Banco BPI, S.A.
- CaixaBank Wealth Management Luxembourg, S.A.
- Bankia Habitat, S.L.U.
- CaixaBank Equipment Finance, S.A.
- Puerto Triana, S.A.U.
- CaixaBank Asset Management Luxembourg, S.A.
- BPI Gestão de Ativos, SGOIC, S.A.
- BPI Vida e Pensões – Companhia de Seguros, S.A.
You will find the essential aspects of the joint data controller agreements at:
www.caixabank.es/empresasgrupo.
RECIPIENTS OF THE DATA
Data controller and joint data controllers
The data we process in your capacity as a customer of CaixaBank Payments & Consumer is
processed by CaixaBank Payments & Consumer. If data is processed by joint data controllers, it will be processed by CaixaBank Group companies in accordance with the previous processing sections.
Authorities or official bodies
Credit institutions such as CaixaBank Payments & Consumer and other payment service providers may be legally required to provide information on transactions we carry out to authorities or official bodies in other countries located both within and outside the European Union. This obligation is within the scope of the fight against financing terrorism, serious forms of organised crime, and money laundering, as well as the prudential supervision of credit institutions by the Bank of Spain and the European Central Bank.
This obligation may also apply to payment services and technology service providers with which we
maintain relations and to which we send data to carry out transactions.
Credit reporting databases
If you stop making payments in relation to any of the monetary obligations you have undertaken with us pursuant to our Contractual Relations, we will be able to disclose payment default details to the following credit information systems in the conditions and requirements outlined in regulations:
- Asnef database: Asnef Equifax Servicios de Información sobre Solvencia y Crédito. Apartado
de correos 10546, 28080 Madrid (sac@equifax.es). - Badexcug database: Apartado de correos 1188, 28108 Alcobendas (badexcug@experian.com).
We inform you that you can exercise your rights to access, rectify, object to processing, delete, restrict processing, transfer your personal data and not be subject to automated decision-making in accordance with the law with these records regarding fulfilment or non-fulfilment at the indicated addresses.
Disclosure of data to outsourced service providers
Sometimes we use service providers with potential access to personal data.
Such providers grant an adequate, sufficient safeguarding service when it comes to processing your data, since we carefully screen service providers by including specific demands in the event that their services involve the need to process personal data.
The type of services we can assign to service providers is:
- Financial back office services
- Administrative support services
- Audit and consulting services
- Legal and non-payment recovery services
- Payment services
- Marketing and advertising services
- Survey services
- Call centre services
- Logistical services
- Physical security services
- Computer services (system and information security, cybersecurity, information systems,
architecture, hosting, data processing) - Telecommunications services (voice and data)
- Printing, enveloping, postal and courier services
- Data storage and destruction services (digital and physical)
- Maintenance services for buildings, installations and equipment
DATA STORAGE PERIODS
Storage for maintaining Contractual Relations
We will process your data as long as the Contractual Relations we have established remain in force.
Storage of authorisations for processing based on consent
We will process the data based on your consent, until you revoke it.
If you cancel all your product and service contracts with the CaixaBank group companies but do not
withdraw the consent you have given us, we will automatically void said consent until you stop being
our customer.
Storage to comply with legal obligations and to formulate, exercise and defend claims
Once authorisations for use have been revoked as you have withdrawn your consent, or the contractual or business relations established with us have ended, we will only keep your data to comply with legal obligations and to allow you to formulate, exercise or defend claims during the limitation period for actions derived from these contractual relations.
We will process this data by applying the technical and organisational measures required to
guarantee that it is only used for these purposes.
Data destruction
We will destroy your data when the retention periods imposed by the regulations governing CaixaBank Payments and Consumer's activity have passed and the limitation periods for administrative or judicial actions arising from the relations established between you and us have elapsed.
DATA TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA
At CaixaBank Payments & Consumer, we process your data within the European Economic Area and generally, our service providers are located within the European Economic Area or in countries that are deemed to have an adequate level of data protection.
If we need to use brokers that carry out processing outside the European Economic Area or in countries Not determined to have an adequate level of data protection, we will ensure that your data is processed in a secure and legitimate manner.
For this purpose, we require these brokers and service providers to apply suitable guarantees in
accordance with the GDPR (such as binding corporate standards guaranteeing information protection
in a similar way to European standards) or to subscribe to the standard clauses of the European
Union. You may request a copy of the proper guarantees required by CaixaBank Payments &
Consumer from these vendors by contacting the data protection officer at
www.caixabank.com/delegadoprotecciondedatos.
AUTOMATED DECISIONS
Section 6 of this policy contains information on the type of processing that incorporates automated
decision-making.
If, during the Contractual Relationships you maintain with us, we adopt decisions that could establish
legal effects for you or could significantly affect you (for example, preventing you from taking out a
certain product) based solely and exclusively on automated processing (i.e. without the participation
of a person), we will inform you of this, as well as of the logic through which we adopted it, in the
contractual documentation of the product or service you have requested.
Moreover, at that time, we will also adopt measures to safeguard your rights and interests by giving
you the right to human involvement, to express your views and to challenge the decision.
REVIEW
We will revise this privacy policy whenever necessary to keep you duly informed, for example, when
publishing new standards or criteria or when we engage in new processing activities.
We will notify you through the usual communication channels whenever there are substantial or
important changes to this privacy policy.
Last review date
9 June 2023