Background
With this document, the Bank aims to provide all the information related to the processing of personal data that it carries out within the framework of its activity, and which may concern data relating to its customers, their representatives or other holders of personal data processed by the Bank in any other capacity.
It is therefore the purpose of this Privacy Policy to explain which personal data we collect about you, how we use it, to whom we transmit it and under what conditions, as well as the mechanisms we use to ensure the security and privacy of your personal data.
Our commitment is to ensure that the personal data of all those who in any way have a relationship with BPI, including yours, will be processed in accordance with best security and data protection practices.
For this reason, please read this document to understand how we handle your data and what rights you have as a data subject. Should you have any queries, please do not hesitate to ask for clarification from BPI's Data Protection Officer via the contacts indicated below, in the section "Data Protection Officer".
Data controller
BPI is responsible for the processing of your data within the scope of the commercial relationship established with you. Nevertheless, and given its integration in the CaixaBank Group, some processing is performed by BPI, by legal or regulatory imposition, jointly with other companies which are also members of that corporate group. Specifically, the processing of your data by the Bank jointly with other CaixaBank Group companies, further explained in the chapter of this Policy "Personal Data we share and with Whom", is exclusively for the following purposes:
(i) analysis of the credit risk of Customers who apply for or take out credit and who are common to BPI « and another company of the CaixaBank Group.
(ii) analysis of the risk of money laundering and terrorist financing; and
(iii) adoption of restrictive measures imposed on banking activities under international financial sanctions and countermeasures programmes.
Data Protection Officer
For any clarification of this Privacy Policy or for any information regarding the processing of your data, « you may contact BPI's Data Protection Officer by letter, addressed to the BPI DPO - Avenida da Boavista, n.º 1117, 4100-129 Porto or via the following e-mail address: dpo.rgpd@bancobpi.pt.
National Commission for Data Protection
Should you wish, you may also lodge complaints or requests for information with the National Commission for Data Protection, which is the national supervisory authority that controls and supervises compliance with the General Data Protection Regulation and applicable national law.
Personal data we process
To help you understand what personal data we process, please note that personal data is any information about you that directly or indirectly identifies you (e.g., name, civil or tax identification number, location or contact details).
We may therefore process personal data resulting from your contracting with the Bank for products and/or services or resulting from the management of the Bank's relationship with you, directly or through our credit intermediaries or partners.
We also process personal data when you interact with us, for example when you visit our websites or mobile applications, contact us by phone or visit one of our branches or ask us about any of our products or services. The following are the main categories of personal data we collect and process:
Categories or Personal Data | Examples |
Identity, family and contact data | Name, identification document number, tax identification number, photograph, signature, address, phone number or e-mail address, date of birth, gender, nationality, place of birth, marital status, household information, education, or employment data. |
Financial Data | Financial wealth, liabilities in the financial sector, income from employment or self-employment, business activity, expenses, among others. |
Product and Service Data | Current account number, balance, debit/credit card number, amount and conditions of credits contracted, respective terms and interest rate, credit risk assessment and other information regarding products and services purchased or subscribed by the Customer and respective conditions. |
Operations Data | Date, time, description, and value of banking operations performed, such as deposits, withdrawals, transfers, and payments. |
Data related to the use of Digital Channels | Access codes and coordinates, digital signature, and biometric data. Visited pages, or information about the equipment used to access digital channels (e.g., IP address, geographical location, browser used). |
Segments and profiles | Business segment, profile or degree of credit risk, investor profile, or propensity to purchase financial products. |
Tax information | Address and classification of the holder subject to tax rules of other jurisdictions, e.g., a US citizen and resident in Portugal. |
Images | Images collected through video surveillance cameras placed in our premises. |
Recording of telephone conversations | Listing and recording of telephone calls held with you, for (i) compliance with legal obligations such as the Financial Markets Directive - MiFID II and related legislation; (ii) contractual evidence such as stock exchange orders transmitted by phone; (iii) responding to complaints or (iv) responding to satisfaction surveys. |
The way we collect personal data
The data we process may be directly provided by you in the context of the relationship established with you, such as identification, contact, family, and professional data, or arising from the use of products and services marketed by the Bank. The Bank also collects data relating to your use of the Bank's websites and applications (e.g., pages visited, user preferences, etc.), which is obtained using the Bank's cookies or those of third parties (for further information on the type of cookies used by the Bank and the data collected, please refer to the section of this policy on "Use of Cookies").
Other than the data we collect from you, we also collect personal data for certain purposes from other CaixaBank Group companies (see "What Personal Data We Share and With Whom") and from third parties, such as the Central Credit Register of the Bank of Portugal, other public entities, or agents of the Bank.
We may also collect personal data from potential customers of the Bank (e.g., name, address, age, e-mail address and phone number) through several sources, such as in the context of promotional campaigns, BPI sales stands and the Bank's social networks.
Purposes and basis we process personal data on
BPI only processes your personal data when there is a source of legitimacy for the respective processing.
Data may be processed by the Bank in the following circumstances:
- For the conclusion, performance, and management of a contract to which it is a party or for pre-contractual procedures at your request.
- Based on your prior, express, written or by explicit action, informed, free and informed consent to specific purposes.
- When the processing is required for compliance with the various legal obligations - national and European - to which BPI is subject.
- When the processing is required for the purposes of the legitimate interests pursued by BPI or by third parties.
Please find below examples of the main purposes for which BPI, within the scope of its activity, processes personal data. However, in addition to these, BPI may also process personal data for other purposes, not specifically detailed in this Privacy Policy, but always resulting from the contracting of specific products or a specific campaign of the Bank. In such circumstances, BPI will ensure that you are provided with the appropriate information and that your consent is obtained, where applicable.
Identification of the Main Purposes for which BPI processes the data of the Data Subjects and the respective source of lawfulness:
I. For execution of a contract or pre-contractual procedures
Categories of Personal Data | Examples |
Opening and managing accounts | Collecting and registering data from Customers, or their Representatives, and updating or changing identifying elements when opening, maintaining, and closing accounts. Issuing account statements. With respect to the data of the Representatives, Proxies as well as BPI Net Empresas Users, such data is collected for the purposes of representation of their principals and, where consent is given, for the presentation of proposals for the acquisition of financial products and services. |
Subscription and contracting of financial products and services | Subscription, simulation, creation and management of financial products and the provision of information on products and services acquired or subscribed by the Customer. |
Credit granting and management | Registration, simulation, analysis and decision of credit operations and respective guarantees, contracting or collection of instalments. |
Analysis of the Customer's economic and financial capacity and risk assessment | Collecting and analysing data on the economic and financial capacity of customers and carrying out risk assessment of operations contracted, or to be contracted, through consulting and exchanging data with credit information systems. |
Marketing of Third-Party Products (credit and debit cards and insurance): | Collection and analysis of data for the subscription of products marketed by the Bank on behalf of the third party issuer of the same, of which the Bank is an Agent, such as, for example, in the case of insurance or credit cards marketed by the Bank. |
Execution of banking operations | Processing of deposits, direct debits, top-ups, payments, national and international transfers, and execution of customer orders for financial instruments. |
Subscription and management of services related to Digital Channels | Subscription to Digital Channels, management of access credentials and activation and deactivation of the related Services. |
Recording of telephone conversations | Recording of calls to verify compliance with contractual obligations. |
II. Compliance with legal obligations
Purposes | Examples |
Customer identification and knowledge | Collection of identification data (e.g., name, civil and tax identification, and address) for subsequent contracting of Bank products and services, within the scope of compliance with legislation on the prevention of money laundering and fight against terrorist financing. |
Other obligations under the measures to prevent money laundering and fight financial crime | Determination, segmentation and assessment of the money laundering and terrorist financing risk profile; response to requests for information from Authorities; analysis of the lists of politically exposed entities and persons, aimed at ensuring reports to supervisory and judicial authorities, among others, or compliance with and enforcement of restrictive measures. |
Analysis of the Customer's economic and financial capacity and risk assessment of a credit requested by the Customer | Collecting and analysing data on the economic and financial capacity of customers and carrying out risk assessment of operations contracted or to be contracted, for the purpose of assessing the customer's solvency, as required by law. Additionally, the regulations applicable to the financial sector require that the granting and analysis of the solvency of the Customer is performed by the entities integrating the same consolidated group, of financial nature, in a global perspective, and, for such, they should treat the risk information jointly, for which reason this is one of the treatments performed jointly with the other entities of CaixaBank Group. |
Assessment of Customers' knowledge and experience in contracting investment products and respective classification | Collecting the necessary information to classify and segment the Customer, guaranteeing an adequate level of protection according to the Customer's level of information, training, and experience in contracting financial instruments, and to assess the suitability of contracting certain investment and savings-investment insurance products and services that the Customer wishes to contract. |
Provision of information and response to requests from Public Authorities | Providing compulsory information and responding to requests from the Judicial Authorities and/or other public entities, namely within the scope of seizure orders, distraints and inventories of assets, insolvency proceedings and proceedings for the certificate of inheritance (e.g., name, civil and/or tax identification, address, account identification, as well as other data relative to the process in question), and the Tax Authority. |
Handling and providing mandatory information and responding to requests from Regulatory Authorities: | Compliance with reporting obligations to Regulatory Bodies, namely the European Central Bank, Bank of Portugal, Portuguese Securities Market Commission (CMVM), National Commission for Data Protection (CNPD), Tax Authority or Judicial Authorities. |
Video surveillance systems | Adoption of means and procedures for the security of people and goods that involve the collection of images in the context of video surveillance. |
Recording of telephone conversations | Adoption of means and procedures for the security of people and goods that involve the collection of images in the context of video surveillance. |
Complaints Management | Reception, analysis, response and filing of Customer requests for information and complaints. |
III. BPI's Legitimate Interest
Before processing personal data based on its own or a third party's Legitimate Interest, BPI conducts a balancing test of the interests at stake. BPI will only process your data where it has concluded that the legitimate interests of BPI, or of Third Parties, are equivalent to or override the interests and rights of the Data Subject.
You may request clarification about the basis for this type of processing by sending your request to the Data Protection Officer, using the contacts identified in this policy.
In any case, the Data Subject, under the terms and situations foreseen in Article 21 of the GDPR, has the right to oppose the processing of their data for these purposes. In such cases, the Bank shall cease to process your data unless it has compelling legitimate reasons for continuing to conduct such processing.
Purposes | Examples |
Customer Satisfaction Assessment | Carrying out questionnaires to assess customer satisfaction regarding products and services sold by the Bank. |
Assignment of Credits | Sale of credit portfolios to third parties, namely for securitisation purposes. |
Customer Segmentation | Allocation of Customers to the various segments created by the Bank according to their objective characteristics, such as address, assets, and age, allowing better organisation and distribution of the Bank's internal resources. The allocation of certain Customers to the Private segment or to the exclusively digital segment are examples of this |
Communication of the Bank's offer | Communication of the Bank's commercial offer that each manager, within the context of the contractual relationship established, makes to the Customers he or she assists. |
Development of new products and services | Development by the Bank of new products and services or improvement of the existing offer, considering the objective trends of its Customers |
Management control | Data processing to produce control and management information for the Bank. |
Internal audit | Collection and analysis of data within the scope of the internal audit of the Bank's processes and operations. |
Prevention of market abuse practices | Identification of the data subjects that are related to employees of the Bank, subject to the internal code of conduct, adopted by the Bank within the framework of the legislation of the securities markets, as well as the financial operations carried out by them. |
Development of predictive models | Development of generic, predictive models, using artificial intelligence, to improve the Bank's offer and optimise internal processes. When developing these models, the Bank resorts to statistical models and advanced algorithms, using only anonymised personal information/data. |
Sending invitations and gifts to Customers and potential Customers | Sending invitations to Bank events and gifts to Customers and potential Customers. Maintenance of the respective record in a database for the same purpose. |
Credit recovery | Credit recovery actions, or intervention in insolvency proceedings or of any other nature, with a view to exercising or defending BPI's rights as a creditor or financial services provider. |
Notification of campaigns/draws | Communication to Customers of campaigns and draws associated with products and services contracted by them. |
Monitoring the quality of service | Call recording for direct monitoring of the quality of service provided to the Customer. |
IV. Consent
The processing identified below is carried out based on the consent given by the respective Data Subject. This consent must be prior, express, and given for specific and defined purposes and may, at any time, be withdrawn through the means made available by BPI and further described in the chapter "Rights of the Data Subjects". Consent shall remain valid until it is withdrawn, or the business relationship established with the Bank is terminated.
Purposes | Examples |
Profiling | With your consent, the Bank will process your personal data by automated means to adjust the Bank's offer to your preferences or propensity to purchase and/or subscribe to products/services, thereby customising its commercial offers addressed to you. |
Cookie management | Except for cookies essential for the normal functioning of its public websites, the Bank uses cookies and other similar technologies (e.g., analytics tracking), with your express consent, to collect, process and analyse your browsing behaviour to customise and improve your user experience and customise your experience on the Bank's websites and applications. For further information, please see the chapter "Use of Cookies" of this policy. |
Sending communications for direct marketing purposes | Marketing actions of products and/or services marketed by the Bank through email, letter, or telemarketing. Specifically, the Bank requests, with your express consent, to send you offers for products and services via postal mail, email, telemarketing, SMS, email, and other digital means, including its digital channels, push notifications (messages that appear on mobile devices), or other means that may become available in the future. |
Use of biometric data | With your consent, BPI will use technical means to allow you to use your biometric data to verify your identity on the Digital Channels made available by BPI. |
Contacts and presentation of commercial proposals to potential Customers | BPI, within the scope of events it organises, may collect the contact details of the data subjects of potential Customers, and the respective consent, for the presentation of its products and services. |