Privacy Policy

Background

With this document, the Bank aims to provide all the information related to the processing of personal data that it carries out within the framework of its activity, and which may concern data relating to its customers, their representatives or other holders of personal data processed by the Bank in any other capacity.

It is therefore the purpose of this Privacy Policy to explain which personal data we collect about you, how we use it, to whom we transmit it and under what conditions, as well as the mechanisms we use to ensure the security and privacy of your personal data.

Our commitment is to ensure that the personal data of all those who in any way have a relationship with BPI, including yours, will be processed in accordance with best security and data protection practices.

For this reason, please read this document to understand how we handle your data and what rights you have as a data subject. Should you have any queries, please do not hesitate to ask for clarification from BPI's Data Protection Officer via the contacts indicated below, in the section "Data Protection Officer".

 

Data controller

BPI is responsible for the processing of your data within the scope of the commercial relationship established with you. Nevertheless, and given its integration in the CaixaBank Group, some processing is performed by BPI, by legal or regulatory imposition, jointly with other companies which are also members of that corporate group. Specifically, the processing of your data by the Bank jointly with other CaixaBank Group companies, further explained in the chapter of this Policy "Personal Data we share and with Whom", is exclusively for the following purposes:
(i) analysis of the credit risk of Customers who apply for or take out credit and who are common to BPI and another company of the CaixaBank Group;
(ii) analysis of the risk of money laundering and terrorist financing; and
(iii) adoption of restrictive measures imposed on banking activities under international financial sanctions and countermeasures programmes.

 

Data Protection Officer

For any clarification of this Privacy Policy or for any information regarding the processing of your data, you may contact BPI's Data Protection Officer by letter, addressed to the BPI DPO - Avenida da Boavista, n.º 1117, 4100-129 Porto or via the following e-mail address: dpo.rgpd@bancobpi.pt.

 

National Commission for Data Protection

Should you wish, you may also lodge complaints or requests for information with the National Commission for Data Protection, which is the national supervisory authority that controls and supervises compliance with the General Data Protection Regulation and applicable national law.

 

Personal data we process

To help you understand what personal data we process, please note that personal data is any information about you that directly or indirectly identifies you (e.g., name, civil or tax identification number, location or contact details).

We may therefore process personal data resulting from your contracting with the Bank for products and/or services or resulting from the management of the Bank's relationship with you, directly or through our credit intermediaries or partners.

We also process personal data when you interact with us, for example when you visit our websites or mobile applications, contact us by phone or visit one of our branches or ask us about any of our products or services. The following are the main categories of personal data we collect and process:

Categories of Personal Data: Examples
Identity, family and contact data: Name, identification document number, tax identification number, photograph, signature, address, phone number or e-mail address, date of birth, gender, nationality, place of birth, marital status, household information, education, or employment data.
Financial Data: Financial wealth, liabilities in the financial sector, income from employment or self-employment, business activity, expenses, among others.
Product and Service Data: Current account number, balance, debit/credit card number, amount and conditions of credits contracted, respective terms and interest rate, credit risk assessment and other information regarding products and services purchased or subscribed by the Customer and respective conditions.
Operations Data: Date, time, description, and value of banking operations performed, such as deposits, withdrawals, transfers, and payments.
Data related to the use of Digital Channels: Access codes and coordinates, digital signature, and biometric data. Visited pages, or information about the equipment used to access digital channels (e.g., IP address, geographical location, browser used).
Segments and profiles: Business segment, profile or degree of credit risk, investor profile, or propensity to purchase financial products.
Tax information: Address and classification of the holder subject to tax rules of other jurisdictions, e.g., a US citizen and resident in Portugal.
Images: Images collected through video surveillance cameras placed in our premises.
Recording of telephone conversations: Listing and recording of telephone calls held with you, for (i) compliance with legal obligations such as the Financial Markets Directive - MiFID II and related legislation; (ii) contractual evidence such as stock exchange orders transmitted by phone; (iii) responding to complaints or (iv) responding to satisfaction surveys.



The way we collect personal data

The data we process may be directly provided by you in the context of the relationship established with you, such as identification, contact, family, and professional data, or arising from the use of products and services marketed by the Bank. The Bank also collects data relating to your use of the Bank's websites and applications (e.g., pages visited, user preferences, etc.), which is obtained using the Bank's cookies or those of third parties (for further information on the type of cookies used by the Bank and the data collected, please refer to the section of this policy on "Use of Cookies").

Other than the data we collect from you, we also collect personal data for certain purposes from other CaixaBank Group companies (see "What Personal Data We Share and With Whom") and from third parties, such as the Central Credit Register of the Bank of Portugal, other public entities, or agents of the Bank.

We may also collect personal data from potential customers of the Bank (e.g., name, address, age, e-mail address and phone number) through several sources, such as in the context of promotional campaigns, BPI sales stands and the Bank's social networks.

 

Purposes and basis on which we process personal data

BPI only processes your personal data when there is a source of legitimacy for the respective processing.

Data may be processed by the Bank in the following circumstances:

  • For the conclusion, performance, and management of a contract to which it is a party or for pre-contractual procedures at your request.
  • Based on your prior, express, written or by explicit action, free and informed consent for specific purposes.
  • When the processing is required for compliance with the various legal obligations - national and European - to which BPI is subject.
  • When the processing is required for the purposes of the legitimate interests pursued by BPI or by third parties.

Please find below examples of the main purposes for which BPI, within the scope of its activity, processes personal data. However, in addition to these, BPI may also process personal data for other purposes, not specifically detailed in this Privacy Policy, but always resulting from the contracting of specific products or a specific campaign of the Bank. In such circumstances, BPI will ensure that you are provided with the appropriate information and that your consent is obtained, where applicable.

Identification of the Main Purposes for which BPI processes the data of the Data Subjects and the respective source of lawfulness:
 


I. For execution of a contract or pre-contractual procedures

Categories of Personal Data: Examples
Opening and managing accounts: Collecting and registering data from Customers, or their Representatives, and updating or changing identifying elements when opening, maintaining, and closing accounts. Issuing account statements. With respect to the data of the Representatives, Proxies as well as BPI Net Empresas Users, such data is collected for the purposes of representation of their principals and, where consent is given, for the presentation of proposals for the acquisition of financial products and services.
Subscription and contracting of financial products and services: Subscription, simulation, creation and management of financial products and the provision of information on products and services acquired or subscribed by the Customer.
Credit granting and management: Registration, simulation, analysis and decision of credit operations and respective guarantees, contracting or collection of instalments.
Analysis of the Customer's economic and financial capacity and risk assessment: Collecting and analysing data on the economic and financial capacity of customers and carrying out risk assessment of operations contracted, or to be contracted, through consulting and exchanging data with credit information systems.
Marketing of Third-Party Products (credit and debit cards and insurance): Collection and analysis of data for the subscription of products marketed by the Bank on behalf of the third party issuer of the same, of which the Bank is an Agent, such as, for example, in the case of insurance or credit cards marketed by the Bank.
Execution of banking operations: Processing of deposits, direct debits, top-ups, payments, national and international transfers, and execution of customer orders for financial instruments.
Subscription and management of services related to Digital Channels: Subscription to Digital Channels, management of access credentials and activation and deactivation of the related Services.
Recording of telephone conversations: Recording of calls to verify compliance with contractual obligations.

 

II. Compliance with legal obligations

Purposes: Examples
Customer identification and knowledge: Collection of identification data (e.g., name, civil and tax identification, and address) for subsequent contracting of Bank products and services, within the scope of compliance with legislation on the prevention of money laundering and fight against terrorist financing.
Other obligations under the measures to prevent money laundering and fight financial crime: Determination, segmentation and assessment of the money laundering and terrorist financing risk profile; response to requests for information from Authorities; analysis of the lists of politically exposed entities and persons, aimed at ensuring reports to supervisory and judicial authorities, among others, or compliance with and enforcement of restrictive measures.
Analysis of the Customer's economic and financial capacity and risk assessment of a credit requested by the Customer: Collecting and analysing data on the economic and financial capacity of customers and carrying out risk assessment of operations contracted or to be contracted, for the purpose of assessing the customer's solvency, as required by law. Additionally, the regulations applicable to the financial sector require that the granting and analysis of the solvency of the Customer is performed by the entities integrating the same consolidated group, of financial nature, in a global perspective, and, for such, they should treat the risk information jointly, for which reason this is one of the treatments performed jointly with the other entities of CaixaBank Group.
Assessment of Customers' knowledge and experience in contracting investment products and respective classification: Collecting the necessary information to classify and segment the Customer, guaranteeing an adequate level of protection according to the Customer's level of information, training, and experience in contracting financial instruments, and to assess the suitability of contracting certain investment and savings-investment insurance products and services that the Customer wishes to contract.
Provision of information and response to requests from Public Authorities: Providing compulsory information and responding to requests from the Judicial Authorities and/or other public entities, namely within the scope of seizure orders, distraints and inventories of assets, insolvency proceedings and proceedings for the certificate of inheritance (e.g., name, civil and/or tax identification, address, account identification, as well as other data relative to the process in question), and the Tax Authority.
Handling and providing mandatory information and responding to requests from Regulatory Authorities: Compliance with reporting obligations to Regulatory Bodies, namely the European Central Bank, Bank of Portugal, Portuguese Securities Market Commission (CMVM), National Commission for Data Protection (CNPD), Tax Authority or Judicial Authorities.
Video surveillance systems: Adoption of means and procedures for the security of people and goods that involve the collection of images in the context of video surveillance.
Recording of telephone conversations: Adoption of means and procedures for the security of people and goods that involve the collection of images in the context of video surveillance.
Complaints Management: Reception, analysis, response and filing of Customer requests for information and complaints.

 

III. BPI's Legitimate Interest

Before processing personal data based on its own or a third party's Legitimate Interest, BPI conducts a balancing test of the interests at stake. BPI will only process your data where it has concluded that the legitimate interests of BPI, or of Third Parties, are equivalent to or override the interests and rights of the Data Subject.

You may request clarification about the basis for this type of processing by sending your request to the Data Protection Officer, using the contacts identified in this policy.

In any case, the Data Subject, under the terms and situations foreseen in Article 21 of the GDPR, has the right to oppose the processing of their data for these purposes. In such cases, the Bank shall cease to process your data unless it has compelling legitimate reasons for continuing to conduct such processing.

Purposes: Examples
Customer Satisfaction Assessment: Carrying out questionnaires to assess customer satisfaction regarding products and services sold by the Bank.
Assignment of Credits: Sale of credit portfolios to third parties, namely for securitisation purposes.
Customer Segmentation: Allocation of Customers to the various segments created by the Bank according to their objective characteristics, such as address, assets, and age, allowing better organisation and distribution of the Bank's internal resources. The allocation of certain Customers to the Private segment or to the exclusively digital segment are examples of this.
Communication of the Bank's offer: Communication of the Bank's commercial offer that each manager, within the context of the contractual relationship established, makes to the Customers he or she assists.
Development of new products and services: Development by the Bank of new products and services or improvement of the existing offer, considering the objective trends of its Customers.
Management control: Data processing to produce control and management information for the Bank.
Internal audit: Collection and analysis of data within the scope of the internal audit of the Bank's processes and operations.
Prevention of market abuse practices: Identification of the data subjects that are related to employees of the Bank, subject to the internal code of conduct, adopted by the Bank within the framework of the legislation of the securities markets, as well as the financial operations carried out by them.
Development of predictive models: Development of generic, predictive models, using artificial intelligence, to improve the Bank's offer and optimise internal processes. When developing these models, the Bank resorts to statistical models and advanced algorithms, using only anonymised personal information/data.
Sending invitations and gifts to Customers and potential Customers: Sending invitations to Bank events and gifts to Customers and potential Customers. Maintenance of the respective record in a database for the same purpose.
Credit recovery: Credit recovery actions, or intervention in insolvency proceedings or of any other nature, with a view to exercising or defending BPI's rights as a creditor or financial services provider.
Notification of campaigns/draws: Communication to Customers of campaigns and draws associated with products and services contracted by them.
Monitoring the quality of service: Call recording for direct monitoring of the quality of service provided to the Customer.


 
IV. Consent

The processing identified below is carried out based on the consent given by the respective Data Subject. This consent must be prior, express, and given for specific and defined purposes and may, at any time, be withdrawn through the means made available by BPI and further described in the chapter "Rights of the Data Subjects". Consent shall remain valid until it is withdrawn, or the business relationship established with the Bank is terminated.

Purposes: Examples
Profiling: With your consent, the Bank will process your personal data by automated means to adjust the Bank's offer to your preferences or propensity to purchase and/or subscribe to products/services, thereby customising its commercial offers addressed to you.
Cookie management: Except for cookies essential for the normal functioning of its public websites, the Bank uses cookies and other similar technologies (e.g., analytics tracking), with your express consent, to collect, process and analyse your browsing behaviour to customise and improve your user experience on the Bank's websites and applications. For further information, please see the chapter "Use of Cookies" of this policy.
Sending communications for direct marketing purposes: Marketing actions of products and/or services marketed by the Bank through email, letter, or telemarketing. Specifically, the Bank requests, with your express consent, to send you offers for products and services via postal mail, email, telemarketing, SMS, and other digital means, including its digital channels, push notifications (messages that appear on mobile devices), or other means that may become available in the future.
Use of biometric data: With your consent, BPI will use technical means to allow you to use your biometric data to verify your identity on the Digital Channels made available by BPI.
Contacts and presentation of commercial proposals to potential Customers: BPI, within the scope of events it organises, may collect the contact details of the data subjects of potential Customers, and the respective consent, for the presentation of its products and services.

  

Digital channels and use of cookies

 

BPI collects and processes the personal data necessary for the provision and operation of its websites and mobile applications (BPI Apps), ensuring an appropriate level of security and protection of the personal data of clients/users who have subscribed to them.

BPI uses cookies on its websites, which are small text files containing relevant information that are downloaded to the access device (computer, mobile phone/smartphone or tablet) through the browser when the client/user visits a website. To find out more about how BPI uses cookies, please refer to the Bank's Cookies Policy.

 

Personal Data

Personal data we share and with whom

BPI transfers specific personal data to other CaixaBank Group companies in the context of certain processing operations that it is jointly responsible for (see chapter "Data Controller" of this policy). If, in addition to the Bank, you are also a customer of another company in the CaixaBank Group, such as CaixaBank Payments & Consumer, EFC, EP, SAL, your data will be transferred to these other companies for the following purposes only:

  • Analysis of the credit risk of customers who apply for or take out credit and who are common to BPI and another CaixaBank Group company.
  • Analysis of the risk of money laundering and terrorist financing;
  • Adoption of restrictive measures imposed on banking activities under international financial sanctions and countermeasures programmes.

The Bank also transfers data to third parties, namely to:

  • Competent authorities for compliance with legal obligations (such as the Bank of Portugal, the European Banking Authority, the European Central Bank, the Securities and Exchange Commission, the Tax and Customs Authority, the Central Department of Criminal Investigation and Prosecution (DCIAP), the Financial Intelligence Unit and other judicial, police and sectoral authorities).
  • Service providers and other subcontracting entities that, under the terms of the GDPR, may access the data for the provision of services. However, the Bank ensures that subcontractors with access to personal data comply with the data protection legislation in force and with banking secrecy.
  • Other credit and financial services institutions, particularly financial entities affiliated to the banking information exchange system (Swift) and payment service providers (Mastercard, Visa).



Retention periods for personal data

BPI will process and maintain your data only to the extent necessary, considering the contractual relationship established with you and the legal obligations to which the Bank is subject.

Within this framework, the retention periods of your data are limited to a minimum, and your data are only kept for the periods necessary for the purposes for which they are collected and processed, and to comply with legal and regulatory obligations applicable to the Bank or to defend the Bank in legal proceedings.

Upon termination of your business relationship with the Bank, the Bank may be required to keep your data for the statutory limitation periods associated with legal, tax or regulatory obligations, or for periods provided for in special legislation, such as a period of 7 years, as from the end of the contractual relationship established with you, to comply with the obligation of retention provided for in the law on the prevention of money laundering and terrorist financing.

The retention period of your data may also be linked to legal limitation periods, which in many cases can be up to 20 years.

Notwithstanding, once the business relationship with the Bank has ended, your personal data will no longer be processed for commercial or marketing purposes.

The Bank may also keep data on potential Customers for a maximum period of 6 months, after which, if no contact is made, the data is deleted.

 

 

The rights of the data subjects and how they can be exercised

As a data subject of personal data processed by the Bank, you have the following rights:

  • The right to access the information we hold about you and to obtain information about how we process it.
  • The right to request the rectification of your details with BPI, whenever they are incorrect or not up to date.
  • The right to erasure (or the right to "be forgotten") of your personal data from the records of BPI when they are no longer used for the purposes for which they were collected. However, the Bank is required to keep your data for the legally stipulated periods, which extend beyond the end of your business relationship with the Bank. Nonetheless, as stated above, once your relationship with the Bank has ended, your personal data will no longer be processed for commercial or marketing purposes.
  • The right to object to the processing of your data, stating your reasons, when it is carried out on the grounds of the legitimate interests of the Bank or a third party. Nevertheless, the Bank may continue to process the data concerned, should the Bank have compelling legitimate grounds which override your interests, rights, and freedoms or for the establishment, exercise, or defence of legal claims. You may also object to the processing of your data for direct marketing purposes without providing any justification.
  • The right, where applicable under the terms of the law, to receive the personal data you have provided to BPI, in a structured, commonly used, and machine-readable format, and to request their transmission to third parties (right to portability). In the specific case of banking activity, this right corresponds to the account switching service regulated in Law No. 105/2017, of August 30.
  • The right to request the Bank to limit the processing of your personal data in the following situations: (a) when you contest the accuracy of your personal data, and suspend processing for a period that allows BPI to verify its accuracy; (b) if the processing is unlawful and you object to the erasure of your data and request instead restriction of their use; (c) where BPI no longer requires your personal data for processing purposes but they are requested by you for the establishment, exercise or defence of legal claims; or (d) when you have opposed the processing of your data and until it is ascertained which legitimate interests prevail, whether yours or those of the Bank.

To exercise any of your rights, simply send the Bank a communication to that effect, delivered to any branch of the Bank or using any of the following channels or other means that the Bank makes available for that purpose:

  • BPI digital channels (BPI Net and BPI App).
  • E-mail address of the Data Protection Officer (dpo.rgpd@bancobpi.pt).

In any case, the response to an exercise of rights will be sent to the address/contacts registered with the Bank. It is therefore of the utmost importance that you keep your details up to date.

 

How to withdraw your consent

You may also withdraw, at any time, your consent to the processing for which you have given your consent by sending a communication to the Bank, delivering it to any Branch, or using the channels identified above for that purpose.

Upon receipt of a withdrawal of consent, the Bank will immediately cease processing your data for the purposes for which it has requested your consent.

 

Exclusively automated decisions and use of profiles

You also have the right to object to or request human intervention concerning decisions based solely on automated processing which could have significant effects on your legal sphere or your privacy (e.g., decision not to grant credit through digital channels, in the form of an immediate decision when such a decision is obtained through exclusively automated means).

In these cases, the Bank has mechanisms to guarantee human intervention, ensuring the exercise of this right and considering your personal conditions.

BPI also adopts predictive and propensity models for profiling, processing several categories of personal data collected from different sources. The personal data processed is cross-referenced and analysed using automated models (e.g., statistical models and advanced algorithms) to assign you a particular consumer profile, which will reflect your personal preferences regarding the products and services marketed by the Bank. For this purpose (matching the Bank's offer to your personal profile), such processing will only be carried out with your consent.

There are, however, other purposes for which the Bank also defines your profile:

(i) definition of your category as an investor in Markets in Financial Instruments to ascertain, in accordance with Directive 2014/65/EU of the European Parliament and of the Council of May 15, 2014, and other applicable provisions, whether you are a retail investor or a professional investor and thus adapt the offer to your profile.
(ii) profiling in the context of the Bank's legal and regulatory obligations regarding the prevention of money laundering and terrorist financing, thus preventing the execution of operations which are prohibited by law.
(iii) definition of your credit risk profile, in the assessment of your creditworthiness to meet the payment/repayment obligations you wish to assume towards the Bank (solvency assessment) when, for example, applying for a credit. For this assessment, the Bank uses a scoring system that considers, among other information, the level of your income, charges, outstanding debts, your professional and family situation, and other information contained in the Central Credit Register.
 

Security

The security of your personal data

BPI has implemented diverse physical, logical, technical, and organisational security measures, aimed at protecting your personal data against disclosure, loss, improper use, alteration, processing, or unauthorised access, including:

(i) mechanisms for controlling access to information systems and data.
(ii) specialised security systems (e.g., firewalls, anti-virus, intrusion detection systems).
(iii) mechanisms to register actions carried out by employees, Customers, and other users of the information systems (e.g., access, alteration, elimination of personal data).
(iv) mechanisms for encryption, pseudonymisation and anonymisation of data.
(v) encryption measures for mobile equipment and devices.
(vi) physical security measures to protect the premises (e.g., physical access control, video surveillance, miscellaneous alarms).

It should be noted that the Bank is committed to continuous improvement of the security of its systems and processes, through continuous monitoring of risks and controls. This enables it to identify new risks arising from continuous technological evolution and to adopt new security measures and controls adapted to such risks. In addition, the Bank has an awareness and training programme for employees on information security and personal data protection to ensure that all those involved in the processing of your data know their obligations and are committed to protecting your privacy.

 

Amendments to this Privacy Policy

BPI reserves the right to revise or amend this Privacy Policy at any time. Such amendments shall be duly disclosed by BPI, including through its public website www.bancobpi.pt.