A. INTRODUCTION
In the course of its activity, Banco BPI, S.A., with registered office in Porto, at Rua Tenente Valadim, n.º 284, registered in the Commercial Registry Office of Porto under single registration and VAT number 501 214 534, with share capital of €1,293,063,324.98 (hereinafter "Banco BPI"), collects data from its clients concerning their personal details, either in person or remotely, through its websites and mobile applications (BPI Apps), and ensures that these data are treated in accordance with the privacy protection rules set out in Regulation (EU) 2016/679 and other applicable national legislation, as well as with the confidentiality duties to which Banco BPI is subject under the General Law on Credit Institutions and Financial Companies (Decree-Law no. 298/92, of 31 December).
The data collected are provided by the Clients themselves by filling in forms, namely when opening an account or subscribing a credit card, or correspond to the personal details provided as a result of these business relationships, including through the use of the Bank’s digital channels which the Clients have subscribed, through logins, inquiries, instructions, transactions and other records of use. In addition, the Bank treats data of its Clients that it collects, under the terms of the applicable law, (i) from the Central Credit Register or (ii) through the sale of products and services which it commercializes as an insurance broker or agent for companies providing financial services.
B. ENTITY RESPONSIBLE FOR TREATMENT
Banco BPI is the entity responsible for the treatment of the personal data of its Clients/Users in so far as it is responsible for deciding on the purposes for which they will be used and the means through which they are processed.
C. DATA PROTECTION OFFICER
If they so wish, Clients may also submit complaints or requests for information to the National Data Protection Commission ("CNPD"), the national control authority for the purposes of the General Data Protection Regulations and the applicable national legislation.
D. TYPE OF DATA PROCESSED BY THE BANK
The personal details collected concern identification, filiation, address, borrowings, profession, assets and financial data (remuneration earned or liabilities in the financial sector) that are provided by the Clients themselves when filling in forms, such as to open an account or subscribe a credit card, or personal details provided as a result of the business relationship established with the Bank, namely involving transactions carried out, products and/or services subscribed or instructions given.
The data may be collected directly by Banco BPI or by credit intermediaries or partners through which the operations/services are submitted to Banco BPI for decision/approval and contracting.
In particular, the activation of certain functionalities of the BPI Apps requires the collection of the ID of the mobile device associated with the BPI App used and may also require Banco BPI to access, provided it is authorised to do so by the Clients/Users, the data/information indicated below, although such access does not imply any record in Banco BPI databases or any other type of processing: (i) access to geographic location to permit the location of Branches, BPI Premier Centres and Banco BPI Corporate Centres; (ii) access to the telephone to allow making calls to the Customer Assistance numbers; (iii) access to fingerprint/facial recognition in terminals that support it, to identify the user; and (iv) access to internal and/or external memory to support the recording of documents to be downloaded.
In any case, the Client will always be informed of the need for such data to be accessed in order for him/her to use the functionalities in question, and the Client may withhold consent.
Also concerning the use of the BPI and BPINet Apps, and of these only, Banco BPI may, provided it is so authorised by the Client, process image data (photos) of the Clients/Users (Users in case of BPI Net Empresas).
In addition, Banco BPI treats credit data of its Clients that it collects, under the terms of the applicable law, (i) from the Central Credit Register or (ii) through the sale of products and services which it commercialises as an insurance broker or agent for companies providing financial services.
When commercial relations between the Client and Banco BPI are established through digital means, which imply the use of electronic signatures, Banco BPI also processes the biometric data required to create such signatures, under the terms of the Convention on the Use of Digital Signature, which is subscribed by the Client whenever he/she signs up for this service.
E. OBLIGATORY PERSONAL DETAILS
Under the terms of the Anti-Money Laundering and Terrorist Financing Law, the opening of a current account with a credit institution, the establishment of any other business relationship, such as the contracting of a credit card, or any one-off transaction, are conditional upon the collection and processing of the following identification data and respective supporting documents: (i) photo; (ii) full name; (iii) signature; (iv) date of birth; (v) nationality as stated in the identification document; (vi) type, number, validity date, and issuer of identification document; (vii) Tax identification document, or when lacking one, the equivalent number issued by a competent foreign authority; (viii) profession and employer, when applicable; (ix) full address of permanent residence and, when different, tax residence address; (x) place of birth; and (xi) other nationalities not indicated in the identification document.
On the other hand, the contracting of loans by consumers, i.e., by natural persons who contract loans for purposes other than their trade, business or profession, is subject, under the terms of the law (Decree-Law no. 133/2009 and Decree-Law no. 74-A/2017), to the prior assessment by the Bank of the solvency of the Client who asks for a loan or for an increase in a loan already contracted. This solvency assessment requires, under the terms of Notice no. 4/2017, the collection and treatment of at least the following personal details of the Client: (i) age and professional status of the Client; (ii) income earned by the Client; (iii) the Client’s regular expenses; and (iv) Compliance by the Client with other obligations assumed under other loan agreements, either with Banco BPI or with other credit institutions.
F. PURPOSES OF THE TREATMENT
The personal details collected by BPI are treated for the following purposes:
(a) Management of commercial, pre-contractual and contractual relations between individual Clients and Banco BPI, namely the opening of current accounts, subscription to digital channels, entering into and execution of agreements on the acquisition of banking products and financial instruments, portfolio management agreements, loan granting or provision of financial services, and also the acquisition of financial products and/or insurance for which Banco BPI acts as agent;
(b) Commercial and/or risk assessment of loan operations contracted or to be contracted;
(c) The identification of banking or financial products and/or services that may be of interest to the Clients, using for the purpose statistical techniques and the definition of Client profiles/segmentation aimed at carrying out direct marketing actions;
(d) Marketing of products and/or services sold by Banco BPI through e-mail, letter or telemarketing;
(e) Compliance with regulatory obligations, namely related to fraud prevention and control and anti-money laundering and terrorist financing, or tax obligations;
(f) The use of means and procedures to ensure the security of people and assets, which in certain cases requires the collection of images through video surveillance;
(g) Loan recovery actions or intervention in insolvency proceedings or proceedings of any other nature with a view to the exercise or the defence of the rights of Banco BPI as lender or provider of financial services;
(h) Loan assignment operations undertaken under the terms of the law, namely for purposes of credit securitisation;
(j) Customisation of information on Clients/Users of BPI APPs and BPINet;
(k) The data of Representatives, proxies and Users of BPI Net Empresas are collected for purposes of representation of the respective principals, and, when authorised, to allow the presentation of proposals for the acquisition of financial products and/or services.
(l) Management of complaint processes;
(m) Presentation of commercial propositions to potential Clients;
(n) Processing and provision of obligatory information and reply to requests from regulators (e.g. European Central Bank, Banco de Portugal and CMVM, the Portuguese Securities Market Commission) for compliance of legal obligations in force, and to reply to requests from public authorities (e.g. Courts and Police);
(o) Recording of calls as proof of commercial transactions and any other communications regarding the commercial relation or the fulfilment of legal obligations.
G. AUTOMATIC PROCESSING AND PROFILING
To analyse the credit risk and assess the solvency of its Clients, Banco BPI uses statistical and client segmentation techniques (profiling), based on the personal details collected directly from the Clients or obtained as a result of the relationship established with Banco BPI, namely through the type of products subscribed, the credit operations contracted, the level of non-compliance registered, etc. In addition, under the terms of the law, Banco BPI also resorts to the data contained in Banco de Portugal’s Central Credit Register.
Banco BPI also uses statistical and client segmentation techniques (profiling) to customise the offer to its clients and design direct marketing campaigns based on the data referred to above, and where applicable, the browsing data in BPI Net (homebanking) and the BPI App, such as logins, inquiries, instructions, transactions and other records of use.
In its analyses and processing, namely to create client profiles/segments, Banco BPI does not use personal details provided by third parties, except, as referred, those obtained from the Central Credit Register, to which it has access under the applicable legislation, or those obtained through the establishment, through Banco BPI, of commercial relations between its Clients and its commercial partners, where Banco BPI acts as agent.
The fact that it resorts to profiling techniques does not imply that Banco BPI’s decision-taking process is exclusively automatic. This is only the case for credit contracted through Banco BPI’s digital channels (BPI Net and BPI App), where, due to the very nature of these channels, there is no human intervention. However, in this case the Clients are entitled to request a reassessment of the decisions taken by Banco BPI, based on the submission of additional elements or their specific conditions.
Note also that the use of profiling techniques also aims to address obligations to which all credit institutions are bound, namely under the Anti Money Laundering and Terrorist Financing Law, the national and EU laws and regulations that govern the financial markets, the consumer credit legal framework, and the mortgage credit, including residential mortgage credit, legal framework.
As referred, Banco BPI collects and processes the personal data required for the provision and operation of its websites and mobile applications (BPI Apps), hereinafter referred to as Digital Channels or just Channels, ensuring adequate levels of security and protection of the personal data of the Clients/Users who subscribed to these Channels.
Notwithstanding the security measures adopted by Banco BPI, the Client/User of the Channels shall keep the access codes secret and not share them with third parties, and, in the particular case of the BPI Apps, the Client/User shall keep the mobile device where these apps are installed under security conditions and follow the security practices recommended by the manufacturer and/or operator, in particular with regard to the installation and updating of the necessary security applications, namely antivirus.
Banco BPI uses several types of cookies, as described below:
(i) Essential cookies - some cookies are essential to access specific areas of BPI websites, enabling browsing and the use of these websites’ applications, as well as access to secure areas, through a login. Without these cookies, services that require them cannot be provided;
(ii) Functionality cookies - functionality cookies allow a website to remember the user’s browsing choices, which therefore do not have to be reloaded and customised each time the user visits the website;
(iii) Analytical cookies - these cookies are used to gain insight into the use of websites. They make it possible to highlight items or services which might be of interest to users, and to monitor websites’ performance, tracking the most popular pages, the most effective connection method between pages or the reason why certain pages show error messages. These cookies are used for statistical creation and analysis purposes only and never collect personal information. They allow Banco BPI to provide a high-quality experience by customising its offer and rapidly identifying and correcting any problems that may arise.
Banco BPI may also, for statistical purposes, place cookies on newsletters and emails, to know if they are opened and to check clicks on links or advertisements within newsletters. Clients/Users may at any time disable the receipt of newsletters/emails, for which purpose a specific option is provided at the bottom of the newsletter or email.
I. DATA RECIPIENTS
Banco BPI is obliged by law to communicate the personal data of its clients, including their identity, credit liabilities, current and term bank accounts, financial instruments subscribed and respective remuneration, to the regulatory authorities that oversee its activity, and other public/official entities, namely including the following:
(a) Banco de Portugal: Central Credit Register and Banking System Accounts Database;
(b) Tax and Customs Authority;
(c) Central Bureau of Investigation and Prosecution ("DCIAP"), Financial Intelligence Unit and other judicial, policing and industry authorities, as provided in the Anti Money Laundering and Terrorist Financing Law.
(d) Companies controlled by Banco BPI or in which it has a stake, or shareholders of Banco BPI, namely CaixaBank, S.A. (BPI/CaixaBank Group), within the scope of measures to prevent money laundering, terrorist financing and fraud, or for risk management purposes, as well as for purposes of administrative and financial management of BPI/CaixaBank Group;
(e) Other credit and financial services institutions, namely financial entities affiliated to the banking information exchange system (Swift) and payment service providers (Mastercard, Visa);
(f) The Securities Market Commission, under the terms established in the legal and regulatory regime of markets in financial instruments.
The transmission of data to countries outside the European Union only occurs (i) when this is necessary for the execution of orders or requests (for example, foreign payment or investment transfers), (ii) due to a legal requirement, or (iii) when it is expressly authorised by the Client. In addition, whenever Banco BPI attempts to recover credit or to intervene in insolvency or other proceedings for the exercise or defence of a right that assists it in a judicial proceeding, the clients' identification and process-related personal data are communicated to the intervening judicial authorities.
It should also be mentioned that Banco BPI uses, in the scope of its activity, service providers that may have access to personal data of its Customers. Banco BPI ensures that in these circumstances it adopts all appropriate technical and organizational measures to ensure that the subcontractors with access to the data are reputable and offer the highest guarantees at this level and that they guarantee compliance with the applicable legislation in privacy and data protection of Clients, including in respect of the exercise of data owners’ rights.
On the other hand, Banco BPI establishes commercial partnerships with certain entities according to which advantages or benefits are attributed to its clients, such as, for example, co-branded credit cards, which give advantages to holders of such cards when they make purchases at Banco BPI’s partner establishments. In these cases and with the consent of the customers, Banco BPI may transfer to these trading partners data of its Customers so that the partners can make them offers related to the products/services that they commercialize. In any case, Banco BPI Clients always have the right to withdraw their consent to the transfer of the data.
Finally, it should be noted that the transmission of data to countries outside the European Union only occurs (i) when this is necessary for the execution of orders or requests (e.g. transfer of payment abroad or investment); (ii) by legal requirement; (iii) in the scope of a service provision, when the subcontractor is located outside the EU; or (iv) upon express authorization of the Customer.
The Bank ensures that the service providers to which the Bank resorts and who are located outside the EU are reputable entities and provide adequate data protection guarantees in terms similar to those established by European standards, either because the third country provides a suitable level of protection recognized by a decision of the European Commission (‘adequacy decision’), as will be the case of service providers located in the USA and listed in the Privacy Protection Shield List approved by the Commission (the "Privacy Shield"), or because they have adopted the standard data protection clauses approved by the Commission or binding corporate rules recognized by the competent European authorities.
J. TIMEFRAME FOR DATA RETENTION
Banco BPI will retain the data for as long as necessary for compliance with the applicable legal and contractual provisions, namely those arising from the relationship established with its Clients. Data retention periods are kept as short as possible, and data is retained for as long as necessary to meet the purposes for which they were collected and processed, as well as to meet the legal and regulatory obligations to which Banco BPI is subject or to defend the Bank in legal proceedings. Once a Client’s commercial relationship with the Bank has terminated, his/her personal data will be kept for the mandatory legal periods or until the rights arising therefrom lapse, under the terms of the law. In any case, once the commercial relationship with the Bank terminates, the Clients’ personal data cease to be treated for commercial or marketing purposes.
K. RIGHTS OF PERSONAL DATA SUBJECTS
Under the terms of the applicable legislation, Clients that are personal data subjects shall have the following rights:
(a) Right to Information - Clients are entitled to be informed by Banco BPI, among others, about the purpose of the data processing, to whom these data may be transmitted, the Clients’ rights and in what conditions they may exercise them, and which details they must obligatorily provide.
(b) Right of Access - this is the right of Clients to access their personal data which they have provided, without restrictions, undue delay or excessive costs, and to obtain any available information on the origin of such data;
(c) Right of Rectification - this is the right of Clients to demand that their data be accurate and up-to-date, and to request their correction from Banco BPI;
(d) Right to Erasure (or "right to be forgotten") - this is the right of Clients to demand the elimination of their personal details from Banco BPI’s records when these cease to be used for the purposes for which they were collected, however, without prejudice to the retention periods imposed by law;
(e) Right to Object - this is the right of Clients to object, at their request and free of charge, to the treatment of their personal details for purposes of direct marketing, or when the treatment of data by Banco BPI is grounded on their legitimate interests;
(f) Right to Data Portability - this is the right of Clients to receive the personal data which they have provided to Banco BPI, in a structured, commonly used and machine-readable format and to transmit those data to another entity responsible for their treatment. In the particular case of banking activity, this right applies in particular to the transfer of bank accounts, which is regulated by Law no. 105/2017, of 30 August;
(g) Right to Restriction of Processing - this is the right of Clients to, under certain circumstances, request Banco BPI to restrict the processing of their data, namely when (i) they contest the accuracy of their personal data for a period enabling Banco BPI to verify their accuracy; (ii) the processing is unlawful and the Client opposes the erasure of the personal data and requests the restriction of their use instead; or (iii) Banco BPI no longer needs the personal data for the purposes of the processing, but they are required by the Client for the establishment, exercise or defence of legal claims;
(h) Right to Complain to the CNPD - without prejudice to any other administrative or judicial remedy, this is the right of Clients to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the General Data Protection Regulation (Regulation (EU) 2016/679) and other applicable national legislation. In Portugal the control authority is the Comissão Nacional de Protecção de Dados (CNPD - National Data Protection Commission).
For the exercise of any of their rights under the law, including the right to access their data, request their rectification or erasure or object to their treatment, Clients should go to any Banco BPI Branch or BPI Premier Centre, or use any other channel made available by Banco BPI for the purpose.
Clients may also at any time withdraw their consent, where applicable, which they may do at any Banco BPI Branch or BPI Premier Centre, or through any other channel made available by Banco BPI for the purpose.
L. DATA SECURITY
Banco BPI has implemented various physical, logical, technical and organisational security measures to protect personal data from unauthorised disclosure, loss, misuse, alteration, treatment or access, as well as against any other form of illicit treatment.
M. BPI EVENTS AND SOCIAL RESPONSIBILITY
The personal data collected by Banco BPI for Social Solidarity purposes, namely within the scope of the BPI/Fundação Bancária La Caixa ("FBLC") Solidarity Awards and the BPI Events are identification data, and when authorised, image and voice data. These data are collected for the purpose of promoting and advertising BPI Events and social solidarity events, which entail the capture and treatment of images of the participants in these events.
The processing of such data by Banco BPI shall be maintained for as long as the Bank maintains its legitimate interest therein or until consent for their processing is withdrawn.
In any case, the image and voice data collected in the context of the activities carried out in the BPI Events are retained for a period of one year only from the date of their capture. The image and voice data collected in the context of the BPI/FBLC Solidarity Awards are retained for a period of three years only from the date of their capture.