Kutxabank, S.A. maintains a firm commitment as regards the protection of personal data and the confidentiality of our customers’ information, as well as providing updated and comprehensive information at all times of the data processing undertaken by the organisation, in accordance with prevailing regulations. We therefore inform you below of how we process your personal data in Kutxabank, S.A. (hereinafter, Kutxabank).
Basic information
Basic Information on Data Protection |
|
Controller |
Identity: Kutxabank, S.A. Postal address: Gran Vía 30-32, 48009 (Bilbao). Email address: info@kutxabank.es Data Protection Officer Contact: dpo@grupokutxabank.com |
Data categories used |
You may find detailed information in section 3 of this Policy.
|
Main purposes of processing and legitimation |
You may find detailed information in Section 4 of this Policy.
|
Recipients |
You may find detailed information in section 6 of this Policy
|
Rights |
Data subjects may submit a claim before the control authority as well exercise their rights of access, rectification, cancellation, objection, limit processing, portability and not be subject to automated individual decision making as regards their personal data, in writing by means of a communication addressed to the registered office of the process controller stated above. |
Origin |
|
Kutxabank has developed this customer personal data protection Policy, which may be accessed at any time from www.kutxabank.com/privacidad customers, were you may consult the full details of how we will use your personal data in the relationships we establish with you. Similarly, you may request this information on paper from any of our branch offices.
In order to manage your relationship with us, Kutxabank will process your personal data for each one of the purposes we inform you of in this Policy and always in accordance with prevailing regulations, respecting your rights and with total transparency.
The main regulations regulating the processing of your data are:
Other regulatory bodies which include obligations in terms of the protection of personal data are as follows:
Controller: The controller of your personal data in your contractual and business relations with us is Kutxabank, S. A., with registered office at postal address: Gran Vía 30-32, 48009 (Bilbao). Email: info@kutxabank.es.
Kutxabank has a Data Protection Officer appointed, who will assist you to answer any question relative to the processing of your personal data and the exercising of your rights. You may contact the Data Protection Officer to submit your suggestions, questions, misgivings or claims at this address: dpo@grupokutxabank.com
Kutxabank has also entered into joint responsibility processing contracts with each one of the following subsidiary entities: Kutxabank Pensiones, Baskepensiones E.P.S.V., and Kutxabank Empleo E.P.S.V., for the management and administration of Pension Plans and Voluntary Social Welfare Entities.
The mayor aspects of said agreements are as follows:
The purpose of processing the personal data of the ordinary members and beneficiaries of Pension Plans and E.P.S.V. by Kutxabank Pensiones, Baskepensiones E.P.S.V. and Kutxabank Empleo E.P.S.V. is to formalise, manage and execute the contractual relationship of adhesion of such ordinary members and beneficiaries to the Welfare Plans. The execution of this contract constitutes the legitimate basis of this processing.
The purpose of personal data processing by Kutxabank is to guarantee its customers, a high-quality service, an increased protection of their interests and better monitoring of any incident that may arise from the contractual relationship of adhesion to any of the products. The legitimate basis of this processing constitutes the legitimate interest of providing quality assistance to the members of said Entities as well as strengthening the guarantees for the correct administration of this type of transactions.
On the grounds referred to, the operation related to the processing of personal data is performed by Kutxabank, on your behalf and in its name, and in the name of each one of the joint responsible parties.
In any case, you may exercise your rights before Kutxabank S.A.
Kutxabank in addition, has put together a joint responsibility agreement with the Entities subscribed to the information sharing service for the prevention of fraud. You can find information on the Entities adhered to said file in
https://www.iberpay.es/es/servicios/servicios/prevenci%C3%B3n-del-fraude/#tab-4
Processing consists of the recording and retrieval of data of suspicious or unauthorised transactions in a common repository operated by Iberpay as process controller in an effort to detect and prevent transactions suspicious of fraud, or whose fraudulent condition has been expressly acknowledged by the affected holder. The legitimate basis is constituted by legitimate interest, of the account holders likely to be affected by the fraud committed by third parties, as well as the Entity in ensuring the detection and prevention of fraud in the incoming and outgoing transactions of your account.
Kutxabank will process different personal data in order to manage your requests for information or pre-contractual or contractual relations you enter into with us.
Outlined below are the data categories we will process, with the knowledge that not all the data categories listed are used for all data processing.
In the details of the processing activities that we carry out, contained in section 4, you may specifically consult each particular processing of the data categories used, therefore counting on the necessary information enabling you, if you wish, to exercise your rights recognised by the GDPR, particularly those of opposition and withdrawal of consent.
The data categories used in the different processing activities are as follows:
Data collected in call recordings: Kutxabank may record the calls or electronic communications it maintains with you (via email, chat, SMS, instant messaging applications, social media or any other equivalent medium that may be used) as well as keeping computer and telematics records of access to services. If necessary, Kutxabank may use such recordings as a means of evidence in legal, administrative, arbitration proceedings or of any other nature that might arise. These recordings have the basis of Kutxabank’s legitimate interest of undertaking quality and security controls and to obtain proof of the orders and transactions made by the customer or as a result of compliance with legal obligations, such as those calls relative to investment services, among others. In this regard, the recording and registering of all calls and/or communications shall be notified by Kutxabank.
In cases in which the personal data are provided by persons holding parental authority or by the legal representatives of disabled persons, the former are authorised to collect the data as well as their use and processing by Kutxabank for the purposes described in this Policy.
All data collection obtained, in the event it occurs, originating from information you have provided to third parties and is handed over by said third parties to Kutxabank, require consent prior to incorporating these into the Kutxabank S.A. databases. In this case, Kutxabank will contact you within a month at the latest in order to provide you with the information contained in this customer personal data protection Policy.
You ensure the veracity of the personal data provided to Kutxabank during the entire contractual relationship and undertake the obligation of notifying the Bank of any change thereof in accordance with this data protection policy. Kutxabank may, in any case, and without prejudice to its referred communication obligation, regularly request the review and updating of the personal data the entity maintains about you; it is also legitimated to conduct the appropriate verifications, within the prevailing regulations.
Under no circumstances will we process data that may infringe upon the principles of competition or business secrets.
It is important to understand that we do not infer any data that may contain information which reveal your ethnic or racial origin, political opinions, religious or philosophical convictions, union affiliation, the processing of genetic data, data relative to health or data relative to your life or sexual orientation (“Special data categories”).
The processing we carry out responds to different purposes and legal bases.
Description of the processing
Prior to registering your data in our systems, we will inform you of this customer personal data protection policy and then request the minimum data needed to commence the pre-contractual activity or contractual relationship you request.
Kutxabank will carry out the following processing, among others:
Purpose of the processing
The purpose of this processing is to treat your personal data in order to handle and analyse your registration as a customer, the contract request or the concluding of the contracts.
Basis of processing
The processing will be carried out in accordance with the obligations set forth in the prevailing legislation at all times as regards the acceptance and registration process of customers and the contracting processes of each one of the products.
Data categories used
The data Kutxabank will use for these purposes are:
Description of the processing
The processing operations to carry out are as follows:
Purpose of the processing
The purpose of the processing is to develop, control, maintain and update the contractual relationship we have formalised.
Basis of the processing
This processing is required for maintaining the contractual relationship we establish and failure to provide them would make it impossible to manage such relationship, as it is based on meeting the contractual and legal obligations of the Entity
Data categories used
The data Kutxabank will use for this purpose are:
Data transfers
Kutxabank may transfer your data to the competent authorities, control and supervisory bodies and legal, administrative or tax authorities, for the purpose of meeting the applicable regulations at all times, in particular, but not limited, to the banking or financial sector. In addition, Kutxabank may transfer your data to collaborators needed in processing activities such as agents, auditors, Notaries Public and Public Registries.
Description of the processing
Including without limitation, outlined is the most relevant processing carried out with these purposes.
Purpose of the processing
The purpose of the processing is to meet the accounting, legal, tax and administrative obligations.
Basis of the processing
The processing of your data is necessary for meeting the accounting, tax and legal obligations required from the Entity for its activity.
Data categories used
Transfer of data
Kutxabank may transfer your data to the competent authorities, control and supervisory bodies and legal, administrative or tax authorities, for the purpose of meeting the applicable regulations at all times, in particular, but not limited, to the banking or financial sector. In addition, Kutxabank may transfer your data to collaborators needed in processes such as agents, auditors, Notaries Public and Public Registries.
Description of the processing
The processing carried out with these purposes are as follows:
Reporting data relative to non-payments to files relative to the compliance or non-compliance of monetary obligations, in accordance with data protection regulations. Kutxabank will ensure the compliance of the regulatory obligation that its debts are exact, due and enforceable and have not been subject to legal, arbitration or administrative claim on its part.
Consulting data in asset solvency and creditworthiness files, to the extent required, to judge economic solvency prior to contracting or for the appropriate monitoring of the transactions already contracted. On the basis of these consultations, Kutxabank may come to decisions that affect you, including, where applicable, not entering into contract. If the reason for refusal of a transaction is based solely on the circumstance of your presence in the assets solvency files you will be informed of such reason.
Purpose of the processing
The purpose of the processing is to maintain the security of economic traffic, thereby contributing to safeguarding the general interest and make it possible to improve the risk analyses performed by the Entity in order to protect free commercial exchange under conditions of security and solvency.
Basis of the processing
This processing is carried out in order to meet the regulations on the responsible granting of loans and remaining applicable legal measures required.
Data categories used
Data transfers
Data relative to defaults may be reported to files relative to the compliance or non-compliance of monetary obligations, Badexcug (Experian) and Asnef (Equifax) and to CIRBE in accordance with its specific regulations.
Description of the processing
The processing carried out with these purposes are as follows:
The processing carried out for these purposes are as follows:
Purpose of the processing
The purpose of the processing is the prevention of criminal activities and those related to money laundering and the financing of terrorism as defined in the specific regulations.
Basis of the processing
This processing is carried out in order to comply with prevailing legislation on the prevention of money laundering and the financing of terrorism which obliges banking entities to obtain information and documentation from their customers as regards their identity and the economic activity in order to apply due diligence and knowledge of customer measures.
Data categories
Data transfers
In force regulations require and enable Kutxabank to share information with subsidiary Entities that form part of the Represented Group for the Prevention of Money Laundering and the Financing of Terrorism to this end.
Likewise, Kutxabank has the obligation of declaring to the Financial Ownership File the opening or cancelling of any current accounts, savings accounts, stock accounts or time deposits, and of any other type of payment accounts, as well as safety deposit box lease agreements and lease term regardless of its trade name, consequently your identification data will form part of this file created for the purpose of preventing and deterring money laundering and the financing of terrorism. The body responsible for this file is the Secretary of State for the Economy and Business Affairs.
Description of the processing
The processing carried out for this purpose is:
Purpose of the processing
The purpose of this processing is the prevention, detection and/or pursuit of fraud.
Data categories used
The data categories used for this purpose are:
Basis of the processing
The basis of the processing is the legitimate interest of the account holders who may be affected by fraud committed by third parties, as well as Kutxabank’s of ensuring the detection and prevention of fraud in the banking transactions to and from your account.
Data transfers
With the exclusive goal of preventing criminal situations, and provided it has sufficient evidence for determining the existence of a possible fraud, Kutxabank will be legitimised, in order to prevent thereof, of transferring the data of its Customers to Cajasur, or to outside companies affected by said situation.
Processing refers to the Information Sharing Service for the prevention of fraud.
Co-controllers of the processing
The co-controllers of the file are all the financial institutions adhered to said common file as co-controllers of the processing. The Entity the essential aspects of such co-controller agreement at your disposal and you may request it via the email address of our Data Protection Officer dpo@grupokutxabank.com. In addition, you may consult the updated list of entities adhered to the common list in https://www.iberpay.es/es/servicios/servicios/prevenci%C3%B3n-del-fraude/#tab-4
Description of the processing
Registering and consulting the data of suspicious or unauthorised transactions in a common repository operated by Iberpay as controller of the processing.
Basis of the processing
The basis of the processing is the legitimate interest of the account holders who may be affected by fraud committed by third parties, as well as Kutxabank’s of ensuring the detection and prevention of fraud in the banking transactions to and from your account.
Data categories used
The data categories used for this purpose are:
Conservation period
Description of the processing
The processing carried out with this purpose is sending commercial, generic or personalised communication for promoting products and services commercialised by Kutxabank through the mail, mailing, fax, SMS, email or by any other medium.
Purpose of the processing
The purpose of this processing is to offer you products and services commercialised by the Bank, and third-party collaborators dedicated to the banking and financial, real estate and services sectors, which are of interest.
Data categories used
Basis of the processing
This processing is carried out as from your explicit consent granted beforehand for remitting commercial communications. Said consent may be withdrawn at any time, through any of the channels available for exercising your rights and outlined in this Policy.
For promoting other types of products from other subsidiary companies, or third-party collaborators, and particularly in the insurance sector we also require your express prior consent. In any case, the mentioned consent is revocable, the customer may also oppose such processing at any time.
In this regard, we would like to inform you that Kutxabank has insurance bank agent status exclusive to Kutxabank Vida y Pensiones and Kutxabank Aseguradora, which means that all the insurances commercialised by the bank go through said insurance company.
As an exception, Kutxabank considers that in relation to the data subjects who were customers of the Entity prior to the entry into force of the GDPR it has the legitimate interest of promoting its business activity making offers exclusively of credit or savings products and services. In order to do this, Kutxabank has carried out the corresponding weighting analysis of its interests with the rights and freedoms of the data subjects.
Description of the processing
The processing carried out with this purpose is commercial profiling in order to identify the customer segment and to adapt the offer of products and services.
The profiling done with your personal data is as follows:
Purpose of the processing
The purpose of the processing is to apply statistical and customer segmentation techniques on your data in order to provide you with commercial offers suited to you needs and preferences as well as monitoring the services contracted.
Data categories
The data categories processed for this purpose are:
Kutxabank would like to expressly inform you that no data which you have not provided us with directly, obtained from the information contained in the asset solvency files will be used for this profiling. Kutxabank will only incorporate the information contained in such files when you request a loan or credit transaction or if we have your express consent.
Basis of the processing
The processing is carried out on the basis of legitimate interest for such processing consisting of undertaking its duties with the maximum efficiency and quality intrinsic to the Entity as well as perceived by you as a customer.
You may oppose the carrying out of this type of processing at any time by any of the means mentioned in point 8 of this Policy.
By contrast, if for producing this information external databases are used, particularly the information contained in the assets solvency files, the processing will only be carried out if you have requested a loan or credit transaction or we have your express consent.
You have the right to revoke the provision of said consent at any time.
Description of the processing
The processing carried out with this purpose is relative to the processing of your access requests for promotions or draws organised by Kutxabank, which we understand to be in your interest, without the need for you to expressly register thereof.
Purpose of the processing
The purpose of the processing is for presenting you promotions offered by the Entity to its customers without the need for you to expressly register thereof.
Data categories
The data categories we will process for this purpose are:
Basis of the processing
This processing is based on the legitimate interest for managing your contracts, but will require your consent prior to accepting a prize and therefore no processing will be carried out in the event you have previously declared your opposition to be the subject of advertising campaigns.
Description of the processing
The processing carried out for this purpose is to capture and record images through the equipment installed in Kutxabank’s offices, branch offices, buildings and corporate centres.
Purpose of the processing
The purpose of the processing is to implement the necessary security measures to protect our customers and the Entity’s assets and to prevent economic and reputational damage. The surveillance camera systems are installed for Kutxabank security purposes. Kutxabank will not be able to use surveillance cameras in a way incompatible with the purpose expressly described and agrees to save the images recorded in good faith and in accordance with such purpose.
Data categories
The data categories we will process for this purpose will be the images captured by the video surveillance cameras.
Basis of the processing
The basis of the processing is the legal obligation of Kutxabank to protect its facilities, staff and customers in accordance with Private Security Regulations.
Data transfers
The data may be transferred at the request of judicial authorities or State law enforcement bodies or forces when this is required in the fulfilment of their obligations.
Description of the processing
The processing carried out for monitoring and statistics constructing activity in the Entity, are:
Purpose of the processing
The purpose of the processing is to draft statistical reports and mathematical models for managing and monitoring the Entity’s activity.
Data categories
The data categories we will process for this purpose are:
Basis of the processing
The basis of the processing is Kutxabank’s legitimate interest of developing its business activity.
Description of the processing
The processing carried out with this purpose are:
Purpose of the processing
The purpose of the processing is the handling of complaints, as well as preventing, detecting, managing and resolving criminal, illegal conduct and/or contrary to the Entity’s internal regulations.
Data categories
The data categories we will process for this purpose will be:
Basis of the processing
This processing is carried out under the principle of legitimate interest as well as in compliance of a legal obligation.
Kutxabank will keep your data during the term of the contractual relationship.
The processing of data based on consent will be in force until you expressly revoke these or the contractual relations or business you have established with us have come to an end.
Upon the withdrawal of consent of the end of contractual or business relations, we will proceed to implement technical and organisational measures to ensure your data are only used in accordance with in force legal obligations.
The Entity will proceed with the destruction of your data in the deadlines set forth by the in-force legislation and which regulates Kutxabank’s activity, taking into account the statutes of limitations of administrative or judicial actions.
The personal data provided in the phase leading to the formalisation of the business relationship or the contracting of a product or service, will be kept by Kutxabank for at the six months at the latest, unless a longer period is determined in the request. Nevertheless, if you wish, you have the right to request the effective removal of your data in a shorter period.
As regards the video surveillance recordings, the regulations relative to Private Security applicable to Kutxabank establishes a maximum data retention period of fifteen days from the date of recording, unless the competent judicial authorities or the Law Enforcement Bodies and Forces provide otherwise.
Personal data relating to communications and investigations on regulatory breaches and the fight against corruption will only be kept for as long as necessary, and in no case may they exceed ten years. If an investigation is not commenced within three months from the submission of the communication, the communication system will be abolished, unless it is in order to keep evidence of system operation and anonymously if they are not forwarded communications.
Kutxabank will not transfer any of your data, unless such transfer is carried out based on a legal or contractual obligation with you such as those listed below:
Kutxabank does not send data transfers to other companies located or whose servers are located outside the European Economic Area. However, in those exceptional circumstances in which such international transfers do occur, Kutxabank will adopt the necessary measures for these to be sent to a country or organisation that has provided the appropriate guarantees or these can be based on legitimate principles established by regulations.
You may exercise your rights of access, rectification, opposition, cancellation, limitation, portability of your personal data, of withdrawing your consent and not be subject to automated decision-making, in accordance with the law. You may request to exercise these rights through any of the following channels, submitting your request, accompanied if necessary, by a copy of your identification document:
In addition, if you have any claim derived from the processing of your data, you may address it to the Spanish Data Protection Agency (www.aepd.es).
Rights |
Considerations and service channels |
|
If you consider we have not processed your data in accordance with regulations, you may contact the Data Protection Officer at dpo@grupokutxabank.com
|
|
|
|
|
- Opposition - Opposition to individual decisions |
|
|
|
|