The Data Controller of your personal data is Bankinter, S.A. – Sucursal em Portugal ("Bankinter"), permanent representative of Bankinter, S.A., with registered office at Paseo de la Castellana, no. 29, 28046 Madrid, Spain and its branch in Portugal, located at Praça Marquês de Pombal, no. 13, 2.º andar, 1250-162 Lisbon, registered in the Companies Registry Office of Lisbon under single registration and tax identification number 980547490.

Bankinter has appointed a Data Protection Officer (hereinafter "DPO") who can be contacted at the following email address: privacidade.pt@bankinter.com

If you are in a contractual relationship with Bankinter (whether as a Customer, representative or guarantor), all purposes set out in the following section will apply.

If you are a proxy or legal representative of a legal person, only the purposes under points a), b), c) will apply in relation to: II) Fraud prevention, III) Information about products or services similar to those contracted by the institution you represent (in these cases, you will be informed about products or services similar to those contracted by the institution you represent) and V) Performing and analysing satisfaction surveys and point d), for purposes related to:  II) Identification of customers via videoconference and III)signing documentation using biometrics.

If you are acting in the capacity as a guardian or legal representative of a minor or person with a disability, only the purposes of points a), b), c) will apply in relation to: II) Fraud prevention, III) Information about products or services similar to those contracted by the minor or disabled person you represent (in these cases, you will be informed about products or services similar to those taken out on behalf of the minor or disabled person you represents), IV) Preparation of profiles using own data  and IV) Performing and analysing satisfaction surveys and point d) for purposes in relation to: III) signing documentation using biometrics.

If you are an representative for a natural person, only the purposes indicated in points a), b), c) will apply as regards: II) Fraud prevention, III) Information about products or services similar to those contracted by the institution you represent (in these cases, you will be informed about products or services similar to those contracted by the institution you represent) and V) Performing and analysing satisfaction surveys and point d), for purposes related to:  II) Identification of customers via videoconference and III)signing documentation using biometrics.

If you act in the capacity as a potential customer, we will process your data for the purposes indicated in the specific personal data collection form for potential customers, which will be made available in each case.

Bankinter will process your data for the following purposes:

A) Processing to comply with legal obligations: 

Pursuant to Article 6(1)(c), of the GDPR, the processing of personal data is lawful when required to comply with a legal obligation. Bankinter will process your personal data to comply with obligations set out in the current legislation and any other legislation that may replace it in the future. 

 This includes but is not limited to the following legal provisions:

I) Anti-Money Laundering and Counter Terrorist Financing Regulations

Purpose: Bankinter is required to process your data to detect and prevent money laundering and counter terrorist financing, as provided for in the applicable legal regulations in force. 

The main personal data processing activities that Bankinter undertakes to this end are:

• Identification of persons with whom you establish a business relationship, as well as the continuous monitoring of the business relationship. 

• Submit the information required at any time pursuant to the current legislation and regulations each month to the Account Database File held by the Bank of Portugal.

• Make information on payment transactions available to national authorities or official organisations and those of other countries, including both members and non-members of the European Union, in the context of combating the financing of terrorism and serious forms of organised crime and the prevention of money laundering. 

• Oversight of your relationship with commercial companies and your position of control in their structure. 

• Verification of whether you hold or have held positions of responsibility and/or public office.

Legitimate basis:  Compliance with the provisions of Law No. 83/2017, of 18 August (Anti-Money Laundering and Terrorism Financing Law) and Bank of Portugal Notices No. 1/2022 and 1/2023 or any other legislation that may replace them in the future.

Origin of the data: The data processed for this purpose is obtained via: 

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter; 

• Data obtained and generated as a result of the performance of the different products and/or services arranged with Bankinter;

• Data obtained from Bankinter Group companies pursuant to the legislation in force;

• Data obtained from consolidated public lists of persons and entities subject to restrictive measures established by national and/or international organisations. 

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname, identification document details, taxpayer number, social security number;

• Contact details:  home address, telephone, mobile phone, email address; 

• Professional and socioeconomic data, including data on the professional activity you undertake and the company you work for; 

• Data about your personal characteristics: marital status, age, nationality, household, place of birth, date of birth, tax residence; 

• Data about different products and/or services that you have taken out with Bankinter, or in which you are involved in some way (legal representative of a minor or person with a disability, proxy, legal representative of a legal person);

• Data in relation to the movement of funds, whether credit and/or debit, within the scope of products and/or services taken out with Bankinter;

• Image: when the identification via videoconference procedure is used.

Recipients: Your data may be transferred to the authorities and public institutions, including the courts, police authorities, the Bank of Portugal, the Portuguese Securities Market Commission and Bankinter Group companies.

Duration of processing: Bankinter will process your data for this purpose for as long as necessary to formally arrange and execute the contractual relationship and after its termination for the period of 7 (seven) years, pursuant to the Anti-Money Laundering and Counter Terrorist Financing Law. 

II) Tax regulations

Purpose: Bankinter will process your data to contribute to the fulfilment of tax reporting and control obligations (including compliance with FACTA and Common Reporting Standard CRS requirements) as well as reporting obligations under the applicable tax regulations and legislation. 

Legitimate basis: the tax legislation imposes the obligation on financial and banking institutions, in their capacity as collaborating institutions, to provide the tax authorities with information about the financial transactions and investment operations of their customers.

Origin of the data: The data processed for this purpose is obtained via: 

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter.

• Data obtained and/or generated as part of the execution of products and/or services that you have taken out with Bankinter.

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname, identification document or equivalent document that replaces it, national and/or foreign tax identification number;

• Contact details: home address, telephone/mobile phone;

• Data about your personal characteristics: nationality, place of birth, date of birth, tax residence;

• Financial and investment data required to calculate tax due: namely the purchase and sale of securities, dividends or interest received, amortisations, redemptions, refunds, derivative financial products, in addition to others provided for by law.

Recipients: To comply with this legal obligation, Bankinter will communicate your data to the Portuguese Tax and Customs Authority, which may send the information to the tax authorities in the United States of America and countries with which Portugal has tax information exchange agreements in place.

III) Regulations on Financial Markets and Instruments: 

Purpose: Assess each customer's knowledge and experience and suitability of the provision of investment services, in line with the legislation relating to the financial instruments markets (MIFID I and MIFID II), as well as the implementing and complementary regulations.

 

Legitimate basis: The MIFID I and MIFID II Directives require that data is processed to assess the suitability and knowledge and experience questionnaires.

 

Origin of the data: The data processed for this purpose is obtained via: 

 

• Data transmitted by the Data Subject when registering as a Bankinter Customer, as well as the data provided to arrange different Bankinter products and/or services, including the necessary data provided in the questionnaires before taking out investment products.

• Data obtained and/or generated as part of the execution of products and/or services that you have taken out with Bankinter.

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname, identification document or equivalent document that replaces it;

• Contact details: home address, telephone/mobile phone.

• Financial and investment data held by the bank, which makes it possible to determine the Customer's investment profile: the volume of investments made previously, the investment products purchased, the amounts invested, data related to the Customer's education and profession.

• Voice: when using the Telephone Banking Service or when pre-contractual information about financial instruments is made available or when taking out an investment product over the phone, Bankinter will record telephone calls to comply with its legal obligations in relation to the marketing of financial products.

Recipients: Bankinter will not transfer your data to third parties unless to comply with legal obligations. Data may be transferred at the request of the supervisory and regulatory authorities, as well as by the court authorities.

IV) Information from the Central Credit Register of the Bank of Portugal

Purpose: Communicate your data and information on credit risk to the Central Credit Register (CRC) of the Bank of Portugal.

This communication will be made with a view to:

- Allowing the competent authorities to properly exercise their powers of supervision and oversight.

- Contributing to the correct performance of other functions that are legally incumbent on the Bank of Portugal.

Legitimate basis: Compliance with the provisions of Decree-Law No. 204/2008, of 14 October (Legal System in relation to the Central Credit Register (CRC)) and Bank of Portugal Instruction No. 17/2018 or any other legislation that may replace it in the future.

Origin of the data: The data processed for this purpose is obtained via: 

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter.

• Data obtained and/or generated as part of the execution of products and/or services that you have taken out with Bankinter.

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname, identification document details, taxpayer number, social security number

• Contact details:  home address, telephone, mobile phone, email address; 

• Data about your personal characteristics: marital status, age, nationality, household, place of birth, date of birth, tax residence; 

• Financial data that makes it possible to understand the customer's profile in relation to finance risks: credit risk, amount and possibility of credit recovery.

Recipients: Bank of Portugal.

V) Regulation on the granting of credit: 

Purpose: When you request or have arranged a product and/or service that involves the granting of bank credit, Bankinter is required to: (i) assess your economic solvency, with a view to analysing the possibility of you arranging these products and/or services and (ii) correctly managing the financial risk associated with the credit granted in all its phases (admission, monitoring and recovery). 

The main data processing activities that Bankinter undertakes to this end are:

 - Assessment of your solvency and/or credit risk for the granting of financial banking products or services.

- Controlling and monitoring financial products and/or contracted services with a view to ensuring the effective management of the credit risk granted.

- Preparation of profiles and internal behaviour models, preparation of statistics and credit risk scoring .

Legitimate basis:  Portuguese and EU legislation on the granting of credit (namely, Decree-Law No. 74-A/2017, of 23 June (approving the system for credit agreements in relation to real estate, establishing the rules applicable to mortgage-backed consumer credit or backed with another right over immovable property), Decree-Law No. 133/2009, of 2 June (transposing Directive No. 2008/48/EC, of the Parliament and the Council, 23 April, on consumer credit agreements), Directive 2014/17/EU of the European Parliament and of the Council, of 4 February 2014 and Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2014, 2008, as well as the sectoral guidelines applicable to financial institutions issued by the European Central Bank, European Banking Authority and/or the Bank of Portugal) which require that financial institutions perform an exhaustive assessment of the solvency and financial risk of their customers for the correct management of credit risk at all stages (admission, monitoring and recovery) and avoiding irresponsible credit granting practices and/or excessive consumer indebtedness

Origin of the data: The data processed for this purpose is obtained via: 

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter.

• Data obtained and/or generated as part of the execution of the different products and/or services taken out with Bankinter.

• Solvency data available to Bankinter Group companies that provide banking or financial services, given that, pursuant to the legal regulations in force as regards the prudential requirements applicable to credit and financial institutions, they are required to assess risk based on sufficient information, including information about the other companies in your business group.

• Data obtained from credit information systems, as they provide information on asset solvency. This data will be consulted based on the legitimate interest only when requesting to arrange a product and/or service that involves granting credit, deferred payment or periodic billing.

• Data obtained from the Central Credit Register (CRC) of the Bank of Portugal to verify indebtedness with other institutions.

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surnames, identification document details or equivalent document replacing it and tax identification details;

• Contact details: home address, telephone/mobile phone;

• Financial and investment data, including active assets and data in relation to credit risk or non-compliance with pecuniary, financial or credit obligations, allowing the institution to perform assessment and monitoring activities accordingly;

• Data on the different products and/or services arranged with Bankinter or in which you have been involved (guarantor, holder, proxy or legal representative of a legal person);

• Professional and socioeconomic data, including data on the professional activity you undertake and the company you work for; 

• Data about your personal characteristics: marital status, age, nationality, household, place of birth, date of birth, tax residence; 

• Data in relation to products and/or services that you have taken out with Bankinter, except in cases involving specially protected data (race, political or religious opinions, trade union membership, health, data relating to your life or sexual orientation and genetic and biometric data intended to unambiguously identify a person);

• Risk assessment data or scoring .

Recipients: Your personal data may be made available to public and supervisory authorities, including courts, as well as to Bankinter Group companies when required based on applicable sectoral standards in relation to the granting and management of responsible credit risk. 

Logic applied: 

Bankinter will analyse customer data to assess their economic solvency, the potential evolution of credit risk, estimated potential expected and unexpected losses, the probability of default of customers who arrange or ask to arrange credit products and/or services. This analysis allows Bankinter to take objective decisions about granting credit and the evolution of the risk positions of customers who have arranged products and/or services with Bankinter, as well as guaranteeing the solvency of the financial system.

As part of this analysis, the following logic will be applied, assessing: (i) the conduct observed in other customers with similar characteristics or patterns; (ii) your ability to meet your credit obligations based on the bank's own data (scoring), from other Bankinter Group companies and third parties; and (iii) your personal and financial characteristics.

VI) Compliance with notifications, official notices and court rulings

Purpose: The purpose of this data processing is to fulfil the duty of collaboration with national and international court authorities.

Legitimate basis: Bankinter is required to comply to applicable legislation including but not limited to the provisions of the Code of Civil Procedure (Law No. 41/2013, of 26 June), as well as with European and international legislation on cooperation and legal assistance.

Origin of the data: the data processed for this purpose is obtained via:

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter.

• Data obtained and/or generated as part of the execution of the different products and/or services taken out with Bankinter.

Data category: the data categories processed will depend on the requirements or requests made by the court authority, with the content of the data being defined by the court authority.

Recipients: your personal data will be communicated to national and international court authorities whenever Bankinter is requested and is legally required to make them available.

B) Processing necessary for the execution of the contractual or pre-contractual relationship

As established in Article 6(1)(b) of the GDPR, this processing is necessary for the correct performance of the contractual relationship or for the performance of pre-contractual measures. Therefore, opposition to the processing of personal data for this purpose would involve the need of ending the contractual relationship with Bankinter or said relationship not being started. 

Bankinter will process your personal data for the following purposes: 

I) Formalisation and execution of the contractual or pre-contractual relationship 

Purpose: Bankinter will process your personal data to formally arrange and execute your contractual relationship with Bankinter. This purpose also includes the processing of personal data prior to the contractual relationship with Bankinter actually starting.

When, as part of the formal arrangement and execution of the contractual relationship relating to products and/or services that you have requested, Bankinter must verify your identity, perform an assessment of your knowledge and experience and suitability of certain products and/or services or analyse your financial solvency, under the terms referred to in points I), III) and V) of subparagraph a) ("Processing in compliance with legal obligations").

The main data processing activities that Bankinter undertakes to this end are:

• Collection and incorporation of all data required to formally arrange the contractual or pre-contractual relationship into Bankinter systems;

• Adequate management of the products and/or services taken out with Bankinter;

• Responding to your requests using the different communication channels that Bankinter makes available to you;

• Contact you to inform you about the products and/or services you have taken out with Bankinter accordingly. These communications will not be commercial in nature;

• Management of your access to the different channels that Bankinter makes available to you, namely, Bankinter homebanking, telephone banking, the Bankinter app.

Origin of the data:  The data processed for this purpose is obtained via: 

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter.

• Data obtained and/or generated as part of the execution of the different products and/or services taken out with Bankinter;

• Communication data between the Customer and Bankinter, using different means of communication, namely telephone calls or video calls.

• Data obtained from social networks and other virtual environments when using these channels to contact Bankinter and exclusively related to communications made by the Customer via these channels.

• Data obtained from Bankinter Group companies or partner third parties who are involved in some way in the contracted products and/or services, whenever this communication is required for the correct performance of the contractual relationship.

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname, identification document details, taxpayer number, social security number;

• Contact details:  home address, telephone, mobile phone, email address; 

• Professional and socioeconomic data, including data on the professional activity you undertake and the company you work for; 

• Data about your personal characteristics: marital status, age, nationality, household, place of birth, date of birth, tax residence; 

• Data about different products and/or services that you have taken out with Bankinter, or in which you are involved in some way (legal representative of a minor or person with a disability, proxy, legal representative of a legal person);

• Data associated with the products and/or services that you have taken out with Bankinter, when they are required to arrange a new product and/or service or for the performance of those you have already taken out;

• Biometric data, when you have provided Bankinter with your consent: signature;

• Voice data: when you use the Telephone Banking service and purchase a product and/or service using this channel, Bankinter records the corresponding telephone calls;

• Data about your communications preferences indicated to Bankinter to enhance accessibility as part of our dialogue and management of daily operations;

• Data about your legal capacity: data contained in a court decision in relation to the legal capacity of the Data Subject;

• Image: when you have given your consent;

• Data in relation to situations of economic vulnerability: The Bank will only process this data when it is required to adopt measures to prevent the risk of non-compliance with obligations, namely, pursuant to Decree-Law No. 227/2012, of 25 October or any other legislation that may supplement or replace it in the future. 

Recipients: Your personal data may be made available to the administrations and public authorities, supervisory authorities, including the courts, Bankinter Group companies and partner third parties who are some way involved in the products and/or services that you arrange and whenever this communication is required for the correct performance of the contractual relationship.

C) Processing based on the legitimate interest of the data controller

Bankinter, in its capacity as the Data Controller, may process your data based on its legitimate interest, as provided for in Article 6(1)(f) of the GDPR. In these cases, before Bankinter starts processing your data, a proportionality analysis will be performed in relation to Bankinter's interest in processing your data to this end, and your interests, rights and freedoms.

Bankinter's legitimate interests will always respect the fundamental rights of its customers. 

Notwithstanding the above, you can always oppose the processing of your data based on a legitimate interest, by making contact with Bankinter using any of the channels that it makes available and which can be consulted in section 5 below on "What are your data protection rights?" 

You can consult the information regarding the weighting report prepared by Bankinter upon request via email privacidade.pt@bankinter.com. 

Bankinter will process your personal data for the following purposes:

I) Consultation and communication of your data to credit information systems; 

Purpose: Bankinter may consult your data in the credit information systems it forms part of for the purpose of assessing your solvency, when you apply for products and/or services involving the granting of credit or when you have already arranged any of these products and/or share them with these systems when you have a measurable, overdue and payable debt to Bankinter that has not yet been settled, in order to avoid default situations with Bankinter.

The main data processing activities that Bankinter undertakes to this end are: 

• Consult your data. When you request or have taken out a service and/or product that involves bank financing or deferred payment, your data in the credit information systems in which Bankinter participates will be consulted.

• Communicate your data. If you have a definite debt that past due and payable to Bankinter, without repayment having been made within the payment period established, Bankinter will communicate this non-compliance to the credit information systems in which it participates. Bankinter will request the automatic correction or deletion of data included in credit information systems when they are incorrect or do not reflect the Customer's current situation. 

Legitimate basis: 

The legitimate interest, both of Bankinter and of the other entities participating in the credit information systems, to share situations of non-compliance with pecuniary, financial and/or credit obligations in which they may be involved, with the aim of allowing an assessment, management and adequate control of credit risk by the participating entities when they receive applications to arrange credit products and, therefore, avoid economic losses to the entire financial system.

Origin of the data: The data processed for this purpose is obtained via:

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter.

• Data associated with products and/or services associated with the debt, obtained by Bankinter as part of the contractual relationship between the parties. 

• Data obtained from credit information systems.

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname, identification document details, taxpayer number, social security number;

• Contact information: postal address.

• Financial data relating to non-compliance with pecuniary, financial or credit obligations.

Recipients: For this purpose, Bankinter may enter your personal data into credit information systems.

Duration of processing: The data will be processed and stored in credit information systems and must only be stored for the period required to achieve its purpose. 

Other relevant information

Joint responsibility: Bankinter and the entities that maintain these systems will be considered jointly responsible for data processing, pursuant to the provisions of Article 26 of the GDPR. You may request additional information on this matter by filing a request in writing at the following email address: privacidade.pt@bankinter.com.

II) Fraud Prevention:

Purpose: Bankinter will process your data to prevent fraud in the arrangement and performance of its products and/or services that could cause reputational or financial damage to both Bankinter and its customers.

Bankinter has also entered into agreements with suppliers specialising in the area of fraud detection, prevention and investigation, namely SIBS/Paywatch and VISA. These suppliers ensure the processes for analysing cases of card fraud and promoting measures to prevent or contain actual, potential or future fraud. 

Bankinter may process your data to detect, investigate, control and report potentially suspicious and unauthorised transactions using your current account, in the following cases:

• To report unauthorised or transactions suspected of fraud with the different payment instruments.

Legitimate basis: The legitimate interest, both of Customers who own products and/or services that may be affected by fraud committed by third parties, and of Bankinter to detect and prevent fraud in banking operations involving their account.

Origin of the data: 

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter.

• Data related to the suspicious and/or unauthorised transaction obtained by Bankinter as part of the contractual relationship between the parties

• Communication data between the Customer and Bankinter, using different means of communication, namely telephone calls or video calls.

• Data on suspicious and/or fraudulent transactions obtained by Bankinter Group companies.

Data categories: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname.

• Contact details:  home address, telephone, mobile phone, email address; 

• Data about different products and/or services that you have taken out with Bankinter, or in which you are involved in some way (legal representative of a minor or person with a disability, proxy, legal representative of a legal person);

• Data on entries and transactions arising from the use of the products and/or services you have arranged with Bankinter, which are required for the purposes of fraud prevention. At no time will Bankinter process specially protected data (race, political or religious opinions, trade union membership, health, data relating to your life or sexual orientation, genetic and biometric data intended to exclusively identify a natural person).

Recipients: Bank of Portugal.  

Finally, your personal data may be communicated to Bankinter Group companies, as well as any third parties that belong to or manage systems, files and/or services with similar characteristics, of which Bankinter is a member, with a view to preventing fraud. In this case, if Bankinter signs up to these systems, files and/or services to prevent fraud, Customers will be informed accordingly.

Duration of processing: The data will be processed for the purpose indicated above as long as you maintain a contractual relationship with Bankinter and, in the event that you cease to be a customer, until any actions that can be taken to defend the legitimate interests of the Bank or its customers, or to respond to possible complaints, expire

III) Provide information about products and/or services similar to those taken out

Purpose: Unless you have expressed your opposition, Bankinter may send you, using any communication channel (including electronic channels), information about products and/or services that may be of interest to you, given their similarity to those taken out with us and that Bankinter, within the scope of its activity, is interested in selling.

Legitimate basis: The legitimate interest of Bankinter consists of undertaking commercial actions in relation to products and/or services similar to those previously arranged by customers, with a view not only to increasing the company's business volume, but also to improving the service provided to its customers, in such a way that it obtains useful information and alternatives to better manage their economic and financial needs; this is a service that the customer asks a financial institution to provide and, in this sense, falls within their reasonable expectation of privacy.

Origin of the data: The data processed for this purpose is obtained via:

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter.

• Data obtained and/or generated as a result of the performance of the different products and/or services arranged with Bankinter.

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname, identification document details, taxpayer number, social security number

• Contact details:  home address, telephone, mobile phone, email address; 

• Data about the communication preferences indicated to the Bank to facilitate access to dialogue or the management of daily operations.

Recipients: This processing does not imply the communication of your personal data to third parties. Commercial communications will always be made by Bankinter.

Duration of processing: Bankinter will process your data for this purpose, unless you have objected to this type of processing. Should your relationship with the company in your capacity as a customer come to an end, Bankinter will process your data for a maximum period of 1 (one) year after the end of the contractual relationship, unless you have objected to your data being processed before the end of this period.

IV) Create commercial profiles containing your data

Purpose: Provided that you have not opposed to the processing of your data, Bankinter will process the data indicated below in order to evaluate your personal characteristics to have a better knowledge or make predictions about your economic situation, personal preferences, interests or behaviour and, based on this analysis, create a business profile that allows the Bank to find out your interest in products and/or services that the Bank is interested in marketing. To this end, Bankinter will establish the frequency for sending commercial communications about these, creating new products and/or services, as well as improving the characteristics of the products/and or services offered.

Legitimate basis: Bankinter's legitimate interest in understanding its customers' preferences with a view to: 

(i) improving the customisation of commercial actions in relation to products and/or services to better respond to the needs and interests of its customers; 

(ii) limiting the number of contacts with customers, in such a way that communications received by them are not repetitive and adapt to their needs, tastes or preferences; 

(iii) creating new products and/or improving the characteristics of the products and/or services offered to you; which falls within the customers' reasonable expectation of privacy.

With this in mind, the need for creating profiles is not only to guarantee the effectiveness of campaigns, but most importantly the need to improve the products and/or services offered and limit the target audience of campaigns insofar as possible, with a view to minimising the impact on customers, making it possible for us to provide a more customised and higher quality service.

Origin of the data: The data processed for this purpose is obtained via: 

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter

• Data obtained by Bankinter as part of the contractual relationship between both parties, including data generated from the use of Bankinter homebanking and the app by the Customer as part of their relationship with Bankinter.

• Data generated at events organised by Bankinter in which you participated.

• Communication data established with the Data Subject through different means, such as telephone calls or video calls.

Data categories: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname, identification document details, taxpayer number, social security number;

• Contact details:  home address, telephone, mobile phone, email address; 

• Professional and socioeconomic data, including data on the professional activity you undertake and the company you work for; 

• Data about your personal characteristics: marital status, age, nationality, household, place of birth, date of birth, tax residence; 

• Data about different products and/or services that you have taken out with Bankinter, or in which you are involved in some way (legal representative of a minor or person with a disability, proxy, legal representative of a legal person); 

• Demographic data: statistical data associated with geographic areas, sectors of activity;

• Data on the financing and investments taken out with Bankinter;

• Data on entries and transactions arising from the use of the products and/or services you have arranged with Bankinter for a period of less than 1 (one) year. At no time will Bankinter process specially protected data (race, political or religious opinions, trade union membership, health, data relating to your life or sexual orientation, genetic and biometric data intended to exclusively identify a natural person);

• IP address, device ID and browsing history data. Also, if you have accepted the use of cookies, Bankinter may process data obtained as a result of your browsing its own or third-party websites;

• GPS data: provided that you have given your consent on the different devices. 

• Data about your status as a Bankinter shareholder (where applicable);

• Data from satisfaction surveys;

• Data about the communication preferences indicated to Bankinter to facilitate access to dialogue or the management of daily operations;

• Risk assessment or scoring.

Recipients: This processing does not provide for the transfer of personal data to third parties.

Duration of processing: Bankinter will process your data for this purpose, unless you have objected to this type of processing. Should your relationship with the company in your capacity as a customer come to an end, Bankinter will process your data for a maximum period of 1 (one) year after the end of the contractual relationship, unless you have objected to your data being processed before the end of this period.

Logic applied to the analysis: Bankinter will perform an analysis of your personal and economic characteristics to create a profile about you that allows us to predict the services and/or products that may be of interest to you or which fit your needs, tastes or preferences, as well as determining your willingness to take out these products and/or services and the likelihood of them being granted when they involve financing or deferred payment.

As a result, we can adjust your profile to the products and/or services offered and determine the appropriate frequency for communications to be sent. This analysis also allows us to detect the need to improve the products and/or services that we sell and even create new products and/or services to enhance the service we provide to you. 

When creating the profile, we will use mathematical methods and algorithms, as part of which the following variables will be taken into consideration: (i) your personal and economic situation; (ii) your preferences and needs, calculated based on our experience with you; (iii) your payment capacity, based on the internal information we have about you, as mentioned above; and (iv) prospecting customers, with characteristics similar to yours, to purchase products and/or services.

V) Preparing and analysing satisfaction surveys

Purpose: Bankinter may perform satisfaction surveys, both over the phone and electronically, with a view to assessing the products and/or services offered and that the Customer has purchased, as well as measuring service quality. 

Legitimate basis: The Bank's legitimate interest in determining the opinion and satisfaction of its Customers with the products and services offered with a view to offering a better service.

Origin of the data: The data processed for this purpose is obtained via:

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter; 

• Data obtained and generated as a result of the performance of the different products and/or services arranged with Bankinter.

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname, identification document details, taxpayer number, social security number;

• Contact details:  home address, telephone, mobile phone, email address; 

• Professional and socioeconomic data, including data on the professional activity you undertake and the company you work for; 

• Data about your personal characteristics: marital status, age, nationality, household, place of birth, date of birth, tax residence; 

• Data about different products and/or services that you have taken out with Bankinter, or in which you are involved in some way (legal representative of a minor or person with a disability, proxy, legal representative of a legal person).

Recipients: This processing does not provide for the sharing of personal data with third parties.

D) Processing based on customer consent

Pursuant to the provisions of Article 6(1)(a) of the General Data Protection Regulations ("GDPR"), Bankinter will perform the following processing tasks, provided that you have given your consent.

Bankinter hereby reminds you that you can withdraw your consent at any time, using any of the channels that Bankinter makes available and which you can consult in the "5. What are your data protection rights?" section.

I) Identification of customers via videoconference:

Purpose: When you provide us with your consent, we will use video conferencing systems to verify your identity. 

Origin of the data: The data processed for this purpose is obtained via: 

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter; 

• Biometric data obtained when using video conferencing.

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname, identification document details, taxpayer number, social security number.

• Image.

• Voice.

Recipients: Bankinter will not transfer your data to third parties unless to comply with legal obligations. When requested, data may be transferred to supervisory and regulatory authorities, as well as the court authorities as provided for in paragraph a) – Processing in compliance with legal obligations.

Duration of processing: Bankinter will process your data as long as it is necessary for the formal arrangement and performance of the contractual relationship. Once the contractual relationship has come to an end, Bankinter will store the data until any actions that can be taken to defend the interests of the Bank or its customers, or to respond to possible complaints and/or liability, expire.

II) Signing documentation using biometrics: 

Purpose: Bankinter will process your signature to formally arrange contracts and operations with Bankinter.

Origin of the data: The data processed for this purpose is obtained via:

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter.

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Biometric data, when you have provided Bankinter with your consent: signature.

Recipients: Bankinter will not transfer your data to third parties unless to comply with legal obligations. When requested, data may be transferred upon request to supervisory and regulatory authorities, as well as the court authorities as provided for in paragraph a) – Processing in compliance with legal obligations.

Duration of processing: Bankinter will process your data as long as it is necessary for the formal arrangement and performance of the contractual relationship. Once the contractual relationship has come to an end, Bankinter will store the data until any actions that can be taken to defend the interests of the Bank or its customers, or to respond to possible complaints, expire.

III) Inform you about products and/or services that are not similar to those you have arranged.

Purpose: Bankinter will process your data with a view to sending you commercial communications about products and/or services other than those arranged with Bankinter. To this end, Bankinter will contact you using any channel (including electronic) to inform you about products and/or services distributed by Bankinter, any company in the Bankinter Group and its subsidiaries or external companies with which Bankinter has entered into collaboration agreements. 

Origin of the data: The data processed for this purpose is obtained via:

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter.

• Contact details: home address, telephone, mobile phone, email address.

• Data on communication preferences that you have indicated to the Bank to facilitate accessibility and dialogue in the management of daily operations.

Recipients: This processing does not entail the communication of your personal data to third parties. Commercial communications will always be made by Bankinter.

Duration of processing: Bankinter will process your data for this purpose provided that you have given your consent. Should your relationship with the company in your capacity as a customer come to an end, Bankinter will process your data for a maximum period of 1 (one) year after the end of the contractual relationship, unless you have objected to your data being processed before the end of this period.

IV) Preparation of commercial profiles using internal and external data

Purpose: Bankinter will include in its files and/or analyse the data indicated below, with a view to evaluating personal aspects about you, improving its knowledge of you or making forecasts about your economic situation, personal preferences, interests or behaviour and, based on this analysis, create a commercial profile that allows us to: determine your interest in products and/or services that Bankinter is interested in selling; establish the frequency with which we send commercial communications about them; create new products and/or services, and/or improve the characteristics of the products and/or services offered to you.

Origin of the data: The data processed for this purpose is obtained via:

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter; 

• Data obtained and generated as a result of the performance of the different products and/or services arranged with Bankinter;

• Data obtained by Bankinter as part of the contractual relationship between both parties, including data generated from the use of Bankinter homebanking website and the Bankinter app by the Customer as part of their relationship with Bankinter;

• Data obtained at events organised by Bankinter that you have attended;

• Communication data via the different channels made available, such as telephone calls, chat tools or video calls;

• Data on the payment of taxes or fees submitted through Bankinter. At no time will Bankinter process specially protected data (race, political or religious opinions, trade union membership, health, data relating to your life or sexual orientation, genetic and biometric data intended to unambiguously identify a natural person);

• Financial data in relation to credit risk and non-compliance with pecuniary, financial or credit obligations.

Data category: the data categories processed by Bankinter for this purpose are as follows:

• Identification data: name and surname, identification document details, taxpayer number, social security number;

• Contact details:  home address, telephone, mobile phone, email address; 

• Professional and socioeconomic data, including data on the professional activity you undertake and the company you work for; 

• Data about your personal characteristics: marital status, age, nationality, household, place of birth, date of birth, tax residence; 

• Data about different products and/or services that you have taken out with Bankinter, or in which you are involved in some way (legal representative of a minor or person with a disability, proxy, legal representative of a legal person);

• Demographic data: statistical data associated with geographic areas, sectors of activity;

• Data on entries and transactions arising from the use of the products and/or services you have arranged with Bankinter over a period of more than 1 (one) year. At no time will Bankinter process specially protected data (race, political or religious opinions, trade union membership, health, data relating to your life or sexual orientation, genetic and biometric data intended to unambiguously identify a natural person);

• IP address, device ID and browsing history data. Also, if you have accepted the use of cookies, the Bank will process data obtained as a result of your browsing its own or third-party websites;

• GPS data: if the user has provided their consent across different devices;

• Data obtained from satisfaction surveys;

• Data about your communication preferences relayed to the Bank to enable accessibility for the purposes of dialogue or the management of daily operations;

• Risk assessment or classification data:

• Financial data in relation to credit risk and non-compliance with pecuniary, financial or credit obligations.

Recipients: This processing does not provide for the transfer of personal data to third parties.

Duration of processing: Bankinter will process your data for this purpose provided it has obtained your consent. Should your relationship with the company in your capacity as a customer come to an end, Bankinter will process your data for a maximum period of 1 (one) year after the end of the contractual relationship, unless you have objected to your data being processed before the end of this period.

Logic applied to the analysis: 

Bankinter will analyse your personal and economic characteristics to create a profile about you that allows us to predict the services and/or products that may be of interest to you or which fit your needs, tastes or preferences, as well as determining your willingness to take out these products and/or services and the likelihood of them being granted when they involve financing or deferred payment.

As a result, we can adjust the products and/or services offered to your profile and determine the appropriate frequency for communications to be sent. This analysis also allows us to detect the need to improve the products and/or services that we sell and even create new products and/or services to enhance the service we provide to you. 

When creating the profile, we will use mathematical methods and algorithms, as part of which the following variables will be taken into consideration: (i) your personal and economic circumstances; (ii) your preferences and needs, calculated based on our experience with you; (iii) your payment capacity, based on the internal and external information we have about you as indicated above; and (iv) the likelihood of customers, with characteristics similar to yours, to purchase products and/or services.

V) Transfer of your data to the Bankinter Group and/or Subsidiaries

Purpose: When you consent to this processing, Bankinter will transfer your data to companies in the Bankinter Group and/or Subsidiaries. You can find more information about the companies that are part of the Bankinter Group, at www.bankinter.com, in the “corporate web” option, by selecting the “Corporate Governance” tab and then going to the “Investees and Subsidiaries” section.

These companies will use your data for 2 (two) purposes:

a) Sending you, via any channel (including electronic channels), commercial communications about your products and/or services.

b) Assessing your personal characteristics and obtaining greater knowledge or making predictions about your economic circumstances, personal preferences, interests and behaviours with a view to creating a commercial profile about you. 

Origin of the data: The data processed for this purpose is obtained via:

• Data submitted by the Data Subject at the time of registration as a Bankinter Customer, as well as data they have provided when arranging different products and/or services with Bankinter.

• Data obtained and/or generated as a result of the performance of the different products and/or services arranged with Bankinter.

• Data obtained from the financial account aggregation service, provided you have given your consent. 

Data category: the data categories processed by Bankinter for this purpose are as follows:

A. Transfer of data to the Bankinter Group for it to provide you with information about its products and services: 

• Identification data – name and surname.

• Identification document details, taxpayer number, social security number

B. Transfer of your personal data to the Bankinter Group and/or its subsidiaries to assess your personal characteristics, interests and preferences, with the purpose of creating a commercial profile:

• Identification data: name and surname, identification document details, taxpayer number, social security number

• Contact details:  home address, telephone, mobile phone, email address; 

• Professional and socioeconomic data, including data on the professional activity you undertake and the company you work for; 

• Data about your personal characteristics: marital status, age, nationality, household, place of birth, date of birth, tax residence; 

• Data on entries and transactions arising from the use of the products and/or services you have arranged with Bankinter. At no time will Bankinter process specially protected data (race, political or religious opinions, trade union membership, health, data relating to your life or sexual orientation, genetic and biometric data intended to unambiguously identify a natural person).

Recipients: This processing involves sharing data with companies in the Bankinter Group.

Duration of processing: Bankinter will process your data for this purpose provided that you have given your consent. Should your relationship with the company in your capacity as a customer come to an end, the Bank will process your data for this purpose up to 1 (one) year after the end of the contractual relationship, unless you withdraw your consent before this period has elapsed.

You may, in the cases provided for and to the extent of the applicable legislation, exercise the following rights at any time:

• Access: right to know whether or not your personal data is being processed, what this data consists of and how it is being processed;

• Rectification: right to rectify your personal data when they are incorrect or out of date.

• Erasure: right to have your personal data erased, when they are no longer necessary for the purposes for which they were collected and there is no legal rule requiring their storage for a longer period.

• Opposition:  right to oppose, at any time, the processing of your personal data, for reasons related to your specific circumstances.

• Limitation of processing: right to ask that the data controller limit its data processing activities whenever any of the circumstances provided by law occur, namely, the accuracy of personal data is contested or they are not erased when they have been processed unlawfully.  

• Data portability: right to receive your personal data from the data controller in a structured, commonly used format, for you to transfer them to another data controller. 

• Automated individual decisions: right not to be subject to decisions based solely on the automated processing of your data, including profiling, that has a legal effect on you or significantly affects you in a similar way. 

Please note that you can withdraw your consent at any time.

To exercise these rights, you can contact Bankinter through the following channels: 

• Via the Telephone Banking Service: +351 210 548 000 (Call to the national fixed-line network. The cost of the call depends on the tariff you have agreed with your telecoms provider);

• At your Bankinter branch;

• In writing to Bankinter, S.A. – Sucursal em Portugal A/C Contas e Clientes, Av. do Colégio Militar, Torre Oriente n.º 37-F, 8.º andar, 1500-180 Lisbon;

• At: www.bankinter.pt (in the private area, when available);

• By email, writing to: privacidade.pt@bankinter.com

• You are also hereby informed that you have the right to file a complaint with the Portuguese Data Protection Commission at its website: www.cnpd.pt.

Generally speaking, Bankinter will not make automated individual decisions. However, if as part of the conclusion or performance of contracts relating to our products and/or services, decisions must be made solely based on the automated processing of your data, in other words, without any human intervention, which has a legal effect on you or significantly affects you (including but not limited to the refusal of credit you have requested), Bankinter will inform you about this processing as well as the logic applied in the decision adopted. 
In these cases, Bankinter guarantees that it will adopt appropriate measures to safeguard your rights and freedoms, giving you the right to request human intervention from Bankinter, express your point of view, obtain an explanation about the decision taken based on automated processing and contest the decision adopted by Bankinter.

Based on its legitimate interest, Bankinter may anonymise personal data provided by its customers or obtained as a result of the contractual relationship within the scope of the products and/or services taken out by them, with a view to analysing consumption patterns or use of services in an anonymised manner. As a result of this, the Bank creates analytical, solvency or behavioural models that allow Bankinter to determine, for example, who is eligible for a new financing product or even detect behaviour that could be considered fraudulent.

By using anonymisation, Bankinter is able to maintain the accuracy of the results of its personal data processing, preventing them from being associated, whether directly or indirectly, to a specific customer. As a result, individuals enjoy greater guarantees of privacy.

Bankinter will retain your personal data for as long as necessary for the correct management of the products and/or services taken out. Once the contractual relationship has come to an end, Bankinter will process your data for a period of 1 (one) year to:

a) If you have provided your consent: (i) send you commercial communications about products and/or services provided by the Bankinter Group, its subsidiaries or third parties other than those taken out, (ii) create profiles with your own and/or third party data and/or (iii) communicate your data to Group companies and/or their subsidiaries.

b) If you have not opposed the legitimate interest: (i) send you communications about products and/or services from the Bankinter Group and its subsidiaries similar to those you took out and that Bankinter is interested in selling and/or (ii) create profiles with your own data; based on its legitimate interest.

Once the period of 1 (one) year has elapsed, or if you object and/or withdraw your consent for the purposes indicated above, Bankinter will keep your data blocked and it will only be processed in the following cases:

a) Compliance with legal obligations. The Anti-Money Laundering and Counter Terrorist Financing regulations require that data be stored for a period of seven (7) years.

b) Undertake the necessary actions in the defence of the Bank's interests or the interests of its customers, or respond to any complaints filed and/or possible liability arising during the legal limitation periods established to this end.

c) As regards credit information systems: your data will be stored in these systems as long as there is a definite, liquid, past due and payable debt with Bankinter and for a period of 5 (five) years from the due date of the pecuniary obligation, unless a longer legal limitation period is applicable. 

d) In the case of Fraud Prevention: the data will be processed as long as you maintain a contractual relationship with Bankinter and, in the event that you cease to be a customer, until any actions that can be taken to defend the legitimate interests of the Bank or its customers, or to respond to possible complaints, expire.

Once the  aforementioned terms have elapsed, your personal data will be permanently deleted.

As indicated for each of the different types of data processing indicated in the previous sections, Bankinter may transfer your personal data to third parties, such as administrations, public authorities and organisations (including courts), Bankinter Group companies, fraud prevention systems or files, the Bank of Portugal's Central Credit Register, credit information systems or collaborating third parties. If you would like to obtain more information about the recipients of your personal data, please consult the section dedicated to each type of processing.
Additionally, service providers that Bankinter hires or may hire and who have the status of Subcontractors may have access to your personal data. 
You can check the list of provider categories at: https://www.bankinter.pt/privacidade/fornecedores.

In general, Bankinter will only process your personal data within the European Economic Area (European Union countries, Liechtenstein, Iceland and Norway). 

Outside the European Economic Area, the level of personal data protection may not be the same, which is why, when performing international transfers, obtaining sufficient guarantees about an adequate level of protection are necessary. 

In this sense, Bankinter performs two types of transfers:

a) International transfers to international authorities and official organisations upon their request and pursuant to the regulations against organised crime and serious crime, anti-money laundering and counter terrorist financing or fraud prevention. In each of these cases, Bankinter will duly inform you about the specific type of transfer made, as well as the applicable guarantees;

b) Transfers to international service providers who provide services to Bankinter, provided that the transfer is made: a) to countries with a level of protection equivalent to that of the European Union (European Commission suitability decisions); b) subject to standard data protection clauses adopted by a supervisory authority and/or the European Commission; or c) based on any other appropriate guarantee, pursuant to the legislation in force.