
Privacy Policy

Cajasur, S.A.U. maintains a firm commitment as regards the protection of personal data and the confidentiality of our customers’ information, as well as providing updated and comprehensive information at all times of the data processing undertaken by the organisation, in accordance with prevailing regulations. We therefore inform you below of how we process your personal data in Cajasur, S.A.U. (hereinafter, Cajasur).

 

Basic Information

 

Basic Information on Data Protection

Controller

Identity: Cajasur, S.A.U.

Postal address: Ronda de los Tejares 18 – 24, 14001 (Córdoba).

Email address: info@cajasur.es

Data Protection Officer Contact: dpo@grupokutxabank.com

Data categories used

You may find detailed information in section 3 of this Policy

  • Data you have provided us with when taking out your contracts or during your relationship with us
    • Identification and contract data, level of income, products and services taken out, relationship with the product (condition of holder, authorised person or representative), MiFID category.
  • Data relative to the maintenance of products and services.
    • Financial data, products taken out with the Entity and historical record of payments.
    • Data obtained from the communications between both parties on walls, videoconferences, telephone calls or equivalent media, and data obtained from your browsing through our webpages or mobile applications and the browsing carried out thereof (device ID, advertising ID, IP address and search history), if you have accepted the use of cookies and similar technologies in your navigation devices.
    • Data collected on call recordings.
  • Data inferred or deduced by Kutxabank from the analysis and processing of remaining data categories.
    • Customer groupings in categories or segments, or categorising in accordance with the Markets in Financial Instruments Directive (“MiFID”).
    • Scoring assigning payment or non-payment probabilities or risk limits.
  • Data you have provided to us directly, obtained from sources accessible to the public, public registers or external sources. These data are:
    • Data on asset and credit solvency obtained from the Asnef and Badexcug files
    • Data on risks maintained in the financial system obtained from the Bank of Spain’s Risk Information Centre (CIRBE)
    • Data of persons or entities included in laws, regulations, guidelines, resolutions programmes or restrictive measures in terms of international economic-financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, the United Kingdom and/or the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).
    • Data accessible to the Public such as those resulting from press inquiries, SM, internet newspapers and official bulletins, public registries, or resolutions from Public Administrations.

Main purposes for processing and legitimation

You may find detailed information in Section 4 of this Policy

  • Customer registration, study of contracting requests, application of pre-contractual measures and performing of risk assessments.
  • Forming, managing, controlling, maintenance and updating of the contractual relationship, including managing customer complaints.
  • Meeting accounting, legal, tax and administrative obligations, including those related to creditworthiness, prevention of money laundering and/or fraudulent conduct.
  • Processing of data relating to the compliance or non-compliance of monetary obligations of legally qualified cases or based on the consent of the data subject.
  • Meeting the existing legal obligations in terms of money laundering and the financing of terrorism.
  • Processing aimed at the prevention of fraudulent conduct based on the legitimate interest of Cajasur.
  • Sending commercial communications protected by the consent of the recipients or, where applicable, in legitimate interest.
  • Profiling for taking out products and additional scoring and risk assessment processing, protected by the concept of legitimate interest or, where applicable, on the consent of the data subjects, according to the data used. If this processing gives rise to automated decisions which significantly affect you and are not necessary for formalising a contract, these will always be based on compliance with legal obligations or on your consent.
  • Processing carried out for promotions and draws based on the consent of the data subject.
  • Processing of video surveillance based on Cajasur’s compliance with legal obligations in terms of security of the transactions and bank facilities.
  • Processing for statistical purposes and the internal monitoring of the Entity based on its legitimate interest.

Recipients

You may find detailed information in section 6 of this Policy

  • Regulatory and supervisory authorities (e.g., the Bank of Spain and the European Central Bank).
  • Group Companies, and official authorities or bodies including from other countries, located within or outside the European Union, in the framework of the fight against the financing of terrorism and serious forms of organised crime and the prevention of money laundering.
  • Bank of Spain’s Risk Information Centre.
  • Files relative to the failure to comply with monetary obligations in the event such non-compliance were to concur.
  • Financial Ownership File.
  • Courts of law and State Law Enforcement Forces and Bodies.
  • Audit entities.
  • Other entities acting as necessary collaborators in transactions, in particular Prescribers, Real Estate Market Intermediaries, linked or not such as real estate portals, Notaries Public, and Public Registries.

Rights

The data subject may submit a claim before the control authority, as well as exercise his/her rights of access, rectification, cancellation, objection, limitation of processing, portability and not to be subject to automated individual decision making as regards his/her personal data, in writing by means of a communication addressed to the registered office of the process controller stated above.

Origin

  • Directly from the data subject, his/her legal representative or attorney in fact.
  • Obtained from public and private entities with which collaboration agreements are established.
  • Sources accessible to the Public such as the press, SM, the internet, newspapers and official bulletins, public registries, or resolutions from Public Administrations.

Cajasur has developed this customer personal data protection Policy, which customers may access at any time from www.Cajasur.com/privacidad, where you may consult the full details of how we will use your personal data in the relationships we establish with you. Similarly, you may request this information on paper from any of our branch offices.

 

In order to manage your relationship with us, Kutxabank will process your personal data for each one of the purposes we inform you of in this Policy and always in accordance with prevailing regulations, respecting your rights and with total transparency.

 

1 Applicable regulations.

The main regulations regulating the processing of your data are:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter GDPR)
  • The Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPD).

 

2 Controller

Controller: The controller of your personal data in your contractual and business relations with us is Cajasur, S.A.U. with registered office at postal address: Ronda de los Tejares 18-24, 14001 (Córdoba). Email: info@cajasur.es.

 

Cajasur has appointed a Data Protection Officer, who will help answer any question relative to the processing of your personal data and the exercising of your rights. You may contact the Data Protection Officer to submit your suggestions, questions, misgivings or claims at this address: dpo@grupokutxabank.com

 

Cajasur has also entered into a joint responsibility processing contract with Kutxabank Pensiones, for the management and administration of Pension Plans.

 

The major aspects of said agreement are as follows:

 

The purpose of processing the personal data of the ordinary members and beneficiaries of Pension Plans by Kutxabank Pensiones is to formalise, manage and execute the contractual relationship of adhesion of such ordinary members and beneficiaries to the Welfare Plans. The execution of this contract constitutes the legitimate basis of this processing.

 

The purpose of personal data processing by Cajasur is to guarantee its customers a high-quality service, increased protection of their interests and better monitoring of any incident that may arise from the contractual relationship of adhesion to any of the products. The legitimate basis of this processing is the legitimate interest of providing quality assistance to the members of said Entities as well as strengthening the guarantees for the correct administration of this type of transaction.

 

On the grounds referred to, the operation related to the processing of personal data performed by Cajasur, on your behalf and in its name, and in the name of each one of the joint responsible parties.

 

In any case, you may exercise your rights to Cajasur S.A.U.

 

Cajasur also has a co-responsibility agreement constituted with the Entities subscribed at the information sharing service for fraud prevention. You may find information of the Entities adhered to said file at  

https://www.iberpay.es/es/servicios/servicios/prevenci%C3%B3n-del-fraude/#tab-4

 

The processing consists of the recording and consulting of suspicious or unauthorised transaction data in the common repository operated by Iberpay as controller, with the aim of detecting and preventing transactions suspected of fraud, or whose fraudulent conditions have been expressly recognised by the affected holder. The legitimate basis is the legitimate interest of the account holders who may be affected by fraud committed by third parties, as well as that of the Entity, in detecting and preventing fraud in the transactions in and out of your account.

 

3 Data categories

Cajasur will process different personal data in order to manage your requests for information or pre-contractual or contractual relations you enter into with us.

 

Outlined below are the data categories we will process, knowing that not all the data categories listed are used for all data processing.

 

In the details of the processing activities that we carry out, contained in section 4, you may specifically consult each particular processing of the data categories used, therefore counting on the necessary information enabling you, if you wish, to exercise your rights recognised by the GDPR, particularly those of opposition and withdrawal of consent.

 

The data categories used in the different processing are as follows:

 

  • Data you have provided us with when registering your contracts or during your relationship with us, be this directly or through your legal representative or attorney in fact, as well as by public and private entities with which processing agreement arrangements are established:

 

  • Identification and contract data: your identification document, name and surnames, gender, postal address, telephone and email, address of residence, nationality and date of birth information. Your condition as a Politically Exposed Person or relationship with a Politically Exposed Person in accordance with money laundering regulations and for this sole purpose.
  • Socio-economic data: details of your professional or working activity, income or remuneration, family unit or circle, level of education, equity, fiscal and tax data. 
  • Financial data: products and services entered into, relationship with the product (holder, authorised or representative status), category in accordance with Markets in Financial Instruments Directive (MiFID).
  • Biometric data: fingerprint, and facial recognition.
  • Data collected in call recordings: Cajasur may record the calls or electronic communications it maintains with you (via email, chat, SMS, instant messaging applications, social media or any other equivalent medium that may be used) as well as keeping computer and telematics records of access to services.

If necessary, Cajasur may use such recordings as a means of evidence in legal, administrative or arbitration proceedings, or proceedings of any other nature that might arise. These recordings are based on Cajasur’s legitimate interest in undertaking quality and security controls and obtaining proof of the orders and transactions made by the customer, or result from compliance with legal obligations, such as those calls relative to investment services, among others. In this regard, the recording and registering of all calls and/or communications shall be notified by Cajasur.

  • Data recorded by video surveillance cameras exclusively for this type of processing.
  • Third-party data provided by you:

Cajasur may process personal data of third parties provided by you, the processing of which is required for the performance of a contract. In this regard, you guarantee that you have informed and obtained the consent of such third parties for the processing of their personal data (beneficiaries, family members, guarantors, etc.) by Cajasur. You guarantee, additionally, having informed these third parties of the rights they are entitled to in terms of data protection. Said third parties may contact Cajasur to exercise their rights in accordance with the procedure detailed in section 8.

In cases in which the personal data are provided by persons holding parental authority or by the legal representatives of disabled persons, the former are authorised to collect the data as well as their use and processing by Cajasur for the purposes described in this Policy.

 

All data collection, in the event it occurs, originating from information you have provided to third parties and handed over by said third parties to Cajasur, requires consent prior to incorporating these data into the Cajasur S.A.U. databases.

In this case, Cajasur will contact you within a month at the latest in order to provide you with the information contained in this customer personal data protection Policy.

 

You ensure the veracity of the personal data provided to Cajasur during the entire contractual relationship and undertake the obligation of notifying the Bank of any change thereof in accordance with this data protection policy. Cajasur may, in any case, and without prejudice to its referred communication obligation, regularly request the review and updating of the personal data the entity maintains about you; it is also legitimated to conduct the appropriate verifications, within the prevailing regulations.

  • Data on the maintenance of products and services. These data are:
    • Financial data: information of the entries and transactions excluding the processing of information referring to third party issuers of bills or payment recipients, information on investments made and their evolution, information on financing, transaction statements with debit and credit cards, products entered into with the Entity and payment history.
    • Digital data: data obtained from the communications we have established between you and us on walls, videoconferences, telephone calls and equivalent means and the data obtained browsing through our websites or mobile applications and the browsing you carry out thereof (device ID, advertising ID, IP address and browsing history), in the case you have accepted the use of cookies and similar technologies in your navigation devices.

You may consult the details of the information on Cajasur’s policy of processing related to cookies on each one of the Cajasur proprietary websites. This processing carried out through cookies, except those necessary for the functioning of the website, will only be carried out if Cajasur has the consent provided in each one of the existing Webs, where you are provided in the Cookies Policy section with all the information on this type of processing.

Additionally, in the case of your browsing habits, these will include the websites visited by you. For carrying out this processing we will request your prior consent for each and every one of the said processing.

  • Geographical data: the geolocation data in your mobile device provided due to the installation and/or use of our mobile applications, when you have authorised as such in the settings of the application.

 

Under no circumstances will we process data that may infringe upon the principles of competition or business secrets.

 

  • Data inferred or deduced by Cajasur from the analysis and processing of the remaining data categories. These data are:
    • Customer groupings in categories and segments according to objective criteria such as age, income level, real estate, operations, consumption of products and services, or preferences or dispositions to contracting products, or classification in accordance with the Markets in Financial Instruments Directive (“MiFID”).
    • Scorings that assign probabilities of payment or non-payment or risk limits.

 

It is important to understand that we do not infer any data that may contain information which reveals your ethnic or racial origin, political opinions, religious or philosophical convictions, union affiliation, the processing of genetic data, data relative to health or data relative to your life or sexual orientation (“Special data categories”).

 

 

  • Data you have not directly provided us with, obtained from sources open to the public, public registries or external sources. These data are:

 

  • Data on asset and credit solvency obtained from the Asnef and Badexcug files.
  • Data on risks maintained in the financial system obtained from the Bank of Spain’s Risk Information Centre (CIRBE).
  • Data of persons or entities included in laws, regulations, guidelines, resolutions, programmes or restrictive measures in terms of international economic-financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, the United Kingdom and/or the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).
  • Data accessible to the Public such as those resulting from press inquiries, SM, internet newspapers and official bulletins, public registries, or resolutions from Public Administrations.

 

4 What processing do we carry out on your data?

 

The processing we carry out responds to different purposes and legal bases.

 

4.1 Processing customer registrations and contract requests or concluding contracts.

 

Description of the processing

 

Prior to registering your data in our systems, we will inform you of this customer personal data protection policy and then request the minimum data needed to commence the pre-contractual activity or contractual relationship you request.

 

Cajasur will carry out the following processing, among others:

 

  • Collect the data of the documents required for managing the acceptance of its customers.
  • Manage the taking out of a product.
  • Apply the risk approval policies, enabling the profiling of your creditworthiness necessary for analysing the feasibility of concluding the contract requested.
  • Evaluate the appropriateness of your investment profile for taking out MiFID investment products and services.
  • Formalize the signing of the product and service contracts.

 

Purpose of the processing

 

The purpose of this processing is to treat your personal data in order to handle and analyse your registration as a customer, the contract request or the concluding of the contracts.

 

Basis of the processing

 

The processing will be carried out in accordance with the obligations set forth in the prevailing legislation at all times as regards the acceptance and registration process of customers and the contracting processes of each one of the products.

 

 

Data categories used

 

The data Cajasur will use for these purposes are:

  • Data you have provided us with when entering into contracts and during your relationship with us.
  • Data relating to maintaining products and services.
  • Data inferred or deduced by Cajasur from analysing and processing of the remaining data categories.
  • Data you have directly provided us with, obtained from sources accessible to the public, public registries or external sources.

 

  • Additionally, for entering into loan and credit transactions, Cajasur may process, where applicable, the data obtained from different information issuing entities on asset solvency and creditworthiness, including the Bank of Spain’s Risk Information Centre, as well as profile according to statistical analyses, sociodemographic data or consult asset solvency databases or other sources accessible to the public outlined in this Policy. All of this is done in accordance with our legal obligation of analysing the solvency and risk of the transaction requested.

 

4.2 Developing, controlling and updating the contractual relationship

 

Description of the processing

 

The processing operations to carry out are as follows:

  • Processing the requests or mandates provided by you,
  • Managing operations, charges, recoveries,
  • Carrying out audit activities and where applicable, the management and control of the preliminary, administrative, judicial or arbitration files affecting Cajasur within the framework of the contractual relationship. 
  • Receiving, processing, managing, responding and reporting to claims received.

 

Purpose of the processing

 

The purpose of the processing is to develop, control, maintain and update the contractual relationship we have formalised.

 

Basis of the processing

 

This processing is required for maintaining the contractual relationship we establish and failure to provide them would make it impossible to manage such relationship, as it is based on meeting the contractual and legal obligations of the Entity.

 

Data categories used

 

The data Cajasur will use for this purpose are:

  • Data you have provided us with when entering into contracts or during your relationship with us.
  • Data relative to maintaining your relationship with us.

 

Data transfers

 

Cajasur may transfer your data to the competent authorities, control and supervisory bodies and legal, administrative or tax authorities, for the purpose of meeting the applicable regulations at all times, in particular, but not limited, to the banking or financial sector. In addition, Cajasur may transfer your data to collaborators needed in processes such as agents, auditors, Notaries Public and Public Registries.

 

4.3 Meeting accounting, legal, tax and administrative obligations.

 

Description of the processing

Without limitation, the most relevant processing carried out for these purposes is outlined below.

  • Meeting the Entity’s accounting obligations.
  • Meeting the tax obligations of the Entity as well as that of natural or legal persons as regards individual taxation as a result of the operations executed.

 

Purpose of the processing

 

The purpose of the processing is to meet the accounting, legal, tax and administrative obligations.

 

Basis of the processing

 

The processing of your data is necessary for meeting the accounting, tax and legal obligations required from the Entity for its activity.

 

Data categories used

  • Data you have provided us with when entering into contracts or during your relationship with us.
  • Data relative to maintaining your relationship with us.

 

Data transfers

 

Cajasur may transfer your data to the competent authorities, control and supervisory bodies and legal, administrative or tax authorities, for the purpose of meeting the applicable regulations at all times, in particular, but not limited, to the banking or financial sector. In addition, Cajasur may transfer your data to collaborators needed in processes such as agents, auditors, Notaries Public and Public Registries.

 

4.4 Compliance/non-compliance of monetary obligations.

 

Description of the processing

 

The processing carried out for these purposes is as follows:

 

Reporting data relative to non-payments to files relative to the compliance or non-compliance of monetary obligations, in accordance with data protection regulations. Cajasur will ensure the compliance of the regulatory obligation that its debts are exact, due and enforceable and have not been subject to legal, arbitration or administrative claim on its part.

 

Consulting data in asset solvency and creditworthiness files, to the extent required, to judge economic solvency prior to contracting or for the appropriate monitoring of the transactions already contracted. On the basis of these consultations, Cajasur may come to decisions that affect you, including, where applicable, not entering into contract. If the reason for refusal of a transaction is based solely on the circumstance of your presence in the assets solvency files you will be informed of such reason.

 

Purpose of the processing

 

The purpose of the processing is to maintain the security of economic traffic, thereby contributing to safeguarding the general interest and make it possible to improve the risk analyses performed by the Entity in order to protect free commercial exchange under conditions of security and solvency.

 

Basis of the processing:

 

This processing is carried out in order to meet the regulations on the responsible granting of loans and remaining applicable legal measures required.

 

Data categories used

  • Data you have provided us with when entering into contracts or during your relationship with us.
  • Data relative to maintaining your relationship with us.
    • Resulting from the situation of your credit transactions in default, specifically the balance due for these and the duration of the irregular situation.
  • Data you have directly provided us with, obtained from sources accessible to the public, public registries or external sources. These data are:
    • Asset and credit solvency data obtained from the Asnef and Badexcug files.
    • Data on the risks maintained in the financial system obtained from the Bank of Spain’s Risk Information Centre database (CIRBE).

 

Data transfers

Data relative to defaults may be reported to files relative to the compliance or non-compliance of monetary obligations, Badexcug (Experian) and Asnef (Equifax) and to CIRBE in accordance with its specific regulations.

 

4.5 Compliance on Money Laundering and Terrorist Financing.

 

Description of the processing

 

The processing carried out with these purposes is as follows:

  • Obtain the information and documentation necessary to meet the due diligence and knowledge of the customer obligations, particularly as regards the identity, economic activity and contractual purpose of customers. In addition, verify if you or close relatives hold or have held politically exposed positions.
  • Contrast the information obtained with external sources or databases from public registries, official bulletins or businesses that provide information services.
  • Verify your relationship with companies and, where applicable, your control position thereof.
  • Report and update your information in the Financial Ownership File, responsibility of the Executive Service for the Prevention of Money Laundering and Monetary Offences (SEPBLAC).
  • Carry out an analysis on suspicious money laundering operations in order to meet the obligations established in the specific regulations.
  • Report information to the Executive Service for the Prevention of Money Laundering and Monetary Offences (SEPBLAC).
  • Check whether you are in the lists of persons or entities on which there are sanctions and international financial counter-measures imposed by the European Union, the Kingdom of Spain and other international lists.

 

Purpose of the processing

 

The purpose of the processing is the prevention of criminal activities and those related to money laundering and the financing of terrorism as defined in the specific regulations.

 

Basis of the processing

 

This processing is carried out in order to comply with the prevailing legislation on the prevention of money laundering and the financing of terrorism which obliges banking entities to obtain information and documentation from their customer as regards their identity and the economic activity in order to apply due diligence and knowledge of customer measures.

 

Data categories

  • Data you have provided us with when entering into contracts or during your relationship with us.
  • Data relative to the maintaining of products and services.
  • Data inferred or deduced by Cajasur from the analysis and processing of the remaining data categories. These data are:
  • Data you have directly provided us with, obtained from sources accessible to the public, public registries or external sources, in particular the data of persons or entities included in laws, regulations, guidelines, resolutions, programmes or restrictive measures in terms of international economic-financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, the United Kingdom and/or U. S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).

 

 

Data transfers

Regulations in force require and enable Cajasur to share information with subsidiary Entities that form part of the Represented Group for the Prevention of Money Laundering and the Financing of Terrorism to this end.

 

Likewise, Cajasur has the obligation of declaring to the Financial Ownership File the opening or cancelling of any current accounts, savings accounts, stock accounts or time deposits, as well as any modifications thereof, consequently your identification data will form part of this file created for the purpose of preventing and deterring money laundering and the financing of terrorism. The body responsible for this file is the Secretary of State for the Economy and Business Affairs.

 

4.6 Prevention of fraudulent conduct.

 

Description of the processing

The processing carried out for this purpose is:

  • Analysing and reviewing the transactions conducted through our systems for managing fraud risks and protecting our customers.
  • Consulting your data in external databases managed by law enforcement forces and bodies to protect you from fraud.

 

Purpose of the processing

 

The purpose of this processing is the prevention, detection and/or pursuit of fraud.

 

Data categories used

 

The data categories used for this purpose are:

  • Data you have provided us with when entering into contracts or during your relationship with us.
  • Data relative to maintaining products and services.
  • Data inferred or deduced by Cajasur from the analysis and processing of the remaining data categories.
  • Data you have directly provided us with, obtained from sources accessible to the public, public registries or external sources.

 

Basis of the processing

The basis of the processing is the legitimate interest of the account holders who may be affected by fraud committed by third parties, as well as Cajasur’s interest in ensuring the detection and prevention of fraud in the banking transactions to and from your account.

Data transfers

With the exclusive goal of preventing criminal situations, and provided it has sufficient evidence for determining the existence of a possible fraud, Cajasur will be entitled, in order to prevent it, to transfer the data of its Customers to Cajasur, or to outside companies affected by said situation.

 

Processing referring to the Information Sharing Service to prevent fraud.

 

Co-controllers for processing

     

All the financial institutions that have joined this common file are responsible for it as co-controllers of the processing. The Entity makes the essential aspects of this co-responsibility agreement available, and you may request them by email from our Data Protection Officer at dpo@grupokutxabank.com. Similarly, you may consult the updated list of entities that have joined the common file at

https://www.iberpay.es/es/servicios/servicios/prevenci%C3%B3n-del-fraude/#tab-4

 

Description of the processing

 

Registering and consulting data of suspicious or unauthorised transactions in a common repository operated by Iberpay as data processor.

 

Purpose of the processing

 

Processing is based on the legitimate interest of the account holders who may be affected by fraud committed by third parties, as well as that of the Entity, in order to ensure the detection and prevention of fraud in transactions coming into and out of your account.

 

Data categories used

 

  • Data you have provided us with when entering into contracts or during your relationship with us, either directly or through your legal representative or attorney in fact, as well as from the public or private entities with which processing agreements are established:
    • Identification details:
      • Name, Surnames and ID Card.
  • Data relative to the maintenance of products and services:
    • Data relative to a suspicious or unauthorised transaction.
    • IP connection data.
    • Geolocation.
    • Device identification.

Conservation period

 

  • Data corresponding to suspicious transactions will be conserved in the repository for a period of one month.
  • Data corresponding to unauthorised transactions will be conserved in the repository for a period of 12 months.

 

4.7 Remittance of commercial communications

 

Description of the processing

 

The processing carried out for this purpose is sending generic or personalised commercial communications to promote products and services marketed by Cajasur, by post, mailing, fax, SMS, email or any other medium.

 

Purpose of the processing

 

The purpose of this processing is to offer you products and services of interest marketed by the Bank and by third-party collaborators in the banking and financial, real estate and services sectors.

 

Data categories used

 

  • Data you have provided us with when entering into contracts or during your relationship with us by means of interviews or forms.

 

 

Basis of the processing

 

This processing is carried out on the basis of your explicit prior consent to receiving commercial communications. Said consent may be withdrawn at any time, through any of the channels available for exercising your rights and outlined in this Policy.

 

To promote other types of products from other subsidiary companies or third-party collaborators, particularly in the insurance sector, we also require your express prior consent. In any case, this consent is revocable, and the customer may also oppose such processing at any time.

 

In this regard, we would like to inform you that Cajasur holds the status of exclusive bank-insurance agent of Kutxabank Vida y Pensiones and Kutxabank Aseguradora, which means that all the insurance products marketed by the bank go through said insurance companies.

 

As an exception, Cajasur considers that in relation to the data subjects who were customers of the Entity prior to the entry into force of the GDPR it has the legitimate interest of promoting its business activity making offers exclusively of credit or savings products and services. In order to do this, Cajasur has carried out the corresponding weighting analysis of its interests with the rights and freedoms of the data subjects.

 

4.8 Commercial profiling.

 

Description of the processing

 

The processing carried out with this purpose is commercial profiling in order to identify the customer segment and adapt the offer of products and services.

 

The profiling done with your personal data is as follows:

  • Segmentation of profiles to offer you products and services of interest to you:
    • Segmentation processing based on your age and the products previously contracted with the Entity.
    • Identifying products and services we believe may be of interest to you based on the available data; in these cases no data obtained from external sources, including asset solvency files, is used.
  • Risk profiles for offering financing products:
    • Determining your solvency and payment capacity in order to offer or respond to future financing requests as swiftly as possible. The logic we apply to such processing is essentially based on the data you provide on your income level, on your savings capacity, which we deduce from your operations with us, and on our experience with you in previous transactions.

 

Purpose of the processing

 

The purpose of the processing is to apply statistical and customer segmentation techniques to your data in order to provide you with commercial offers suited to your needs and preferences, as well as to monitor the services contracted.

 

Data categories

 

The data categories processed for this purpose are:

  • Data you have provided us with when entering into contracts or during your relationship with us by means of interviews or forms.
  • Data relative to maintaining products and services.
  • Data inferred or deduced by Cajasur from the analysis and processing of the remaining data categories.

 

Cajasur would like to expressly inform you that data which you have not provided to us directly, obtained from the information contained in the asset solvency files, will not be used for profiling. Cajasur will only incorporate the information contained in such files when you request a loan or credit transaction or if we have your express consent.

 

Basis of the processing

 

The processing is carried out on the basis of the Entity’s legitimate interest in performing its duties with the maximum efficiency and quality, both intrinsic to the Entity and as perceived by you as a customer.

You may oppose the carrying out of this type of processing at any time by any of the means mentioned in point 8 of this Policy.

 

By contrast, if external databases are used to produce this information, particularly the information contained in the asset solvency files, the processing will only be carried out if you have requested a loan or credit transaction or we have your express consent.

You have the right to revoke the provision of said consent at any time.

 

4.9 Promotions and draws.

 

Description of the processing

 

The processing carried out for this purpose relates to the processing of your access requests for promotions or draws organised by Cajasur, which we understand to be in your interest, without the need for you to expressly register for them.

 

Purpose of the processing

 

The purpose of the processing is to present you with promotions offered by the Entity to its customers without the need for you to expressly register for them.

 

Data categories

 

The data categories we will process for this purpose are:

  • Data you have provided us with when entering into contracts or during your relationship with us.
  • Data relative to the maintenance of your products and services.

 

Basis of the processing

 

This processing is based on the legitimate interest in managing your contracts, but your consent will be required before you accept a prize, and therefore no processing will be carried out if you have previously declared your opposition to being the subject of advertising campaigns.

 

4.10 Security of the facilities. Video surveillance

 

Description of the processing

 

The processing carried out for this purpose is to capture and record images through the equipment installed in Cajasur’s offices, branch offices, buildings and corporate centres.

 

Purpose of the processing

 

The purpose of the processing is to implement the necessary security measures to protect our customers and the Entity’s assets and to prevent economic and reputational damage. The surveillance camera systems are installed for Cajasur security purposes. Cajasur will not be able to use surveillance cameras in a way incompatible with the purpose expressly described and agrees to save the images recorded in good faith and in accordance with such purpose.

 

Data categories

 

The data categories we will process for this purpose will be the images captured by the video surveillance cameras.

 

Basis of the processing

 

The basis of the processing is the legal obligation of Cajasur to protect its facilities, staff and customers in accordance with Private Security Regulations.

 

Data transfers

 

The data may be transferred at the request of judicial authorities or State law enforcement bodies or forces when this is required in the fulfilment of their obligations.

 

4.11 Processing for the statistical and internal monitoring purposes of the Entity.

 

Description of the processing

The processing carried out for monitoring and compiling activity statistics in the Entity is:

  • Pooling customer data for producing statistics.
  • Organising the data for drafting reports and statistical models.

 

Purpose of the processing

The purpose of the processing is to draft statistical reports and mathematical models for managing and monitoring the Entity’s activity.

Data categories

The data categories we will process for this purpose are:

  • Data you have provided us with when entering into contracts or during your relationship with us by means of interviews or forms.
  • Data relative to maintaining products and services.
  • Data inferred or deduced by Cajasur from the analysis and processing of the remaining data categories.

 

Basis of the processing

The basis of the processing is Cajasur’s legitimate interest in developing its business activity.

 

5 How long do we keep your data?

Cajasur will keep your data during the term of the contractual relationship.

 

The processing of data based on consent will remain in force until you expressly revoke that consent or the contractual or business relations you have established with us come to an end.

 

Upon the withdrawal of consent or the end of contractual or business relations, we will implement technical and organisational measures to ensure your data are only used in accordance with the legal obligations in force.

 

The Entity will destroy your data within the deadlines set forth by the legislation in force that regulates Cajasur’s activity, taking into account the statutes of limitations of administrative or judicial actions.

 

The personal data provided in the phase leading to the formalisation of the business relationship or the contracting of a product or service will be kept by Cajasur for six months at the latest, unless a longer period is determined in the request. Nevertheless, if you wish, you have the right to request the effective removal of your data in a shorter period.

 

As regards the video surveillance recordings, the Private Security regulations applicable to Cajasur establish a maximum data retention period of fifteen days from the date of recording, unless the competent judicial authorities or the Law Enforcement Bodies and Forces provide otherwise.

 

 

6 What recipients do we communicate your data to?

Cajasur Banco S.A.U. will not transfer any of your data, unless such transfer is carried out based on a legal or contractual obligation with you, such as those listed below:

  • Supervisory authorities for compliance with monitoring and control requirements and actions.
  • Subsidiary companies obliged by the regulation of Money Laundering and the Financing of Terrorism and official authorities or bodies from other countries, located within as well as outside the European Union, in the framework of the fight against the financing of terrorism, serious forms of organised crime and the prevention of money laundering.
  • Courts and Tribunals, and State Law Enforcement Forces and Bodies, in the event Cajasur may be required to communicate personal data.
  • The Bank of Spain’s Risk Information Centre and files relative to the non-compliance of monetary obligations, in the event such non-compliance were to occur.
  • Entities acting as necessary collaborators for processing your contracts and managing your products and services, such as Notaries Public, Public Registries and real estate market brokers and intermediaries, bound or not, such as real estate sites, expressly recognised and informed.
  • Suppliers and third parties with which Cajasur has entered into contract for the provision of services which involve the processing of personal data.

In these cases, Cajasur guarantees that said contracts for commissioning processing shall be formalised into one contract containing all the guarantees required by current legislation. The processing controllers may in no case use your data for their own purposes or others different to those specified in each one of the contracts.

 

 

7 International Data Transfers

Cajasur does not make data transfers to other companies located or whose servers are located outside the European Economic Area. However, in those exceptional circumstances in which such international transfers do occur, Cajasur will adopt the necessary measures for these to be sent to a country or organisation that has provided the appropriate guarantees or these can be based on legitimate principles established by regulations.

                                            

8 Exercising rights

You may exercise your rights of access, rectification, opposition, cancellation, limitation and portability of your personal data, of withdrawing your consent and of not being subject to automated decision-making, in accordance with the law.

You may request to exercise these rights through any of the following channels, submitting your request, accompanied if necessary, by a copy of your identification document:

  • Via mail to our corporate address
  • Via email to info@cajasur.es
  • Directly to our data protection official at dpo@grupokutxabank.com
  • In addition, if you have any claim derived from the processing of your data, you may address it to the Spanish Data Protection Agency (www.aepd.es).

 

Rights

  • Access
  • Rectification
  • Cancellation
  • Opposition
  • Opposition to automated individual decisions
  • Limitation of processing
  • Portability

Considerations and service channels

  • In order to exercise your rights, you must send a written communication to Cajasur’s registered office or by sending an email to info@cajasur.es attaching a copy of your ID Card to this request in both instances.
  • Exercising these rights is free of charge.
  • If you consider we have not processed your data in accordance with regulations, you may contact the Data Protection Officer at dpo@grupokutxabank.com
  • In any case, you may submit a claim before the Control Authority, specifically the Spanish Data Protection Agency on C/Jorge Juan nº 6, 28001, Madrid.

 
