The legal basis of this data processing is your consent.

We may have requested your consent through the various channels; during your onboarding interview as a customer, through our advisors or agents, via our electronic channels, or through one of the CaixaBank Group companies that shares joint responsibility for the specific processing activity.

If we have never requested your consent, such processing will not apply to you. You may check the authorisations that you have consented to or refused, and change your decision at any time and at no cost at our branches, at the CaixaBank website (www.caixabank.es) or on mobile apps, and at the website of the CaixaBank Group companies acting as joint controllers of the processing activities.

The processing types based on your consent are indicated below, arranged from (A) to the (D). We will point out for each of them:

• Description of the purpose.
• Breakdown of types of data processed.
• Information on the use of profiles, if applicable.
• Other relevant information about the treatment.
• Whether they are procedures conducted under the system of co-responsibility with other companies of the CaixaBank Group.

A. Customisation of products and services based on an analysis of your data

Purpose: If you give us consent, and based on our data, we will create a commercial profile to identify your preferences and offer you, through your manager (in person or remotely), the products and services that we think may interest you the most.

This does not mean that you can only choose the products we have identified based on your profile.

Whether you accept or reject this processing, you will always be able to request any of our products or services.

By processing your data, we may provide you with personalised offers that we believe will be more relevant to you than generic offers.

If you also consent to receive commercial offers through other channels (refer to Point 6.1.B. of the Privacy Policy), you will receive such offers through the channels you choose.

Data processed: For this processing, we will not use any data that contains information revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union affiliations, genetic data, biometric data intended to identify you individually, health-related data or data related to your sexual life or orientation.

The data that we will process for this purpose are:

• Personal and contact details: full name, gender, postal contact information, telephone number and e-mail address, place of residence, nationality and date of birth, language for communications, identification document.
• Socioeconomic data and information about your professional or work activity: professional or work activity, income or remuneration, family unit, education level, assets, and fiscal and tax data.
• Contracting data: ontracted or requested products and services (own or of third parties), holder's condition, authorised or representative of the contracted product and/or service, categorisation according to regulations with regard to stock markets and financial instruments (MiFID category), information on investments made and their evolution and information and movements of financing operations.
• Basic financial data:current and historic balances of products and services and payment history regarding contracted services and products (own or of third parties).
• Third-party data from statements and receipts of current accounts and payment accounts: information on entries and transactions made on your accounts by third-party issuers, including the transaction type, issuer, amount and item appearing on receipts and statements of debit, credit and prepaid card transactions.
• Data on your status as a shareholder or non-shareholder of CaixaBank: if you own shares in CaixaBank or not.
• Data on any communication with you: data obtained from chats, walls, video conferences, telephone calls or any other equivalent means of communication.
• Personal browsing data: whether you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing through our websites or mobile applications and the browsing you carry out on such sites or applications: browsing history (websites visited and clicks on content), device ID, advertising ID, IP address and installed version of the application.
• Geographical data: data on the location of the merchants of your card transactions and geolocation data of your mobile device provided by the installation and/or use of our mobile applications when you have authorised this in the application settings.
• Data obtained from other processing operations provided for in this policy:
  • Risk assessment or scoring data: in operations involving financing or payments in instalments, we will infer your payment or non-payment capacity or the risk limits by applying statistical-mathematical models that are calculated using your data (processing defined in section 6.2.C).
  • Customer classification data. (processing defined in section 6.4.A).
• Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to customer data to deduce consumer habits, preferences or propensity to contract or classify customers.
• Demographic and socioeconomic data: statistical data not associated with specific persons but with geographical areas, age sectors or professional activity sectors, which we will use in relation to the customers' information.
• Data on properties and vehicles associated with you: data obtained from the land registry and basic data on vehicles obtained from the Spanish Traffic Directorate, which we will use to add to the information on your properties and vehicles.
• Data on directors, functional officers and corporate relationships : data extracted from INFORMA databases that we will use to supplement the information on your activity.
• Data on agricultural subsidies and insurance: data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agency for Agricultural Insurance (ENESA).
• Data from third-party companies where you have given your consent to share them with us: your personal data processed by other companies with which you have agreements and which you have authorised to share your information with us.
• Browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing on third-party websites or mobile applications and your browsing on them: browsing history (websites visited and clicks on content), device ID, advertising ID, IP address.
• Social media or internet data: social media or internet data that you have authorised us to consult.

Use of profiles: We will create a commercial profile that we will use exclusively to customise the products and services we offer you:

• Purpose of the profile: purpose of the profile: the purpose of the profile is to identify the products and services we think may interest you, based on the information we have, in order to offer you these specific contracting options instead of sending you generic commercial offers.
• Consequences: if you authorise the processing of your data, we will use commercial profiles to decide which products or services to offer you. If you do not give your authorisation, we will not use your information to customise our commercial offer.
  We will never use this profile to refuse any product or service, or to set credit limits. Refusal to accept this processing will not prevent, limit or condition your access to our full catalogue of products and services, which will always be available to you.
  If you apply for any product or service, your application will be assessed in accordance with our procedures. Acceptance or not of the analysis of your data to customise the products and services will not have an impact on the assessment.
  The non-acceptance of this data processing activity will not prevent us from contacting you to manage your products and services.
• Logic: The profile of a customer is calculated based on the data indicated in the section "Processed data".
  These data are subject to the application of mathematical formulas obtained from past behaviours observed in customers of similar characteristics, with a view to deducing the customer's future behaviour. These mathematical formulas allow us to determine the importance of all the data processed in the final result of the applicant's profile.
  This final result is the probability that the customer will be interested in a product or service.

Other relevant information: Below, you will find other relevant information on this processing:

• Preliminary check of your ability to pay: When the products or services we want to offer you involve financing or the payment of instalments, we will first verify your repayment capacity. We will do so in accordance with Point 6.2.C.
  The aim is to offer you a credit limit and payment terms that reflect our knowledge of your financial situation. This preliminary check will be carried out in accordance with the principles of accountability in the offering of financing products demanded by the Bank of Spain, and by the regulation on prudential supervision and solvency of credit institutions and of responsible lending.
  Refusal to accept this processing will not prevent, limit or condition your access to our catalogue of financing products and services. Your application will be assessed in accordance with our procedures if required.
• Validity of the processing: We will only process your data if you have given us your consent to do so. Your consent will remain valid until you revoke it. If you cancel all your products or services with us but forget to revoke your consent, we will do so automatically.
• Preparation of management reports and mathematical models: The data processed and resulting from this process will also be used to prepare management reports and mathematical models under the terms described in Point 6.4.F.

Joint data controllers: The following CaixaBank Group companies are joint data controllers of this data processing:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Facilitea Selectplace, S.A., Sociedad Unipersonal
• ImaginersGen, S.A.
• VidaCaixa, S.A.U. de Seguros y Reaseguros

You can find the main aspects of the joint data controller agreements in the following section: www.caixabank.es/empresasgrupo.

B. Communication of the product and service offering through channels

Purpose: You can choose other service channels for us to send you both our customised and non-customised offer for products and services, according to your response in Section A above.

If you give consent, we will send you information about our products and services through the channels you choose:

• Website, app and email.
• Letter.
• Telephone.

We will process and use your data according to the following:

• We will only use your identifying and contact details to send generic offers if you do not wish to receive customised offers (see Section 6.1.A).
• We will use the information in your commercial profile to send customised offers if you allow us to customise the information about the products and services we send to you (see Section 6.1.A).

Data processed: For this processing, we will not use any data that contains information revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union affiliations, genetic data, biometric data intended to identify you individually, health-related data or data related to your sexual life or orientation.

The data that we will process for this purpose are:

• Personal and contact details: full name, gender, postal contact information, telephone number and e-mail address, place of residence, language for communications.
• Data obtained from other processing operations provided for in this policy:
  • Data related to the customisation of products and services based on the analysis of your data: we will also use the information in your commercial profile to send customised offers if you allow us to customise the information about the products and services we send to you (refer to the information on processing in Point 6.1.A of the policy).

Other relevant information: Below, you will find other relevant information on this processing:

• Validity of the processing: We will only process your data if you have given us your consent to do so. Your consent will remain valid until you revoke it. If you cancel all your products or services with us but forget to revoke your consent, we will do so automatically.

Joint data controllers: The following CaixaBank Group companies shall process and be jointly liable for your data:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Facilitea Selectplace, S.A., Sociedad Unipersonal
• ImaginersGen, S.A.
• VidaCaixa, S.A.U. de Seguros y Reaseguros

You can find the main aspects of the joint data controller agreements in the following section: www.caixabank.es/empresasgrupo.

C. Disclose your details to other companies

Purpose: If you give consent, we will share your data with other companies so that they can send you commercial offers of their products and services. The data will vary according to the following:

• If you do not wish to receive customised offers and do not give consent (see Section 6.1.A), we will only share your identifying and contact details with these companies.
• If you wish to receive customised offers and give your consent (see Section 6.1.A), we will also share your commercial profile information with these companies, as well as information about your probability of default or repayment, or about the risk limits.

If you do not give consent, we will not share your information with other companies.

These third-party companies to which we might transfer your data are dedicated to the following activities:

• banking
• investment services
• insurance and reinsurance
• venture capital
• real-estate
• transportation
• sale and distribution of goods and services,
• consultancy services
• leisure
• charity

Data processed: For this processing, we will not use any data that contains information revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union affiliations, genetic data, biometric data intended to identify you individually, health-related data or data related to your sexual life or orientation.

The data that we will process for this purpose are:

• Personal and contact details: full name, gender, postal contact information, telephone number and e-mail address, place of residence, nationality and date of birth, language for communications, identification document.
• Data obtained from other processing activities provided for in the Privacy Policy:
  • Details regarding the customisation of products and services based on the analysis of your data: We will also use the information in your commercial profile to send customised offers (refer to Section 6.1.A) if you allow us to customise the information about the products and services we send to you.

Other relevant information: Below, you will find other relevant information on this processing:

• Information on the transfer: If we reach an agreement with a third-party company to transfer your data, the recipient company will inform you of this fact. In addition, this company will inform you of the data received and the details of the intended processing activities.
• Validity of the processing: We will only process your data if you have given us your consent to do so. Your consent will remain valid until you revoke it. If you cancel all your products or services with us but forget to revoke your consent, we will do so automatically.

Joint data controllers: The following CaixaBank Group companies shall process and be jointly liable for your data:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Facilitea Selectplace, S.A., Sociedad Unipersonal
• ImaginersGen, S.A.
• VidaCaixa, S.A.U. de Seguros y Reaseguros

You can find the main aspects of the joint data controller agreements in the following section: www.caixabank.es/empresasgrupo.

D. Verification of economic activity to comply with regulations on money laundering and terrorist financing prevention.

Purpose: The current law on anti-money laundering and countering the financing of terrorism requires CaixaBank to obtain certain economic information from its customers and to conduct a check of that information.

If you give us permission, we will verify the economic activity you have reported to us by consulting the General Treasury of the Social Security.

If you do not give us permission, we may periodically ask you for documentation to justify the activity you have reported.

Processed data: The data that we will process for this purpose are:

• Identification and contact data: full name and national ID card.
• Data held by the General Treasury of the Social Security: identifying and contact data of the payer, data on professional or occupational activity (CNAE, self-employed worker and/or employee, contribution group of the worker)

Other relevant information: Below, you will find other relevant information on this processing:

• Validity of the processing: We will only process your data if you have given us your consent to do so. Your consent will remain valid until you revoke it. If you cancel all your products or services with us but forget to revoke your consent, we will do so automatically.

Party responsible for the data processing: the data controller responsible for this data processing is CaixaBank.

These data processing activities are required to manage the contracts you wish to sign or those you have already signed. In addition, you may also request pre-contractual measures, for which data processing activities must also be carried out. We will do so as established in Art. 6.1.b) of the General Data Protection Regulation (GDPR).

This data processing is necessary for you to enter into and maintain your contracts with us. If you do not want us to conduct this processing, we would be required to end these relationships, or we would be unable to establish them if these have not yet taken effect.

The processing required for the management of your contracts is indicated below, listed from (A) to (D). We will point out for each of them: the purpose, the type of data processed, information on the use of profiles, other relevant information on the processing and whether or not the processing is carried out jointly with other companies in the CaixaBank Group.

A. Arrangement, maintenance and execution of the contractual relationships

Purpose: The purpose of this data processing is to formalise and maintain the contractual relationship between you and CaixaBank. This means that CaixaBank will process your data for the following purposes:

• Manage your requests and mandates.
• Carry out the necessary steps prior to your recruitment (known as “pre-contractual relations”).
• Establish measures to ensure compliance with your contracts with CaixaBank.

This data processing means that CaixaBank will only collect the information it needs to:

• Formalise the relationship with you or process your request.
• Check whether the product or service you wish to contract is suitable for you.
• Maintain and execute your contracts correctly.

The processing operations carried out in the arrangement, maintenance and performance of contractual relationships are:

• Collection and registration of the data and documents needed to contract the requested products.
• Formalising the signing of product and service contracts.
• Managing the products and services you have contracted with us. This includes responding to your operational queries, managing incidents, recording and checking accounting entries for payments and receipts for your products, and sending operational communications. Also, all necessary steps to fulfil the commitments made when contracting specific products or services. These may include loyalty programs, fee or interest discounts, and specific offers. Verify and confirm the ownership of your accounts when there are requests for direct debit and direct credit from service or supply companies with which you have or will have a commercial relationship. This prevents any damage resulting from errors in the direct debit of these collections or payments.

Types of processed data:

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Sensitive data regarding situations of vulnerability
• Biometric data
• Data on legal capacity
• Data on particular communication needs
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data on any communication with you
• Data obtained from other processing operations provided for in this policy:
• Risk assessment or scoring data (processing defined under heading 6.2.C).
• Data obtained from running statistical models
• Data on credit information systems
• Equifax RISK SCORE information
• CIRBE data:
• Data held by the General Social Security Treasury
• Data related to international sanctions
• Information obtained from sources accessible to the public, and public registers

Other relevant information:

• Automated decisions: when you request to contract a product or service, we will check whether the product is suitable for your needs, interests and objectives. We will do this taking into account the data we have indicated in the section “types of data processed” for this processing, such as your employment status, your investor profile, or your place of residence.
  Applicable regulations and internal product design policies require us to take this information into account when deciding whether or not you can contract a product or service. If, after taking your information into account, the product is not considered suitable, you will not be able to arrange it. This inability to contract the product is due to an automated decision. For example, if you are a retail client under MiFID regulations, you will not be able to contract a product that is intended for institutional professionals.
  You can request that a human review this decision by contacting CaixaBank directly at any of our branches.
• Application or tracking of commitments, discounts or preferential conditions: if you take out a product or service that requires complying with certain requirements, we will process the data needed to verify your continued eligibility. Please also note that if there are joint account holders, the other holders with whom you share accounts may indirectly know the information about your compliance with said requirements.
  For example, if you take out a product or service that gives you the right to receive a discount for belonging to a certain professional group, such as healthcare or law enforcement, we will verify throughout the term of the contract that you are still a member of that group. You should bear in mind that if you share accounts with others, they may become aware of your compliance with the requirements if they see discounts applied to the account, or that you no longer meet the requirements if the discounts are removed.

Data controller: The data controller responsible for this data processing is CaixaBank.

If you sign up for a product or service with CaixaBank but another company provides it, that company will be responsible for processing your data in relation to that contract.

For instance:

• If you take out a pension plan or VidaCaixa life insurance policy or a SegurCaixa Adeslas insurance policy with CaixaBank, these companies will be responsible for your data.
• If you contract with CaixaBank for a card issued by CaixaBank Payments & Consumer, this company will be responsible for your data.

We will specify who is responsible in the documentation for each product or service you contract.

B. MiFID classification and analysis of suitability and convenience when contracting investment products

Purpose: We use your data to classify you as a retail customer, professional customer, or eligible counterparty. This classification is established by financial market regulations to provide you with the appropriate level of protection based on your financial experience and knowledge, and to verify whether the products, investment services, and savings-investment insurance policies you wish to contract are appropriate (suitable and ideal) for you. Additionally, it allows for monitoring the suitability of the contracted product.

In order to classify you, we will collect information about your knowledge, training and experience in financial instruments. We will also monitor whether the product you have contracted is still suitable for you.

Types of processed data:

• Personal and contact details
• Information about your professional or work activity, and socioeconomic data
• Data on legal capacity
• Contracting data
• Basic financial data
• Data on any communication with you

Use of profiles:

If you request recurring advisory services and discretionary portfolio management, we will create an investment risk profile that we will use exclusively to offer you these services. We will also use it to monitor whether the product you have contracted is suitable for you.

• Purpose of the profile: To assign a level of risk aversion to the customer when making investments, based on our assessment.
• Consequences: To provide discretionary portfolio management and recurrent advisory services within the limits established by this risk profile.
• Logic: A A customer profile is calculated using the identification data and the answers to the suitability test. A simple mathematical formula is applied to this data by which the customer is assigned a level of risk aversion based on their investment objectives and financial capacity.

Other relevant information:

• Regulatory obligations: This processing is performed based on the provisions of the regulations applicable to these products and services:
  • Legislative Royal Decree 4/2015 of 23 October approving the consolidated text of the Securities Market Act (SMA), and;
  • Royal Decree-Law 3/2020, of 4 February, on urgent measures by which various directives of the European Union are incorporated into the Spanish legal system in the field of public procurement in certain sectors; private insurance; pension plans and funds; taxation and tax litigation.

Data controller: The data controller responsible for this data processing is CaixaBank.

C. Analysis of creditworthiness and repayment capacity for the granting and monitoring of credit risk

Purpose: The purpose of this data processing is to determine whether applicants or holders of products or services involving deferred payment of instalments are able to pay the agreed instalments.

Another purpose of this processing is to determine whether the holders of products or services that involve repaying money we have advanced can do so.

We will inform you of the details of this processing when you request one of the aforementioned products or services or in the corresponding contract for such product or service.

The processing activities we carry out for internal risk management and to prevent non-payment are as follows:

• Analysis of applicants' ability to pay at the time of granting the aforementioned products and services.
• Analysis of the payment capacity of the holders of the aforementioned products and services, while they are in force.

Types of processed data:>/p>

• Personal and contact details
• Information about your professional or work activity, and socioeconomic data
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data obtained from running statistical models
• Data on credit information systems
• Equifax RISK SCORE information
• CIRBE data:
• Demographic and socioeconomic data
• Data on properties and vehicles associated with the person
• Information obtained from sources accessible to the public, and public registers

Use of profiling: We will create a risk profile that we will use exclusively to determine whether you can repay the agreed instalments or the money we have given you in advance.

• Purpose of the profile: This profile is used for:
  • determine the probability of default at the time of granting you a product.
  • increase or reduce the amount granted in your current transactions.
  • calculate the provisions and capital requirements applicable to CaixaBank.
• Consequences: risk profiles help us decide whether or not to grant you the requested transaction. They also help us assess whether to increase or reduce the amount granted for your current transactions.
  When you request one of these products or services through electronic channels, this profile involves making automated decisions to either provide you with the product you are requesting or not.
  You can find full details in the section "Other relevant information".
• Logic: the information provided in the previous section "Types of data processed" will be used.
  Using this basic information, a specific value is attributed to each of these data. The sum of these values will give a score relative to the probability of default.
  The importance of each variable and its influence on the end result is calculated in advance through mathematical models and is included in our internal risk policies.

Other relevant information:

• Automated decisions: FTo analyse your ability to pay in applications made through electronic channels, we will use automated processing to verify whether or not we can grant you the financing you are requesting.
  If the above calculation results in us not granting you financing, you will not be able to contract the requested product through this channel. You can request that a human review this decision.
  You can contact CaixaBank directly through the channels listed in this policy and you can request the transaction again at any of our branches, where the analysis does not involve automated decisions.
• Regulatory obligations: these data processing activities are necessary to manage our contractual relationship. They are also necessary to comply with Law 44/2002 on Financial System Reform Measures, Law 10/2014 of 26 June on the Regulation, Supervision and Solvency of Credit Institutions, and other obligations and principles of responsible lending regulations, which apply to us as a credit institution.
• Enquiries to credit information systems: we will make the necessary enquiries to credit information systems to assess your payment capacity. We will make these enquiries based on our legitimate interest, as detailed in section 6.4.D.
• Enquiry and communication to the CIRBE: enquiries to the CIRBE necessary for creditworthiness analysis are performed pursuant to the provisions of Law 44/2002, of 22 November, on Financial System Reform Measures. The data required to identify persons with whom credit exposures are held will also be communicated, based on the same rule.
• Preparation of the management reports and mathematical models: we will use the data from this processing to produce management reports and mathematical models in accordance with section 6.4.F of this Policy

Joint data controllers: Applicable regulations require us to analyse your payment capacity together with the companies that form our consolidated group of credit institutions.

The following CaixaBank Group companies are joint data controllers of this data processing.

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• CaixaBank Equipment Finance, S.A.U.
• Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
• Banco BPI, S.A.
• Facilitea Selectplace, S.A., Sociedad Unipersonal.
• CaixaBank Wealth Management Luxembourg

You can find the main aspects of the joint data controller agreements in the following section: www.caixabank.es/empresasgrupo.

D. Non-payment and default management.

Purpose: To establish measures to address any payment defaults that occur, or may occur, in instalment payments or the repayment of money advanced.

These measures could be, among others:

• Debt management at an early stage.
• Communication of your data to external agencies for the purpose of debt recovery.
• Communication of your data to credit information systems (credit files).
• Filing lawsuits and following up on them.
• Identification and monitoring of bankruptcy proceedings.
• Review and assessment of debt refinancing measures, debt-for-assets swaps, or files related to the Code of Good Practices.
• Sale of credit portfolios.
• In-house visits.

Types of processed data:

• Personal and contact details
• Information about your professional or work activity, and socioeconomic data
• Sensitive data regarding situations of vulnerability
• Data on legal capacity
• Data on particular communication needs
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data on any communication with you
• Data obtained from running statistical models
• Data on credit information systems
• Equifax RISK SCORE information
• CIRBE data:
• Data held by the General Social Security Treasury
• Information obtained from sources accessible to the public, and public registers

Use of profiling: We will draw up an economic or solvency profile, which we will use for the analysis of specific and suitable measures to recover the debt.

• Purpose of the profile: To know the most suitable measures for managing debt recovery procedures by CaixaBank. It also serves to determine the expected debt recovery for each customer.
• Consequences: The profiles are tools that support decision-making regarding debt recovery actions. They help us to determine the most suitable measures for each customer.
• Logic: The profile will use the data indicated in the previous section. Using this basic information, a specific value is attributed to each of your data, the sum of which will give a score relating to the probability of recovery of the debt and, based on this, the most suitable measures to recover it.

Other relevant information

• Disclosure to credit information systems: this processing may entail the disclosure to credit information systems of the data on the debt or non-payment situation. This would be done on the basis of our legitimate interest, as detailed in section 6.4.D.
• Obtaining contact details: external debt collection agencies may need to collect additional contact details from you in order to recover the debt. This will be done based on our legitimate interest, as detailed in section 6.4.E.
• Preparation of management reports and mathematical models: the data processed and resulting from this process will also be used to prepare management reports and mathematical models. This will be done as detailed in section 6.4.F.

Joint data controllers: Applicable regulations require us to manage credit and liquidity risk across all companies within our consolidated group.

The following CaixaBank Group companies shall process and be jointly liable for your data:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• CaixaBank Equipment Finance, S.A.U.
• Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
• Banco BPI, S.A
• Facilitea Select Place, S.A.U.
• CaixaBank Wealth Management Luxembourg

You can find the main aspects of the joint data controller agreements in the following section: www.caixabank.es/empresasgrupo.

This data processing is necessary to comply with a legal obligation placed on us, in accordance with Article 6.1.c) in the General Data Protection Regulation (GDPR).

We need to process your data so that you can enter into and maintain your contracts with us. If you do not want us to conduct this processing, we would be required to end these relationships, or we would be unable to establish them if these have not yet taken effect.

The data processing operations to comply with regulatory obligations are indicated below from (A) to (I). We will point out for each of them: the description of the purpose, the details of the processed data, information on the use of profiles, other necessary information related to the processing and whether or not these processing tasks are carried out under a regime of shared responsibility with other companies of the CaixaBank Group.

A. Processing to comply with anti-money laundering and terrorist financing regulations

Purpose: To adopt the measures imposed on our activity by the regulations on the prevention of money laundering and terrorist financing.

We will process your data for:

• Collecting information and documentation that allows us to comply with due diligence and know-your-customer measures.
• Verifying the information that you provide us with.
• Verifying whether you hold or have held positions of public responsibility.
• Assigning you a risk level. Depending on this level, different due diligence measures will be applied to you, as indicated by the regulations on the prevention of money laundering and terrorist financing.
• Analysing the operations executed through CaixaBank.
• Verifying your relationship with companies and, if necessary, your controlling position within the ownership structure of such companies.
• Proceeding to report and update the Financial Ownership File on a monthly basis. This file is the responsibility of the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC).

Types of processed data:

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data on any communication with you
• Data obtained from other processing operations provided for in this policy:
• Risk assessment or scoring data (processing defined in section 6.2.C)
• Data obtained from running statistical models
• Data on directors, functional officers and corporate relationships:
• Data held by the General Social Security Treasury
• Information obtained from sources accessible to the public, and public registers

Use of profiling: We will create a profile exclusively for applying the measures imposed on our activity by the regulations on the prevention of money laundering and terrorist financing.

• Purpose of the profile</strong: prevent the contracting of transactions that could be subject to money laundering or terrorist financing.
• Consequences: profiles are tools that help us determine whether our customers' activities are susceptible to money laundering or terrorist financing. This allows us to decide whether or not to accept the transaction.

Joint data controllers: The following CaixaBank Group companies are joint data controllers of this data processing.

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• VidaCaixa, S.A. de Seguros y Reaseguros
• BPI Vida e Pensões – Companhia de Seguros, S.A.
• Nuevo Micro Bank, S.A.U.
• CaixaBank Asset Management SGIIC, S.A.U
• Buildingcenter, S.A.U.
• Livingcenter Activos Inmobiliarios, S.A.U.
• Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
• CaixaBank Wealth Management Luxembourg, S.A.
• CaixaBank Asset Management Luxembourg, S.A.
• BPI Gestão de Ativos, SGOIC, S.A.
• Banco BPI, S.A.
• Bankia Habitat, S.L.U.
• Puerto Triana, S.A.U.

You can find the main aspects of the joint data controller agreements in the following section: www.caixabank.es/empresasgrupo.

B. Processing to comply with the applicable tax regulations

Purpose: Adopting the measures imposed by the tax regulations applicable to our activity. We are required to identify the tax residence of the people who have ownership or control of certain financial accounts. We are also obliged to report on these accounts within the framework of mutual assistance. For this reason, CaixaBank will process your data for:

• Collecting tax-related information and documentation as required by tax regulations.
• Notifying the public administration of your tax-related information, when this is established by the regulations or required by the authorities.

Types of processed data:

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Contracting data
• Basic financial data

Joint data controllers: The following CaixaBank Group companies shall process and be jointly liable for your data:

• CaixaBank, S.A.
• VidaCaixa, S.A. de Seguros y Reaseguros
• Nuevo Micro Bank, S.A.U.
• CaixaBank Asset Management SGIIC, S.A.U

You can find the main aspects of the joint data controller agreements in the following section: www.caixabank.es/empresasgrupo.

C. Processing to comply with the obligations under international financial sanctions and countermeasures policies

Purpose: To adopt the measures imposed on our activity in programmes of international financial sanctions and countermeasures adopted by the European Union and the Kingdom of Spain.

To comply with these measures, CaixaBank will check if you are listed on any list of individuals or entities included in these sanction programs. There is no match for this segment.

Types of processed data:

• Personal and contact details
• Data related to international sanctions

Other relevant information: The international financial sanctions programmes that we will consult at CaixaBank are those adopted by:

• The Office of Financial Sanctions Implementation (OFSI) of His Majesty's Treasury (HMT) of the UK.
• The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) based on our legitimate interest, as detailed in section 6.4.H.

Joint data controllers: The following CaixaBank Group companies shall process and be jointly liable for your data:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• VidaCaixa, S.A. de Seguros y Reaseguros
• Nuevo Micro Bank, S.A.U.
• CaixaBank Asset Management SGIIC, S.A.U.
• CaixaBank Equipment Finance, S.A.U.
• Buildingcenter, S.A.U.
• Livingcenter Activos Inmobiliarios, S.A.U.
• Puerto Triana, S.A.
• Bankia Habitat, S.L.U.
• Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
• Banco BPI, S.A.
• BPI Gestão de Ativos, SGOIC, S.A.
• CaixaBank Wealth Management Luxembourg, S.A.
• CaixaBank Asset Management Luxembourg, S.A.
• OpenWealth, S.A.U.  

You can find the main aspects of the joint data controller agreements in the following section: www.caixabank.es/empresasgrupo.

D. Processing to handle complaints and claims

Purpose: To address queries and complaints directed to CaixaBank in accordance with the regulations that apply to us as a financial institution. We are referring to Law 44/2002 of November 22 and Order ECO/73/2004, which require financial institutions to have a customer service available for our clients and users.

Data protection regulations also require us to respond to any complaints you may make to our Data Protection Officer and to manage the exercise of your rights regarding your personal data.

For this reason, CaixaBank will process your data for:

• Receiving your complaints and claims at the Customer Service Department.
• Replying to you within the specified time frame.
• Addressing requests regarding your personal data and any queries you may have for CaixaBank's Data Protection Officer.
• Collaborating with regulatory authorities such as the Spanish Data Protection Agency.

Types of processed data:

• Personal and contact details
• Data on legal capacity
• Data on particular communication needs
• Sensitive data regarding situations of vulnerability
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data on any communication with you
• Browsing data
• Data on credit information systems
• CIRBE data:

Data controller: The data controller responsible for this data processing is CaixaBank.

E. Internal oversight and control

Purpose: Internally supervise our activity. This monitoring is carried out to verify compliance with regulations on corporate governance and risk management.

Types of processed data:

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Data on legal capacity
• Data on particular communication needs
• Sensitive data regarding situations of vulnerability
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Information about your CaixaBank shareholder status:
• Data on any communication with you
• Browsing data
• Geographical data
• Data obtained from other processing operations provided for in this policy
• Data obtained from running statistical models
• Data obtained from sources accessible to the public or external sources
• Third-party browsing data

Data controller: The data controller responsible for this data processing is CaixaBank.

F. Detection of transactions involving suspected market abuse

Purpose: Prevent and detect customer transactions made with insider information and any attempts to do so. Also, to prevent and detect market manipulations that are made or attempted through CaixaBank. We will also inform the CNMV of such transactions, where applicable, in accordance with the Market Abuse Regulation.

Types of processed data:

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• nformation about your CaixaBank shareholder status:
• Data on any communication with you
• Browsing data

Data controller: The data controller responsible for this data processing is CaixaBank.

G. Management of trades, requests for information and/or seizures

Purpose: Address requests for information or seizure orders concerning one of our customers. These requests are sent to CaixaBank by the competent administrations, authorities, law enforcement agencies, or courts

Types of processed data:

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Sensitive data regarding situations of vulnerability
• Data on legal capacity and on particular communication needs
• Contracting data
• Basic financial data
• Data on any communication with you.
• Data obtained from sources accessible to the public and public registers:

Data controller: The data controller responsible for this data processing is CaixaBank.

H. Regulatory financial report

Purpose: Prepare reports about CaixaBank's activity as a financial institution. These reports are addressed to the competent bodies and authorities that supervise CaixaBank's activity.

To do so, it is necessary to process personal data and send the information to various regulatory and supervisory bodies, in accordance with the specific rules established by each one. These bodies include the European Central Bank, the Bank of Spain and the National Securities Market Commission. All of this is carried out in accordance with the provisions of Law 10/2014, of 26 June, on the regulation, supervision and solvency of credit institutions.

Types of processed data:

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Data on legal capacity
• Data on particular communication needs
• Sensitive data regarding situations of vulnerability
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Information about your CaixaBank shareholder status:
• Data on any communication with you
• Browsing data
• Geographical data
• Data obtained from other processing operations provided for in this policy
• Data obtained from running statistical models
• Data obtained from sources accessible to the public or external sources
• Third-party browsing data

The data controller: The controller responsible for this data processing is CaixaBank.

I. Managing accounting

Purpose:Manage CaixaBank's accounting. To comply with this obligation, it is necessary to process certain personal data and send information to regulatory and supervisory bodies, such as the European Central Bank, the Bank of Spain, or the National Securities Market Commission, in accordance with the requirements of Law 10/2014 on credit institutions.

Types of processed data:

• Identification details
• Contracting data

Data controller:The data controller responsible for this data processing is CaixaBank.

These processing activities are carried out to achieve the legitimate interests of CaixaBank or a third party. We will do so whenever our interests do not prevail over your interests or your fundamental rights and freedoms, as established in Article 6.1.f) of the General Data Protection Regulation (GDPR).

Before carrying out the processing activities, we will performing the weighting of your rights and our legitimate interest. We will only process the data of data subjects in the cases in which our interest prevails over the data subject's rights and liberties. You can consult the analysis of the legitimate interest of data processing by sending your inquiry to delegado.proteccion.datos@caixabank.com.

Please bear in mind that you may object to the processing of your personal data on the basis of legitimate interest. If you believe that CaixaBank must consider your personal situation or stop processing your personal data, you may object to this at no cost via the channels mentioned in section 4.

We detail these processing procedures below, organised from (A) to (N). We will point out for each of them: the legitimate interest of CaixaBank, the description of the purpose, the types of processed data, where applicable, information on the use of profiles, other necessary information about the processing and whether they are procedures conducted under the system of co-responsibility with other companies of the CaixaBank Group.

(Other relevant information) whether they are procedures conducted under the system of co-responsibility with other companies of the CaixaBank Group (Co-controllers/Data Controller),

A. Classification of customers

CaixaBank's legitimate interest: Organise the company's human resources and materials for correct and efficient customer service.

Purpose: Classify customers according to the following basic information:

• The income or money they have deposited in CaixaBank.
• Their salary or other income that is paid directly into their account.
• Age.
• Address.
• The use of the products arranged.

With this classification, we can organise our human and material resources to serve you properly.

We will process your data for:

• Grouping customers into different categories according to the way CaixaBank's commercial activity is organised. That is, we will classify customers so that we can better manage and meet their needs.
• Assigning each customer a customer service centre and/or an employee of CaixaBank. This will be the person responsible for assisting you when you need help.

Data processed:

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• FEGA/SEGA data
• Demographic and socioeconomic data: Statistical data associated with geographical areas, age sectors or professional activity sectors, not with particular individuals.

Other relevant information:

• Right to objection to processing: If you believe that CaixaBank must consider your personal situation or stop processing your personal data, you may object to this at no cost via the channels mentioned in section 4.

Party responsible for the data processing: The data controller responsible for this data processing is CaixaBank.

B. Management of the performance of employees, agents and suppliers

Legitimate interest of CaixaBank: Managing relationships with employees and agents based on their professional performance. We will also manage the relationship with suppliers to ensure that they are doing their job properly.

Purpose: Monitor the professional performance, challenges and objectives of employees and agents. To this end, the transactions and contracts that they maintain with customers are analysed. We also monitor the activity of our suppliers.

Types of processed data:

• Personal and contact details
• Contracting data
• Basic financial data

Other relevant information:

• Right to objection to processing: If you believe that CaixaBank should stop using your data for any personal reason, you can request this free of charge and easily through the channels mentioned in section 4.
• Ancillary use of customer data: This data processing deals with customer information, but only in a manner that supports the intended purpose. This does not affect or have any consequences for the customer.

Data controller: The data controller responsible for this data processing is CaixaBank.

C. Fraud prevention

Legitimate interest: Prevent fraud involving financial or reputational losses to CaixaBank or its customers.

Purpose: TAdopt the necessary steps to avoid malicious transactions or behaviour before they are committed. It also aims to reverse any effects that may arise by identifying transactions or conduct suspected of fraud against CaixaBank or its customers.

We will process your data to:

• Verify the identity of customers to prevent fraudulent access to information or transactions.
• Review and analyse the contracting and transactions that are carried out in our systems to protect our customers from fraud on any channel and prevent cyberattacks.
• Verify your identity and the validity of the identification documents you provide us with. We will confirm that the document you provided is yours. We will do so by comparing it with national and international databases from law enforcement agencies. Also with similar organisations, such as INTERPOL (International Criminal Police Organization). We do this to protect you from identity theft, for example, where someone might impersonate you.
• Consult the information included in the PAYGUARD Fraud Prevention Service to detect fraudulent accounts, and, if applicable, report your fraudulent transactions.

Types of processed data:

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data on any communication with you
• Browsing data
• Geographical data
• Data obtained from other processing operations provided for in this policy:
  • Risk assessment or scoring data (processing defined under heading 6.2.C).
• Data obtained from running statistical models

Use of profiling: We will create a profile based on your usual transactions and activities. We will use this profile to spot unusual situations that may point to attempted fraud

• Purpose of the profile: the profile used aims to identify activities that are unusual or outside your behavioural profile. These may be attempts at fraud or fraudulent access to information.
• Consequences: profiles help us to identify fraudulent transactions. Its use involves applying measures ranging from detailed review of the transaction to blocking or denying it.

Other relevant information:Below, you will find other relevant information on this processing:

• Automated decisions: to prevent fraud, we will carry out automated decision-making processes. This allows us to detect potential fraudulent transactions. For transactions that cannot be reversed once made, such as immediate payments or transfers, the automated decision may prevent you from carrying out the transaction if it detects that it may be fraudulent. Therefore, you will not be able to carry out that transaction. You can request the transaction again at any of our branches, where the analysis does not involve automated decisions.
• Right to objection to processing: if you believe that CaixaBank should stop using your data for any personal reason, you can request this free of charge and easily through the channels mentioned in section 4.
• PAYGUARD Fraud Prevention Service: CaixaBank is a member of the PAYGUARD Fraud Prevention Service, which includes the country's leading financial institutions and is managed by Sociedad Española de Sistemas de Pago, S.A. (Iberpay).
  The service aims to minimise the levels of fraud related to movements between accounts by detecting, investigating, monitoring and reporting, where applicable, suspicious and fraudulent transactions involving customers' current or savings accounts. The legal basis for the processing is the legitimate interest in preventing fraud that could affect these transactions.
  CaixaBank may include data related to the IBAN number and identifying details of the holder of the account where the suspicious or fraudulent transaction has been detected in the PAYGUARD Fraud Prevention Service. You may view the updated list of the participating companies at the following link https://www.iberpay.es/es/servicios/servicios/prevenci%C3%B3n-del-fraude/
  The data will be kept for a maximum of thirty days for suspicious transactions and one year for confirmed fraudulent transactions.
  The institutions participating in the PAYGUARD Fraud Prevention Service are jointly responsible for your data. You may request the main aspects of the joint liability agreement by sending an email to www.caixabank.com/delegadoprotecciondedatos and also exercise your rights regarding the processing of your data over any of the channels indicated in section 4. Exercising rights and filing complaints through the Spanish Data Protection Agency (AEPD).
• FrauDfense Fraud Prevention Service: CaixaBank is a member of the FRAUDFENSE Fraud Prevention Service, which includes some of the country's leading financial institutions and is managed by FrauDfense, S.A.
  This service aims to minimise the levels of fraud related to customers' transactions, by detecting, investigating, monitoring and reporting, where applicable, suspicious and fraudulent transactions involving customers' current or savings accounts in their digital banking transactions. The legal basis for the processing is CaixaBank's legitimate interest in preventing fraud in their transactions.
  CaixaBank may include data related to the IBAN number, data related to the fraudulent transaction identified, details of the device from which the fraudulent transaction was made and identification data of the holder or the account where the suspicious or fraudulent transaction has been detected in the FrauDfense Fraud Prevention Service. You may view the updated list of participating FRAUDFENSE institutions at: https://916087356-1.servicio-online.net/sobre-nosotros1/nuestros-partners.
  The details will be kept in the FrauDfense Fraud Prevention Service for a maximum of 12 months in the case of confirmed fraudulent transactions and may then be kept blocked until the applicable statute of limitation period elapses.
  The institutions participating in the FrauDfense Fraud Prevention Service are jointly responsible for processing your data. You may request the main aspects of the joint liability agreement by sending an email to www.caixabank.com/delegadoprotecciondedatos or protecciondedatos@frauDfense.com.
  You may also exercise your rights regarding the processing of your data via any of the channels indicated in section 4 Exercising Your Rights and Lodging Claims with the Spanish Data Protection Agency (AEPD), and by emailing protecciondedatos@frauDfense.com.

Joint data controllers: The following companies shall process and be jointly liable for your data:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Nuevo Micro Bank, S.A.U.
• Global Payments Moneytopay, EDE, S.L.
• CaixaBank Equipment Finance, S.A.U.

You can find the main aspects of the joint data controller agreements in the following section: www.caixabank.es/empresasgrupo.

D. Enquiry and communication with credit reporting systems within the framework of the request and subsequent management of products involving financing

CaixaBank's legitimate interest: Avoid non-payments and defaults by applicants or holders of products involving financing.

Purpose:

• Determine whether applicants or holders of products or services involving deferred payment of instalments are able to pay the agreed instalments.
• Determine whether the holders of products or services that involve repaying money we have advanced can do so.
• Monitor and manage current transactions.
• Prevent and manage non-payments.

We will process your data to:

• Consult your information: Before granting you a transaction involving financing, and subsequently to monitor and manage risk, we will consult the following credit information systems (financial solvency and credit files): Asnef File and Badexcug File.
• Share your personal data: If you stop paying some money obligations that you have with us, will be able to communicate details of the non-payment to the same credit information systems. We will always do so in compliance with current regulations.

Types of processed data:

• Personal and contact details
• Contracting data
• Basic financial data
• Data on credit information systems

Other relevant information:

• Right to objection to processing: if you believe that CaixaBank should stop using your data for any personal reason, you can request this free of charge and easily through the channels mentioned in section 4

Data controller: CaixaBank is the controller for the part of the processing relating to querying credit information systems. CaixaBank and the solvency files Asnef and Badexcug are the joint controllers of the part of the processing relating to communication to credit information systems. We will provide you with the necessary information on how to contact these databases:

• Asnef file: Asnef Equifax Servicios de Información sobre Solvencia y Crédito. Apartado de Correos 10546, 28080 Madrid (sac@equifax.es)
• Badexcug file: Apartado de Correos 1188, 28108 Alcobendas (badexcug@experian.com)

E. Acquiring additional contact data for managing non-payment situations

CaixaBank's legitimate interest: Debt recovery in situations of non-payment. To do so, it is necessary to have up-to-date customer contact details.

Purpose: Collect additional contact information from customers in order to contact them in the event of a breach of their contractual obligations.

Additional contact details are obtained from public lists such as white pages, yellow pages and Lleida.net. They are also obtained from private lists such as Equifax, detectives or debt collection agencies. We will always do this in compliance with applicable regulations.

Types of processed data:

• Personal and contact details
• Information obtained from sources accessible to the public, and public registers

Other relevant information:

• Right to objection to processing: if you believe that CaixaBank should stop using your data for any personal reason, you can request this free of charge and easily through the channels mentioned in section 4

Data controller: The data controller responsible for this data processing is CaixaBank.

F. Preparation of mathematical models

Legitimate interest: Organise and improve our business activity as efficiently as possible. To achieve this, we need to create mathematical algorithms that help us analyse information in an advanced way.

Purpose: Create and maintain statistical and mathematical algorithms and models. These can be used to perform complex calculations and analyses that enable us to apply the processing described in this policy.

Types of data: The data that has already been identified in each process is used. Whenever possible, we apply techniques so that the data cannot be associated with a person (anonymisation or pseudonymisation). This ensures that the rights of data subjects are not affected and that the result is mathematical formulas or algorithms.

Other relevant information:

• Right to objection to processing: if you believe that CaixaBank should stop using your data for any personal reason, you can request this free of charge and easily through the channels indicated in section 4.
• Ancillary data processing: the objective is not to process customer data individually. It is a necessary but secondary process for creating mathematical formulas. For this reason, anonymisation techniques are used and the information is minimised. These data processing activities have no individual consequences for customers.

Data controller: When mathematical models are based on processing carried out by CaixaBank under this policy, the data controller will be CaixaBank. If carried out under joint responsibility, the same regime as the original processing will apply. You can consult the details of the jointly responsible companies and the agreements at www.caixabank.es/empresasgrupo.

G. Preparation of management reports

Legitimate Interest: Organise and improve our business activity as efficiently as possible. To do this, we need reports on the company's management and on the market.

Purpose: Prepare reports on the company's activity, its relationship with the market, the composition and evolution of its customer base, and the effectiveness of its products and services. These reports assist us in our internal analysis, planning, and decision-making processes. They are not used to make commercial offers to our customers.

Types of processed data: The data that has already been identified in each process is used. Whenever possible, we apply techniques so that the data cannot be associated with a person (anonymisation or pseudonymisation). These reports contain statistical or aggregated information, except when it is necessary to maintain traceability for proper internal management.

Other important information:

• Right to objection to processing: if you believe that CaixaBank should stop using your data for any personal reason, you can request this free of charge and easily through the channels mentioned in section 4.
• Ancillary data processing: the objective is not to process customer data individually. It is a necessary but secondary process for creating aggregate reports. For this reason, anonymisation techniques are used and the information is minimised. These data processing activities have no individual consequences for customers.

Data controller:When the reports are based on processing carried out by CaixaBank, the data controller will be CaixaBank. If carried out under joint responsibility, the same regime as the original processing will apply. You can consult the details of the jointly responsible companies and the agreements at www.caixabank.es/empresasgrupo.

H. Commercial communications based on a basic commercial profile

We will only process your data if:

• You have not informed us of your preferences regarding the commercial processing described in sections 6.1 A, 6.1 B and 6.1.C.
• You have not objected to the processing.

CaixaBank's legitimate interest: Promote the marketing of the products and services in our portfolio and build customer loyalty.

Purpose: Provide you with commercial communications about products and services similar to those you have contracted with us. We will do this based on a basic commercial profile that we will create using your data.

Types of data processed:

• Personal and contact details: full name, gender, postal contact information, telephone number and e-mail address, place of residence, nationality and date of birth, language for communications, identification document.
• Socioeconomic data and information about your professional or work activity: professional or work activity, income or remuneration, family unit, education level, assets, and fiscal and tax data.
• Contracting data: contracted or requested products and services, status of the holder, authorised parties or representative for the contracted product and service, categorisation according to the regulation on stock markets and financial instruments (MiFID category), information on investments made and their evolution, and information and movements of finance transactions
• Basic financial data: current and historic balances of products and services and payment history regarding contracted services and products.
• Details of your shareholder status, or not, of CaixaBank: if you hold CaixaBank shares, or not.
• Details of the communications we have held with you: data obtained from chats, walls, video conferences, telephone calls or any other equivalent means of communication.
• Own browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, the data obtained from your browsing on our websites or mobile applications and your browsing on them: browsing history (websites visited and clicks on content), device ID, advertising ID, IP address and installed version of the application.
• Geographical data: the geolocation data of your mobile device provided through the installation and/or use of our mobile applications, when so authorised in the set-up of the application itself.
• Data obtained from other processing operations provided for in this policy:
  • Risk assessment or scoring data:in operations involving financing or payments in instalments, we will infer your payment or non-payment capacity or the risk limits by applying statistical-mathematical models that are calculated using your data (processing defined in section 6.2.C).
  • Customer classification data. (processing defined in section 6.4.A).
• Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to customer data to deduce consumer habits, preferences or propensity to contract or classify customers.
• Demographic and socioeconomic data: statistical data not associated with specific persons but with geographical areas, age sectors or professional activity sectors, which we will use in relation to the customers' information.

Use of profiling: We will generate a basic commercial profile using only the data mentioned above:

• Purpose of the profile: we will deduce the products and services that we believe may interest you. We will offer you these products instead of generic commercial offers.
• Consequences: we will provide you with customized offers on the products and services marketed by CaixaBank.
  We will only create the profile with the details provided in this section. We will never use this profile to refuse any product or service, or to set credit limits.
  Objecting to this data processing does not prevent, limit or condition your access to our complete catalogue of products and services, which is always available to you.
  If you apply for any product or service, your application will be assessed in accordance with our procedures. Objecting to this data processing will not affect this assessment.
  Objecting this data processing will not prevent us from contacting you to manage your products and services.
• Logic: this basic commercial profile is calculated based on the data specified in the "Types of Data Processed" section. We will only use data from the last thirteen months.
  These data are applied to mathematical formulas obtained from past behaviours observed in customers of similar characteristics. This allows us to deduce the customer's propensity to consume. These mathematical formulas allow us to determine the importance of all the data processed in the final result of the customer's profile. This final result is the probability that the customer will be interested in a product or service.

Other relevant information:

• Right to objection to processing: you can object to this processing easily and free of charge by clicking on the following link www.caixabank.es/ile or by calling 93 102 82 89.
  You may also object through the channels indicated in section 4.
  Please note that if you object to the processing of your data, we will cease to do so without you having to give us a reason.
• Prior verification of your repayment capacity: when the products or services we want to offer you involve financing or the payment of instalments, we will first verify your repayment capacity. We will do so in accordance with Point 6.2.C
  The aim is to offer you a credit limit and payment terms that reflect our knowledge of your financial situation. This preliminary check will be carried out in accordance with the principles of accountability in the offering of financing products demanded by the Bank of Spain, and by the regulation on prudential supervision and solvency of credit institutions and of responsible lending.
• Validity of the processing: we will stop carrying out this processing, with no other additional requirement, in any of these two circumstances:
  • When we contact you to request your consent to the commercial processing by the CaixaBank Group companies described in sections 6.1, regardless of whether you authorise them or not.
  • If you object to the processing.

Data controller: The data controller responsible for this data processing is CaixaBank.

I. International financial sanctions and countermeasure policies of OFSI and OFAC

Legitimate interest: TCaixaBank and the jointly responsible companies mentioned in this section need to process your data in order to comply with international regulations on sanctions and financial measures in the United States and the United Kingdom. This is necessary in order to operate and do business in those countries.

Purpose: Comply with the sanctions and financial controls required by the authorities in the United Kingdom and the United States.

To comply with these regulations, jointly responsible companies will check whether your name appears on lists of persons or entities subject to restrictions in the United States and the United Kingdom.

Types of processed data:

• Personal and contact details
• Data related to international sanctions

Other relevant information:

• Right to objection to processing: if you believe that CaixaBank must consider your personal situation or stop processing your personal data, you may object to this at no cost via the channels mentioned in section 4.

Joint data controllers: The following CaixaBank Group companies shall process and be jointly liable for your data:

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• VidaCaixa, S.A. de Seguros y Reaseguros
• Nuevo Micro Bank, S.A.U.
• CaixaBank Asset Management SGIIC, S.A.U.
• CaixaBank Equipment Finance, S.A.U.
• Buildingcenter, S.A.U.
• Livingcenter Activos Inmobiliarios, S.A.U.
• Puerto Triana, S.A.
• Bankia Habitat, S.L.U.
• Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
• Banco BPI, S.A.
• BPI Gestão de Ativos, SGOIC, S.A.
• CaixaBank Wealth Management Luxembourg, S.A.
• CaixaBank Asset Management Luxembourg, S.A
• OpenWealth, S.A.U.  

You can find the main aspects of the joint data controller agreements in the following section: www.caixabank.es/empresasgrupo.

J. Improved efficiency of internal processes

CaixaBank's Legitimate Interest:Managing processes efficiently in order to optimise them to the maximum. This enables us to achieve a higher level of service quality and improve business continuity.

Purpose: Reviewing internal processes. Volumes, process times and customer interactions with our systems are analysed and identified. This provides aggregate information that helps to improve these internal processes and the customer experience.

Types of data processed:

• Identification and contact
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data on any communication with you
• Browsing data
• Data obtained from other processing operations
• Data obtained from running statistical models
• Data obtained from sources accessible to the public or external sources
• Third-party browsing data

Other relevant information:

• Right to objection to processing: if you believe that CaixaBank should stop using your data for any personal reason, you can request this free of charge and easily through the channels mentioned in section 4.

Data controller: The controller responsible for this data processing is CaixaBank.

K. Customer surveys

Legitimate interest of CaixaBank: Assessing the level of customer satisfaction. This enables you to improve the services and products you offer your customers, guaranteeing them an appropriate experience that meets their expectations.

Purpose: Conduct customer surveys to gauge their satisfaction with our services and improve internal processes where necessary.

Types of data processed

• Identification and contact details.
• Contracting data
• Browsing data
• Data obtained from other processing operations provided for in this policy:
  • Customer classification data (processing defined in heading 6.4.A).

Other relevant information

• Right to objection to processing: you may object through the channels indicated in section 4. Please note that if you object to the processing of your data, we will cease to do so without you having to give us a reason.
• Validity of the processing: we will stop carrying out this processing, with no other additional requirement, if you exercise your right to object.

Data controller: The data controller responsible for this data processing is CaixaBank. This processing is not carried out as a joint controller.

L. Determination of social measures on foreclosed assets

Legitimate interest: Detecting and reducing the risk that our activity may have on our reputation in relation to the properties we acquire. We do so in accordance with the EBA Guidelines on Risk Management and Internal Governance and the Bank of Spain Guidelines. In addition, we will ensure that we correctly apply the Code of Good Practice.

Purpose: The purpose of this processing is to determine whether there are exceptional circumstances of residential vulnerability. And, if they exist, see if they justify applying the appropriate and available social measures for the proper management of risks and social action, and for the proper management of the property.

Types of processed data: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Sensitive data regarding situations of vulnerability
• Data on legal capacity and on particular communication needs
• Contracting data
• Basic financial data
• Details of communications with the data subject
• Health details

Other relevant information

• Right to objection to processing: if you believe that CaixaBank must consider your personal situation or stop processing your personal data, you may object to this at no cost via the channels mentioned in section 4.

Joint data controllers: For this processing, CaixaBank will manage your data jointly with the CaixaBank Group company listed below that owns the property:

• BuildingCenter, S.A.U.
• Living Center Activos Inmobiliarios, S.A.U.
• Bankia Habitat, S.L.U.

You will find the key aspects of the joint processing agreements (joint responsibility) at: www.caixabank.es/empresasgrupo.

M. Defence of the rights and interests of CaixaBank by judicial or administrative means

CaixaBank's legitimate interest: Defence of the rights and interests of CaixaBank by judicial or administrative means. CaixaBank invokes its right to effective judicial protection.

Purpose: Manage administrative or legal proceedings in which CaixaBank is the claimant or defendant.

Types of processed data: The types of data that we will process for this purpose are as follows:

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Sensitive data regarding situations of vulnerability
• Data on legal capacity and on particular communication needs
• Contracting data
• Basic financial data
• Details of communications with the data subject
• Data obtained from sources accessible to the public and public registers:

Other relevant information:

• Right to objection to processing: if there is a particular situation or other reasons that justify us ceasing to process your data, you can request this easily and free of charge through the channels indicated in section 4.

Data controller:The data controller responsible for this data processing is CaixaBank.

N. Compilation of statistical information

Legitimate Interest: Create a set of statistical information about their business processes. This is considered a legitimate interest because it helps them improve and analyse their activity.

Purpose: The objective is to combine certain personal data to generate fully anonymised and aggregated information. This provides an overview of business processes without identifying any individuals.

Types of data processed

• Personal and contact details
• Data on your professional or employment activity and socio-economic information
• Contracting data
• Basic financial data
• Third-party data observed on demand and payment account statements and receipts
• Data of your status as a shareholder or non-shareholder of CaixaBank
• Browsing data
• Geographical data
• Data obtained from other processing operations

Other relevant information:

• Right to objection to processing: if there is a particular situation or other reasons that justify us ceasing to process your data, you can request this easily and free of charge through the channels indicated in section 4.
• Ancillary data processing: the processing of personal data is limited to the operations necessary for the creation of statistical information and is carried out using aggregation techniques until the data is fully anonymised.

Joint data controllers: The following companies shall process and be jointly liable for your data

• CaixaBank, S.A.
• CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
• Global Payments Moneytopay, EDE, S.L.
• Comercia Global Payments Entidad de Pago, S.L.

You will find the key aspects of the joint data processing liability agreements at: www.caixabank.es/empresasgrupo.