Privacy Policy.

Within the scope of its activity, Caixa Económica Montepio Geral – Caixa Económica Bancária, S.A., hereinafter referred to as Banco Montepio, understands that the processing of your personal data requires your trust. To this end, we have developed a privacy policy subject to the highest standards of security and privacy, ensuring that personal data will be processed in accordance with their intended purposes and your rights as enshrined by law. This policy is guided by the legal principles in force regarding privacy and personal data protection, namely the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council – General Data Protection Regulation (GDPR) – Law no. 58/2019 of August 8, which ensures the implementation, in the national legal system, of Regulation (EU) 2016/679, and other applicable legislation concerning privacy and data protection, including national legislation that complements the GDPR.

Accordingly, Banco Montepio is committed to respecting best practices in the field of security and personal data protection, and has in place measures designed to protect the data provided by all those who interact in any way with Banco Montepio.

Banco Montepio is the controller of the personal data of its clients and/or potential clients, and can be contacted at:

CAIXA ECONÓMICA MONTEPIO GERAL

caixa económica bancária, S.A.

Rua Castilho, n.º 5, 1250-066 Lisboa

BBanco Montepio also has a Data Protection Officer (DPO), who (i) monitors the compliance of data processing with applicable standards, (ii) serves as a point of contact for clients regarding questions about how Banco Montepio processes their data, (iii) cooperates with the supervisory authority, (iv) provides information and advises the data controller or processor on their obligations regarding privacy and data protection.

You may contact the Data Protection Officer (DPO) by email at: DPO@bancomontepio.pt.

Personal data means any information, of any nature and regardless of the medium, relating to an identified or identifiable natural person (an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more elements specific to their physical, physiological, psychological, economic, cultural, or social identity).

To establish and maintain a contractual relationship with Banco Montepio, the client or potential client must provide the personal data necessary to fulfill legally required obligations, pre-contractual, and contractual duties.

Without obtaining and collecting the legally required personal data, it will not be possible to enter into or maintain contracts, execute orders, maintain the existing business relationship, or follow up on your requests.

Banco Montepio processes the personal data provided in the context of its relationship with the data subject, client, or potential client, or in the process of granting, contracting, controlling, and/or following up on a specific product/service, including, as applicable, namely:

• Identification, family, and contact data: such as name, address or other contact details (phone and email), signature, place of birth, gender, nationality, marital status, number of children, and, where applicable, legal representative;

• Professional status and activity: such as type of work, sector, employed/self-employed;

• Type and information about housing (owned/rented) and financial situation (assets, debts, solvency, income from employment or self-employment, business activity, expenses, among others), expected changes in financial situation (such as retirement age), specific financial or investment goals;

• Information related to knowledge and experience in investment products (classification and profile as per the applicable regime for financial intermediation and trading of financial instruments, MiFID II), investment relation or strategy (scope, frequency, risk profile);

• Information on risk of non-compliance and credit, considering data available in common credit information systems, the Central Credit Register of the Bank of Portugal, or sources of economic information;

• Tax information (namely, domicile and classification of the holder subject to tax rules, such as FATCA and CRS);

• Information necessary to fulfill diligence duties and other obligations under Anti-Money Laundering and Counter-Terrorism Financing rules, such as source of funds, identification of politically exposed persons, beneficial owner, as well as any other information relevant to assess a situation, operation, or ownership and the associated risk in this regard;

• Identification and authentication data in Banco Montepio's systems, namely, access keys and coordinates, digital signature, and, if applicable and duly consented to, biometric data;

• Commercial data, data derived from the proposal or contracting of products and services, transactions and movements, propensity for new contracts, cookies, and analysis of visits and use of Banco Montepio's remote channels, products and services consulted, among others;

• Information derived from recording and logging telephone conversations or communications by any means with Banco Montepio, as required by law (including those under the financial markets directive – MiFID II and related legislation), whenever the channel and means used are subject to this measure;

• Other data found in documentation provided or obtained as a result of the relationship with Banco Montepio, such as Citizen Card or other relevant identification documents, passport, notarized deeds, both in physical and digital format and, in general, any documentation and information from contacts maintained with the client through different means, including marketing campaigns.

Data processing is any operation or set of operations performed on personal data by manual or automated means, including collection, storage, use, copying, and transfer, among others.

In the course of its activities, Banco Montepio collects and processes personal data, namely those necessary for providing services and carrying out its business, as well as data it receives within the scope of its business relationship with clients or potential clients, and in compliance with applicable legal and regulatory obligations.

The processing of personal data provided by other companies of the Banco Montepio Group or by third parties is also carried out whenever relevant (for example, for the provision of services, fulfillment of contracts or obligations binding on Banco Montepio, or based on the explicit consent of the client or potential client).

Banco Montepio also processes personal data collected on its websites and mobile applications (Apps), hereinafter referred to as Channels, through which clients or potential clients have remote access to the financial services and products that Banco Montepio provides and/or markets through them, including access, consultations, instructions, transactions, and other records relating to their use.

The use of Banco Montepio’s Channels implies the collection of the IP address of the client’s or potential client’s computer used for access, as well as the collection of information relating to the client's or potential client’s Internet service provider, the type of Internet browser, or the operating system used.

The use of each of the Channels involves the collection and processing of personal data of clients or potential clients, whose privacy and security Banco Montepio, as the entity responsible for their processing, ensures under this Privacy Policy.

Banco Montepio also processes personal data obtained from publicly accessible information sources (namely lists of debtors, public list of executions, land registers, commercial and corporate registers, press, media, and the Internet) and from authorities and public bodies (such as the Central Credit Register of the Bank of Portugal), whenever there is legal legitimacy to do so.

The processing of data collected by Banco Montepio is carried out lawfully, fairly, and transparently, for specific purposes, namely the provision of services made available by Banco Montepio and contracted by clients or potential clients, tailoring services and products to their needs and interests, or managing the contractual relationship.

The collected data can also be processed for statistical purposes and for promotion or marketing actions, namely to promote new financial products and services via email, SMS, MMS, or any other electronic communication service.

The processing of personal data by Banco Montepio will always be based on one or more of the following legal grounds:

• Consent of the data subject (Article 6(1)(a) GDPR) – Whenever prior, express consent is given through unambiguous, informed, free, and specific action, such as:

            - Proof of information or instructions from clients communicated by telephone, with recording of calls/video calls (e.g., proof of identity or transmission of orders regarding financial instruments);

            - Monitoring service quality, recording calls to assess service quality;

            - Market studies, with the collection and analysis of personal data.

Processing will be carried out strictly as consented.

• Execution and/or management of the contract or other pre-contractual steps (Article 6(1)(b) GDPR), including, namely, the processing of personal data for maintaining the contractual relationship with the client or potential client and to allow operations and provision of banking or financial services, including entering into, executing, and managing contracts and handling requests (including contact requests, complaints in which personal data is transmitted), as well as all actions necessary for operating and managing a financial institution.

• Compliance with a legal obligation (Article 6(1)(c) GDPR) – As a financial institution, Banco Montepio is subject to various legal obligations (such as the General Regime of Credit Institutions and Financial Companies, anti-money laundering and counter-terrorism financing legislation, personal data protection legislation), accounting and financial reporting, as well as provisions relating to the supervision of banking activity (for example, by the European Central Bank, the European Banking Authority, the Bank of Portugal, and the Securities Market Commission).

• The purposes of data processing in this context may include, among others:

            - Assessment of creditworthiness and credit reliability, verification of identity and age, knowledge and experience, as well as investment objectives of a client or potential client;

            - Prevention, management, and response to fraud, money laundering or offenses, fulfillment of monitoring and tax information obligations, as well as analysis and risk management, especially for remote operations (such as online banking and debit or credit card transactions);

            - Video surveillance for security purposes.

• Legitimate interest (Article 6(1)(f) GDPR) – When there is a processing of personal data to safeguard the legitimate interests of Banco Montepio or third parties. Banco Montepio’s legitimate interest, as data controller, includes, in particular:

            - Direct marketing, information provision, and advertising actions via in-person or remote channels, aimed at informing and promoting Banco Montepio’s offerings to clients, which may result from profiling or analysis of client operations;

            - Client segmentation to tailor Banco Montepio’s product and service offerings to each client’s characteristics;

            - Profiling, with Banco Montepio characterizing clients in terms of the use of products and services, using statistical analysis models;

            - Consultation and collection of data from credit information systems to determine creditworthiness and default risks in granting credit;

            - Assessment of service quality satisfaction, preparation of questionnaires to evaluate acceptance of Banco Montepio’s products and services among clients;

            - Collection and analysis of data and provision of information to third parties in the context of credit assignment or securitization operations;

            - Exercise of legal rights and defense in case of legal disputes;

            - Provisions relating to the maintenance of security, network, infrastructure, and IT systems (including access controls) as well as IT management;

            - Data sharing with Montepio Group companies(1), ensuring data confidentiality, compliance with the privacy policy implemented in accordance with applicable legal requirements, and always compatible with the purposes of processing and as contractually defined;

            - Collection, classification, and storage of physical documents containing personal data in the document archive, which are mandatory evidence in the context of Banco Montepio’s activity.

Banco Montepio profiles data subjects by legal requirement and within the applicable regulatory framework for banking and financial activities, including obligations in the prevention of money laundering, counter-terrorism financing, and fraud. In the course of assessing creditworthiness, a scoring system is used (calculating the probability of the data subject fulfilling their payment obligations according to the contract, income level, expenses, outstanding debts, professional and family situation, information from information systems, and credit risk analysis, among others). The result is one of the factors in the ongoing risk assessment. Profiling in these contexts occurs as part of fulfilling or executing the contract with the client or as required by law.

Additionally, we may also create profiles to inform and actively advise you about our products and services, using assessment tools, which include market and opinion studies, as well as your consumption habits and preferences. This allows for targeted communication and advertising. Banco Montepio applies all appropriate measures to safeguard your rights and freedoms in this context. Accordingly, you may at any time exercise your rights and (i) request clarification regarding the terms and criteria under which the profile is created; (ii) contest decisions made based on automated decisions; (iii) request human (non-automated) intervention. In the case of client profiling exclusively for commercial purposes, you may object to such profiling by contacting the Data Protection Officer at the contact provided above.

Banco Montepio is the recipient of personal data, and its employees may access data strictly as necessary to fulfill Banco Montepio's contractual, pre-contractual, or legal obligations.

Personal data may also be made available to:

i. Entities of the Montepio Group and contractual partners, for sending information about products and services, as well as non-commercial informational content, if you have given specific consent for this purpose, or in the context of anti-money laundering, counter-terrorism financing, and fraud prevention, or for group-level administrative and financial management, non-fulfillment of monetary obligations, asset and credit solvency;

ii. Suppliers (namely, document management and archiving service providers) and other subcontractors who, under the GDPR, may access data for specific purposes subject to data protection safeguards, which may be based within or outside the European Union, ensuring that subcontractors with access to personal data also comply with current data protection legislation and with banking secrecy;

iii. Competent authorities to fulfill legal obligations (such as the Bank of Portugal, European Banking Authority, European Central Bank, Securities Market Commission, and tax authorities);

iv. Other credit institutions and financial service providers for executing the contractual relationship or providing complementary and/or derivative benefits from contracted products or services, such as discounts, insurance, or other situations, according to information provided to the data subject in due course, namely, insurance companies for insurance contracts, Montepio Geral Associação Mutualista for mutualist product subscriptions, pension plan or investment fund managers in case of contracting such products; and

v. Financial entities associated with the banking information exchange system (SWIFT) and entities in the same sector or with the same legal obligation regarding fraud prevention and money laundering, or for the acquisition or sale of businesses or assets, to potential acquirers of such businesses or assets.

The transfer of personal data to a third country outside the European Union occurs when necessary for the execution of the data subject's orders or requests (such as payment or investment orders), by legal requirement or with the express authorization of the data subject. In these circumstances, Banco Montepio ensures that all appropriate technical and organizational measures are adopted so that services provided by subcontracted entities with access to data are reputable and offer the highest guarantees, subject to compliance with applicable privacy and data protection legislation, including national and European law, by entering into an agreement with the European Union’s standard contractual clauses to meet the data protection level applicable in the European Union.

Banco Montepio will process and retain your personal data for the period during which you maintain a contractual relationship with us, processing and storing your personal data as necessary to comply with applicable contractual and legal provisions.

Banco Montepio processes and retains your personal data in accordance with the purposes for which they are processed. In some cases, the law requires the processing and retention of certain data after the end of the contractual relationship for a minimum period, namely for 10 years, data required for reporting to the Tax Authority, for accounting or tax purposes, or for business record-keeping, as well as for a period of 7 years for anti-money laundering and counter-terrorism financing purposes.

The retention period may also be linked to statutory limitation periods, which in many cases may extend up to 20 years.

Clients or potential clients, as personal data subjects, may exercise the following rights:

• Right of Access: the right to obtain information about which of your personal data are processed, for what purposes, retention periods, among others;

• Right to Rectification: the right to request the rectification of inaccurate personal data or the completion of incomplete personal data, such as address, Tax Identification Number, email, phone contacts, or others;

• Right to Erasure (“Right to be Forgotten”): the right to have your personal data erased, provided there are no valid grounds for their retention, such as when Banco Montepio is required to retain data to fulfill a legal obligation or because a legal proceeding is ongoing;

• Right to Portability: the right to receive the data you have provided to us in a commonly used, machine-readable digital format;

• Right to Restriction: the right to request the restriction of the processing of your personal data, in the form of: (i) suspension of processing, or (ii) limitation of the scope of processing to certain categories of data or processing purposes;

• Right to Withdraw Consent: the right to withdraw your consent, at any time, for personal data processing;

• Right to Object: the right to object to processing based on legitimate interest, provided there are no compelling or legitimate reasons that override your interests, rights, and freedoms, or for the defense of a right in a legal proceeding;

• Right to Complain: the right to lodge a complaint with the supervisory authority, the CNPD, in addition to the company or the DPO.

To exercise these rights, as well as to obtain any clarification regarding this Privacy Policy, the client or potential client should contact Banco Montepio in writing at the contact provided above, through Branches or Homebanking.

Banco Montepio has adopted various technical and organizational security measures to protect personal data against destruction, loss, accidental or unlawful alteration, unauthorized disclosure or access, as well as against any other form of unlawful processing.

Despite the security measures adopted, clients should not share their access codes with third parties. In the case of Apps, clients should also keep and maintain the mobile device on which they download Apps in secure conditions and follow the security practices recommended by the manufacturer and/or operator, particularly regarding the installation and updating of necessary security applications, such as antivirus software.