Therefore, Banco Montepio is committed to respecting the best practices in the field of security and protection of personal data, having measures in place capable of ensuring the protection of data made available by all those who, in any way, relate to Banco Montepio.
Banco Montepio is responsible for processing the personal data of its customers and/or potential customers, and can be contacted through:
CAIXA ECONÓMICA MONTEPIO GERAL
caixa económica bancária, S.A.
Rua Castilho, n.º 5, 1250-066 Lisboa
Banco Montepio also has a Data Protection Officer (DPO), who (i) monitors the compliance of data processing with applicable standards, (ii) is a point of contact with the customer to clarify questions relating to the processing of personal data by Banco Montepio, (iii) cooperates with the supervisory authority, (iv) provides information and advises the controller or subcontractor on their obligations regarding privacy and data protection.
The Data Protection Officer (DPO) can be contacted via the following email address: DPO@montepio.pt.
Personal data means any information, of any nature and regardless of its form, relating to an identified or identifiable natural person (a person who can be identified directly or indirectly, namely by reference to an identification number or one or more specific elements of their physical, physiological, psychological, economic, cultural or social identity).
To establish and maintain a contractual relationship with Banco Montepio, the customer or potential customer must provide the personal data necessary to fulfill legally required obligations, pre-contractual and contractual steps.
Without obtaining and collecting the legally required personal data, it will not be possible to conclude or maintain contracts, execute orders, maintain the existing commercial relationship, or comply with requests made to the Bank.
Banco Montepio processes personal data provided in the context of the relationship with the holder, customer or potential customer, or in the process of granting, contracting, controlling and/or monitoring a specific product/service, highlighting, namely and as applicable, the following:
• Identification, family and contact data: such as name, address or other contact details (telephone and email), signature, place of birth, gender, nationality, marital status, number of children and, when applicable, a legal representative.
• Job status and activity: such as type of work, sector, employed/self-employed.
• Type and information on housing (owned/rented) and financial situation (assets, debts, solvency, income from employment or self-employment, business activity, expenses, among others), predictable changes in the financial situation (such as retirement age), concrete financial or investment objectives.
• Information regarding knowledge and experience in investment products (classification and profile according to the regime applicable to financial intermediation activities and trading of financial instruments, MiFID II), investment relationship or strategy (range, frequency, risk profile).
• Information on default and credit risk, taking into account data available in common credit information systems, Bank of Portugal's Responsibility Center or sources of economic information.
• Tax information (namely, domicile and classification of the holder subject to tax rules, such as FATCA and CRS).
• Required information to comply with due diligence and other obligations arising from Anti-Money Laundering and Terrorism Financing rules, such as the origin of funds, identification of a politically exposed person, beneficial owner, as well as any other relevant information for the purposes of evaluating a situation, operation or ownership and the associated risk in that matter.
• Identification and authentication data in Banco Montepio’s systems, namely, access keys and coordinates, digital signature and, if applicable and duly consented, biometric data.
• Commercial data, data derived from the proposal or contracting of products and services, movements and transactions, propensity for new hires, cookies and analysis of visits and use of Banco Montepio's remote channels, products and services consulted, among others.
• Information deriving from the registration and recording of telephone conversations or communications, through any means, with Banco Montepio, as a consequence of the obligation to maintain these records (including those contained in the financial markets directive – MiFID II and related legislation), whenever the channel and medium used are subject to this measure.
• Other data contained in the documentation delivered or obtained as a result of the relationship with Banco Montepio, such as a Citizen Card or other relevant identification documents, Passport, notarial deeds, both in a physical and digital format and, in general, any documentation and information on contacts maintained with the customer through different means, including marketing campaigns.
Data processing is an operation or a set of operations carried out on personal data by manual or automated means, including collection, storage, use, copying and transfer, among others.
Within the scope of its business operations, Banco Montepio collects and processes personal data, namely data necessary for service delivery and the pursuit of its business, as well as processing data received in the scope of commercial customer relationships or those with potential customers, also within the scope of compliance with applicable legal and regulatory obligations.
Personal data provided by other Group companies or third parties are also processed whenever this is relevant (for example, for the provision of services, fulfillment of contracts or obligations that affect Banco Montepio, or based on expressed customer or potential customer consent).
The processing of data collected by Banco Montepio is carried out in a lawful, fair and transparent manner, with specific purposes, namely the provision of services made available by Banco Montepio and contracted by customers or potential customers, the adjustment of services and products to their needs and interests, or for managing the contractual relationship.
The data collected may also be processed for statistical or promotion purposes or marketing campaigns, namely to promote campaigns to publicise new financial products and services via e-mail, SMS, MMS or any other electronic communications service.
The processing of personal data carried out by Banco Montepio will always be based on one or more of the following legal foundations:
• Consent of the data subject (Article 6 nº 1 paragraph a) GDPR) - Whenever prior, express consent is given, through explicit, informed, free action and for specific purposes, such as:
- Proof of customer information or instructions communicated by telephone, with recording of calls/video calls (e.g. proof of identity of the holder or transmission of orders on financial instruments);
- Monitoring quality of service, recording calls to evaluate quality of service;
- Market studies, with collection and analysis of personal data.
The processing will be carried out under strictly agreed terms.
• Execution and/or management of the contract or other pre-contractual measures (Article 6 nº 1 paragraph b) GDPR), which includes, in particular, the processing of personal data carried out for the purpose of maintaining Banco Montepio's contractual relationship with the customer or potential client holding the data and to allow operations to be carried out and provide banking or financial services, namely for the execution of contracts and processing of orders (including contact requests, presentations and complaints in the context of which personal data is transmitted), as well as all necessary actions within the scope of conducting and managing a financial institution.
• Compliance with an obligation (Article 6 no. 1 paragraph c) GDPR) – Banco Montepio, as a financial institution, is subject to various legal obligations, accounting and financial reporting, as well as provisions relating to the supervision of banking activities (for example, the European Central Bank, the European Banking Authority, the Bank of Portugal and the Securities Market Commission).
The purposes of data processing within the scope of these obligations may be, among others:
- Solvency and credit reliability assessment, verification of identity and age, knowledge and experience, as well as investment objectives of a current or potential customer;
- Prevention, management and response to fraud, money laundering or infractions, compliance with monitoring and tax information obligations, as well as analysis and management of risks, particularly remote operations (such as Online Banking and transactions with debit or credit cards);
• Within the scope of a legitimate interest (Article 6 nº 1 paragraph f) GDPR) – when personal data is processed to safeguard the legitimate interests of both Banco Montepio and third parties. The legitimate interest of Banco Montepio, as data controller, is, in particular:
- Direct marketing, provision of information and advertising campaigns, through in-person or remote channels, with the aim of informing and promoting Banco Montepio's offer to the customer, which may result from profiling processes or the analysis of operations carried out by the customer;
- Customer segmentation, in order to adapt the offer of products and services made available by Banco Montepio, to the features of each customer;
- Profiling - Banco Montepio characterises customers from the perspective of the use of products and services using statistical analysis models;
- Consultation and collection of data with credit information systems to determine solvency and default risks when granting loans;
- Assessment of service quality satisfaction, preparation of questionnaires to assess the extent of acceptance of Banco Montepio's products and services among customers;
- Collection and analysis of data and provision of information to third parties in the context of credit assignment or securitisation operations;
- Exercise of legal and defense rights in the event of legal disputes;
- Provisions relating to the maintenance of Banco Montepio's security, network, infrastructures and technological systems (including access controls), as well as its IT management;
- Video surveillance for security purposes;
- Collection, classification and storage of physical documents with personal data in the document archive, which constitute mandatory evidence in the context of Banco Montepio's business activity.
Banco Montepio defines profiles as per legal requirement and in the context of the regulatory framework applicable to banking and financial activities, highlighting obligations in the context of preventing money laundering, terrorist financing and fraud. In the course of evaluating credit capacity, Banco Montepio uses the scoring system (calculating the probability of the data subject fulfilling their payment obligations in accordance with the contract, income level, charges, outstanding debts, professional and family situation, system information and credit risk analysis, among others). The outcome of the calculations is one of the decision factors included in the ongoing risk assessment. Profiling in these contexts occurs as part of the execution or fulfillment of the contract with the customer or based on legal procedures.
On the other hand, we may define profiles in order to actively inform and advise you about our products and services, using evaluation instruments, which include market and opinion surveys, as well as consumption habits and personal preferences. This allows for demand-oriented communication and advertising. Banco Montepio applies all appropriate measures to safeguard your rights and freedoms in this context. To this extent, you may at any time exercise your rights and (i) request clarification regarding the terms and criteria under which the profile is created; (ii) challenge decisions that may be taken based on automated decisions; (iii) request human (non-automated) intervention. In the case of creating customer profiles exclusively for commercial purposes, you may object to the definition of that profile by contacting the Data Protection Officer, using the contact details indicated above.
Banco Montepio is the receiver of personal data, and its employees may have access to the data strictly necessary to comply with its contractual or pre-contractual and legal obligations.
Personal data may also be made available to:
i. Entities of the Montepio Geral Associação Mutualista Group and contractual partners, to send information about products and services, as well as informational content of a non-commercial nature, if you have given your specific consent for this purpose, or within the scope of preventing money laundering, terrorist financing and fraud, for the purposes of administrative and financial management at group level, non-compliance with monetary obligations, asset and credit solvency;
ii. Suppliers (namely suppliers of document and archive management services) and other subcontracting entities that, under the terms of the GDPR, may access data for certain specific purposes subject to guarantee measures in terms of data protection, which may be based within or outside the European Union, ensuring that subcontractors with access to personal data equally comply with current data protection legislation and bank secrecy;
iii. Authorities with due competence in complying with legal obligations (such as the Bank of Portugal, European Banking Authority, European Central Bank, Securities Market Commission and tax authorities);
iv. Other credit and financial services institutions for the execution of the contractual relationship or for providing complementary benefits and/or derivatives of contracted products or services, such as discounts, insurance or other situations, in accordance with the information made available to the data subject opportunely, namely, insurance entities in case of taking out insurance, entities managing pension plans or investment funds, in case of taking out one of these products; and
v. Financial entities registered with the banking information exchange system (SWIFT) and entities in the same sector or with the same legal obligation in relation to the prevention of fraud and money laundering, or for the acquisition or disposal of businesses or assets, to potential acquirers of these businesses or assets.
The transmission of personal data to a third country, outside the European Union, occurs when it is necessary to execute orders or requests from the data subject (namely, payment or investment orders), due to legal requirements or with the expressed authorisation of the data subject. Banco Montepio ensures that in these circumstances it adopts all technical and organisational measures considered appropriate in order to ensure that the provision of services by subcontracted entities that have access to data are reputable and offer the highest guarantees, subject to compliance with applicable legislation in this matter of privacy and data protection, including national and European legislation, by signing an agreement with European Union standard contractual clauses, to comply with the level of data protection applicable in the European Union.
Banco Montepio processes and maintains personal data for the period during which it maintains a contractual relationship with the customer, processing and storing personal data to the extent necessary in complying with applicable contractual and legal provisions.
Banco Montepio processes and stores personal data according to the purposes for which they are processed. There are cases in which the law requires the processing and storage of certain data after the termination of the contractual relationship for a minimum period of time, namely for 10 years, when it comes to the data necessary for information provided to the Tax Authority, for accounting or tax purposes or data relating to commercial bookkeeping, as well as, for a period of 7 years for the purpose of combating money laundering and terrorist financing.
The storage period may also be linked to legal limitation periods, which in many cases may be up to 20 years.
Current or potential customers as holders of personal data may exercise the following rights:
• Right of Access: right to obtain information about which of your personal data is processed, the purpose for data processing, and data storage periods, among others.
• Right to Rectification: right to request the rectification of your personal data that is inaccurate or to request completion of missing personal data, such as address, NIF (Tax Identification Number), email, telephone contacts, or others.
• Right to Be Forgotten: right to have your personal data forgotten, as long as there are no valid grounds for its conservation, such as cases in which Banco Montepio is obliged to keep the data to comply with a legal obligation or due to an ongoing legal process.
• Right to Portability: current or potential customer’s right to receive data they provided in a commonly used, machine-readable digital format.
• Right to Limitation: right to request the limitation of processing of personal data, in the form of: (i) suspension of processing or (ii) limitation of the scope of processing to certain categories of data or processing purposes.
• Right to Withdraw Consent: right to withdraw consent, at any time, for the processing of personal data.
• Right to Oppose: the right to object to processing, based on legitimate interest, as long as there are no compelling or legitimate reasons that prevail over your interests, rights and freedoms, or to defend a right in legal proceedings.
• Right to complain: right to lodge a complaint with the control authority, the CNPD, in addition to the company or the DPO.
Banco Montepio has levels of security and protection of personal data, adopting various security measures of a technical and organisational nature, in order to protect personal data against destruction, loss, accidental or illicit alterations and unauthorised disclosure or access, as well as against any other form of illicit treatment.
Despite the security measures adopted, the customer must not share access codes with third parties, and, in the case of Apps, must maintain and keep the mobile device on which they download them, in safe conditions and follow practices recommended by the manufacturer and/or operator, particularly regarding the installation and updating of the necessary security applications, namely antivirus.
Last updated: February 28, 2019