Gira tu dispositivo a modo "landscape"
Gira tu dispositivo a modo "landscape"
Kutxabank, S.A. maintains a firm commitment as regards the protection of personal data and the confidentiality of our customers’ information, as well as providing updated and comprehensive information of the data processing undertaken by the organisation at all times, in accordance with prevailing regulations. We therefore inform you below about how we process your personal data in Kutxabank, S.A. (hereinafter, Kutxabank).
|
Basic Information on Data Protection |
|
|
Controller |
Identity: Kutxabank, S.A. Postal address: Gran Vía 30-32, 48009 (Bilbao). Email address: info@kutxabank.es Data Protection Officer Contact: dpo@grupokutxabank.com |
|
Data categories used |
Detailed information can be found in section 3 of this Policy.
|
|
Main purposes of processing and legitimation |
Detailed information can be found in section 4 of this Policy.
|
|
Recipients |
Detailed information can be found in section 6 of this Policy.
|
|
Rights |
Data subjects may submit a claim before the control authority as well exercise their rights of access, rectification, cancellation, objection, limit processing, portability of the data and not be subject to automated individual decision making, as regards their personal data, including profiling in writing by means of an email or communication addressed to the registered office of the process controller stated above. |
|
Origin |
|
Kutxabank has developed this customer personal data protection Policy, which may be accessed at any time from the “Privacy” section at www.kutxabank.es or www.kutxabank.com, and in which you may consult the full details of how we will use your personal data in the relationships we establish with you. Similarly, you may request this information on paper from any of our branch offices.
In order to manage your relationship with us, Kutxabank will process your personal data for each one of the purposes we inform you of in this Policy and always in accordance with prevailing regulations, respecting your rights and with total transparency.
The main regulations regulating our processing of your data are:
Other regulatory bodies which include obligations in terms of the protection of personal data are as follows:
Controller: The controller of the personal data in your contractual and business relations with us is Kutxabank, S. A., with registered office at postal address: Gran Vía 30-32, 48009 (Bilbao). Email: info@kutxabank.es.
Kutxabank has a Data Protection Officer appointed, who will assist you to answer any questions relative to the processing of your personal data and the exercising of your rights. You may contact the Data Protection Officer to submit your suggestions, questions, misgivings or claims at this address: dpo@grupokutxabank.com.
Kutxabank has also entered into joint controller processing contracts with each one of the following subsidiary entities: Kutxabank Pensiones, Baskepensiones E.P.S.V., and Kutxabank Empleo E.P.S.V., for the management and administration of Pension Plans and Voluntary Social Welfare Entities. The mayor aspects of said agreements are as follows:
The purpose of processing the personal data of the ordinary members and beneficiaries of Pension Plans and E.P.S.V. by Kutxabank Pensiones, Baskepensiones E.P.S.V. and Kutxabank Empleo E.P.S.V. is to formalise, manage and execute the contractual relationship of adhesion of such ordinary members and beneficiaries to the Welfare Plans. The execution of the aforementioned adhesion contract constitutes the legitimate basis for this processing.
The purpose of personal data processing by Kutxabank is to guarantee its customers, a high-quality service, an increased protection of their interests and better monitoring of any incident that may arise from the contractual relationship of adhesion to any of the products. The legitimate basis of this processing constitutes the legitimate interest of providing quality assistance to the members of said Entities as well as strengthening the guarantees for the correct administration of this type of transactions.
On the grounds referred to, the operation related to the processing of personal data is performed by Kutxabank, on your behalf and in its name, and in the name of each one of the joint controllers.
In any case, you may exercise your rights before Kutxabank S.A.
Kutxabank in addition, has put together a joint responsibility agreement with the Entities subscribed to the information sharing service for the prevention of fraud. Information on the Entities adhered to said file can be found at
https://www.iberpay.com/es/servicios/sectoriales/payguard/
Processing consists of the recording and retrieval of data of suspicious or unauthorised transactions in a common repository operated by Iberpay as process controller in an effort to detect and prevent transactions suspicious of fraud, or whose fraudulent condition has been expressly acknowledged by the affected holder. The legitimate basis is constituted by legitimate interest, of the account holders likely to be affected by the fraud committed by third parties, as well as the Entity in ensuring the detection and prevention of fraud in the incoming and outgoing transactions of your account.
Kutxabank will process different personal data in order to manage your requests for information or the pre-contractual or contractual relations you enter into with us.
Outlined below are the data categories we will process, with the knowledge that not all the data categories listed are used for all data processing.
In the details of the processing activities that we carry out, contained in section 4, you may specifically consult each particular processing of the data categories used, therefore counting on the necessary information enabling you, if you wish, to exercise your rights recognised by the GDPR, particularly those of opposition and withdrawal of consent.
The data categories used in the different processing activities are as follows:
In cases in which the personal data are provided by persons holding parental authority or by the legal representatives of persons with disability, the latter are authorised to collect the data as well as their use and processing by Kutxabank for the purposes described in this Policy.
All data collection obtained, in the event it occurs, originating from information you have provided to third parties and is handed over by said third parties to Kutxabank, require consent prior to incorporating these into the Kutxabank S.A. databases. In this case, Kutxabank will contact you within a month at the latest in order to provide you with the information contained in this customer personal data protection Policy.
You ensure the veracity of the personal data provided to Kutxabank during the entire contractual relationship and undertake the obligation of notifying the Bank of any change thereof in accordance with this data protection policy. Kutxabank may, in any case, and without prejudice to its referred communication obligation, regularly request the review and updating of the personal data the entity maintains about you; it is also legitimated to conduct the appropriate verifications, within the prevailing regulations.
Under no circumstances will we process data that may infringe upon the principles of competition or business secrets.
It is important to understand that we do not infer any data that may contain information which reveal your ethnic or racial origin, political opinions, religious or philosophical convictions, union affiliation, the processing of genetic data, data relative to health or data relative to your life or sexual orientation (“Special data categories”).
The processing we carry out responds to different legal purposes and bases.
Description of the processing
Prior to registering your data in our systems, we will inform you of this customer personal data protection policy and then request the minimum data needed to commence the pre-contractual activity or contractual relationship you request.
Kutxabank will carry out the following processing, inter alia:
Purpose of the processing
The purpose of this processing is to treat your personal data in order to handle and analyse your registration as a customer, the contract request or the concluding of the contracts.
Basis of the processing
The processing will be carried out in accordance with the obligations set forth in the prevailing legislation at all times as regards the acceptance and registration process of customers and the contracting processes of each one of the products.
Data categories used
The data Kutxabank will use for these purposes are:
Verification services of Iberpay account ownership
Additionally, your identification and account data will be processed in order to enable verification of the ownership of your account at the request of a third party with whom you have initiated a contractual relationship that entails direct debiting or debit to an account.
The processing of the data in order to verify ownership of the account in which the formalisation of an immediate or future collection or payment is intended, is based on the contractual relationship maintained with the third party requesting the verification, as well as with Kutxabank and seeks the proper compliance of the contract signed between the parties, in such a way that a prior check is carried out in order to prevent pecuniary losses arising from an error of the payment into the direct debit account.
Description of the processing
The processing operations to carry out are as follows:
Purpose of the processing
The purpose of the processing is to develop, control, maintain and update the contractual relationship we have formalised.
Basis of the processing
This processing is required for maintaining the contractual relationship we establish and failure to provide them would make it impossible to manage such relationship, as it is based on meeting the contractual and legal obligations of the Entity, or in its legitimate interest, for which appropriate weighting analyses have been carried out.
Data categories used
The data Kutxabank will use for this purpose are:
Data disclosures
Kutxabank may disclose your data to the competent authorities, control and supervisory bodies and legal, administrative or tax authorities, for the purpose of meeting the applicable regulations at all times, in particular, but not limited, to the banking or financial sector. In addition, Kutxabank may disclose your data to collaborators needed in processing activities such as prescriptors, auditors, Notaries Public and Registers and Public Bodies, as well as private banking and insurance companies at group level for the sole purpose of improving efficiency in internal administrative and operational management, provided that they belong to such segment and to which they may object to at any time.
Description of the processing
Including without limitation, the most relevant processing carried out with these purposes is outlined:
Purpose of the processing
The purpose of the processing is to meet accounting, legal, tax and administrative obligations.
Basis of the processing
The processing of your data is necessary for meeting the accounting, tax and legal obligations required from the Entity for its activity.
Data categories used
Data disclosures
Kutxabank may disclose your data to the competent authorities, control and supervisory bodies and legal, administrative or tax authorities, for the purpose of meeting the applicable regulations at all times, in particular, but not limited, to the banking or financial sector. In addition, Kutxabank may disclose your data to collaborators needed in processes such as Notaries Public and Public Registries
Payee verification service for immediate transfers
Entities involved in a transfer may process the payee’s details (name, surname, ID) and account number (IBAN) for the purpose of verifying that the payee designated by the payer is actually the holder of the account receiving the transfer. In cases where there is no exact match between the name provided by the payer and that registered by the beneficiary’s institution, the payer may be informed of the registered name.
The processing carried out in connection with the verification of a transfer payee is based on the legal obligation applicable to the controller, established by Regulation (EU) 2024/886 as regards immediate transfers, which imposes on payment service providers (PSP) the obligation to provide a matching verification service between the payee’s name and the IBAN, in order to avoid erroneous or fraudulent payments.
Description of the processing
The processing carried out with these purposes is as follows:
Purpose of the processing
The purpose of the processing is to maintain the security of economic traffic, thereby contributing to safeguarding the general interest and make it possible to improve the risk analyses performed by the Entity in order to protect free commercial exchange under conditions of security and solvency.
Basis of the processing
This processing is carried out in order to meet the regulations on the responsible granting of loans and remaining legal measures required by applicable legislation.
Data categories used
Data disclosures
Data relative to defaults may be reported to files relative to the compliance or non-compliance of monetary obligations, Badexcug (Experian) and Asnef (Equifax) and to CIRBE in accordance with its specific regulations.
Description of the processing
The processing carried out with these purposes is as follows:
Purpose of the processing
The purpose of the processing is the prevention of criminal activities and those related to money laundering and the financing of terrorism as defined in the specific regulations.
Basis of the processing
This processing is carried out in order to comply with prevailing legislation on the prevention of money laundering and the financing of terrorism which obliges banking entities to obtain information and documentation from their customers as regards their identity and their economic activity in order to apply due diligence and knowledge of customer measures.
Data categories
Data disclosures
In force regulations require and enable Kutxabank to share information with subsidiary Entities that form part of the Represented Group for the Prevention of Money Laundering and the Financing of Terrorism to this end.
Likewise, Kutxabank has the obligation of declaring to the Financial Ownership File the opening or cancelling of any current accounts, savings accounts, stock accounts, deposits and of any other type of payment accounts, as well as safety deposit box lease agreements and lease terms regardless of its trade name, consequently your identification data will form part of this file created for the purpose of preventing and deterring money laundering and the financing of terrorism. The controller of this file is the Secretary of State for the Economy and Business Affairs.
Description of the processing
The processing carried out for this purpose is:
Purpose of the processing
The purpose of this processing is the prevention, detection and/or pursuit of fraud.
Data categories used
The data categories used for this purpose are:
Basis of the processing
The processing is based on the legitimate interest of the account holders who may be affected by fraud committed by third parties, as well as Kutxabank’s of ensuring the detection and prevention of fraud in the banking transactions to and from your account.
Data disclosures
With the exclusive goal of preventing criminal situations, and provided it has sufficient evidence for determining the existence of a possible fraud, Kutxabank will be legitimised, in order to prevent thereof, to disclose the data of its customers to outside companies affected by such situation..
Processing referring to the Information Sharing Service for the prevention of fraud.
Joint controllers for the processing
The joint controllers of the file are all the financial institutions adhered to said common file as joint controllers of the processing. The Entity has the essential aspects of such joint controller agreement at your disposal and you may request it via the email address of our Data Protection Officer dpo@grupokutxabank.com. In addition, you may consult the updated list of entities adhered to the common list at https://www.iberpay.com/es/servicios/sectoriales/payguard/
Description of the processing
Registering and consulting the data of suspicious or unauthorised transactions in a common repository operated by Iberpay as controller of the processing.
Basis of the processing
The processing is based on the legitimate interest of the account holders who may be affected by fraud committed by third parties, as well as Kutxabank’s of ensuring the detection and prevention of fraud in the banking transactions to and from your account.
Data categories used
Conservation period
Functionality for preventing fraud in cross-border payments in the EU
On the occasion of issuing a cross-border transfer between EU-based financial institutions, we inform you that the personal data related to your target account number and your name as beneficiary holder thereof, may also be processed to detect anomalies and fraud patterns through the European payment systems.
The object of this processing is the identification of anomalous or irregular transactions and the detection of risk behaviours and patterns that enable them to be identified.
The legitimate basis for processing the mentioned data for such purpose is the legitimate interest of Kutxabank in detecting and preventing fraud in the banking transactions into or out of your account. Additionally, the processing described is conducted in the interest of the holders of the accounts which might be affected by fraud committed by third parties.
The processing to be conducted on occasion of the detection of anomalies and fraud patterns will be as follows:
Kutxabank will not disclose the data collected as regards this processing to any third party other than your counterpart in the transfers and will proceed to delete them when they cease to be necessary for the purpose for which they were collected and, in any case, within a period of 14 months since these have been collected.
Confirma File
In order to prevent and avoid possible attempts of fraud, Kutxabank is affiliated to the Confirma File. Personal data you provide to Kutxabank in the context of a transaction request (for example, a current account opening request) will be communicated to the Confirma File for the purpose of collating requests and transactions recorded in the File by the affiliated entities in order to assess the likelihood of fraud in the request.
The joint controllers of the processing are the entities affiliated to the Confirma File Regulation, and the controller of the processing is Confirma Sistemas de Información, S.L., based in Avda. de la Industria, 18, Tres Cantos (28760) Madrid. You can consult the list of Entities that are currently affiliated to the Confirma File Regulation at https://confirmasistemas.es/fichero-confirma. The data communicated to the Confirma File may be consulted by the rest of the entities affiliated to the Confirma File Regulation. You can request additional information, as well as the essential aspects of the co-responsibility agreement between the affiliated entities, via the e-mail address dpo@grupokutxabank.com.
The legitimate basis is the joint controller’s legitimate interest in preventing fraud to avoid possible negative economic consequences and possible legal breaches by applicants. Reducing the likelihood of fraudulent transactions implies a reduction, in general terms, of the crime involved and the implications for other crimes such as money laundering or the financing of terrorism. Therefore, this File is clearly in your own interest as it aims to protect you from fraudulent practices by third parties.
Consulting the Confirma File is ideal in view of the objective pursued, and proportional to the benefit obtained by the member entities and the impact on the privacy of the applicants. Furthermore, the processing of data is within the reasonable expectations of data subjects as it is a common practice and occurs in the context of a contracting application. In order to avoid harm and negative consequences for applicants, technical and organisational measures have been taken to strengthen the confidentiality and security of this information.
The maximum data retention period shall be five years. The data communicated to the Confirma File may be consulted by the Entities affiliated to the Confirma File Regulation. No transfer of data to a third country or international organisation is envisaged.
In accordance with the current regulations on data protection, you can exercise your rights of access, rectification, deletion, opposition, limitation of processing and portability by contacting the address of the controller, Confirma Sistemas de Información, S.L., at the address above. You may also submit a complaint to the Spanish Data Protection Agency (www.aepd.es). Confirma Sistemas de Información, S.L. has appointed a Data Protection Officer who can be contacted via the email address dpo@confirmasistemas.es for privacy requests related to the Confirm File.
Description of the processing
The processing carried out with this purpose is the sending of commercial, generic or personalised communications for promoting products and services commercialised by Kutxabank, as well as the remittance of communications relative to personal events, such as birthdays or anniversaries, and public events, such as Christmas and other socially accepted or recognised festivities, sports, social and/or cultural events, through postal mail, fax, SMS, email or by any other medium, including electronic.
Purpose of the processing
The purpose of this processing is to offer you products and services commercialised by the Bank, and third-party collaborators dedicated to the banking and financial, insurance, real estate and services sectors, which are of interest. In addition, if we have your consent, we will send you communications related to personal events, such as birthdays or anniversaries, and public events, such as Christmas and other socially accepted or recognised festivities, sports, social and/or cultural events, which we believe may be of interest to you.
Data categories used
Basis of the processing
This processing is carried out on the basis of your explicit consent previously given for the sending of commercial communications. Such consent may be withdrawn at any time by any of the channels enabled for the exercising of rights and explained in this Policy, as well as through the Online Banking and Mobile Banking service, being able to select, if you wish, the media that best suit your needs (telephone calls, push notifications/sms, e-mail, postal mail).
For promoting other types of products from other subsidiary companies, or third-party collaborators, and particularly in the insurance sector, we will also require your express prior consent. In any case, the mentioned consent is revocable, the customer may also oppose such processing at any time.
In this regard, we would like to inform you that Kutxabank has insurance bank agent status exclusive to Kutxabank Vida y Pensiones and Kutxabank Aseguradora, which means that all the insurances commercialised by the bank go through said insurance company.
As an exception, Kutxabank considers that in relation to the data subjects who were customers of the Entity prior to the entry into force of the GDPR, it has the legitimate interest of promoting its business activity making offers of credit or savings products and services as well as insurance products which are related to the credit financial products or services it maintains contracted. In order to do this, Kutxabank has carried out the corresponding weighting analysis of its interests and the rights and freedoms of the data subjects.
Description of the processing
The processing carried out with this purpose is commercial profiling in order to identify the customer segment and to adapt the offer of products and services.
The profiling done with your personal data is as follows:
With all this, we will be able to identify products and services we believe may be of interest to you according to the data available, not using for these cases any data obtained from external sources, including asset solvency files.
Purpose of the processing
The purpose of the processing is to apply statistical and customer segmentation techniques on your data in order to provide you with commercial offers suited to your needs and preferences as well as monitoring the services contracted.
Data categories
The data categories processed for this purpose are:
Kutxabank would like to expressly inform you that no data that you have not provided us with directly, obtained from the information contained in the asset solvency files or other external sources reported in section 3 of this Policy will be used for this profiling. Kutxabank will only incorporate the information contained in such files when you request a loan or credit transaction or if we have your express consent. The information incorporated in the rest of the external sources such as the aggregation service, will only be used for profiling if we have your express consent.
Basis of the processing
This processing is carried out on the basis of the Entity’s legitimate interest, consisting of undertaking its duties with the maximum efficiency and quality intrinsic to the Entity as well as perceived by you as a customer. In order to do this, Kutxabank has carried out the corresponding weighting analysis of its interests and the rights and freedoms of the data subjects. You may oppose the carrying out of this type of processing at any time by any of the means mentioned in point 8 of this Policy.
By contrast, if external databases are used for producing this information, particularly the information contained in the assets solvency files, the processing will only be carried out if you have requested a loan or credit transaction or we have your express consent. Similarly, in the case of producing this information, information included in the aggregation service is used, the processing will only be carried out if we have your express consent. You have the right to withdraw the provision of such consent at any time and through any of the channels enabled for this purpose and are reported in this Policy.
Description of the processing
The processing carried out with this purpose is relative to the processing of your access requests for promotions or draws organised by Kutxabank, which we understand to be in your interest, without the need for you to expressly register therein.
Purpose of the processing
The purpose of the processing is for presenting you promotions offered by the Entity to its customers without the need for you to expressly register therein.
Data categories
The data categories we will process for this purpose are:
Basis of the processing
This processing is based on the legitimate interest for managing your contracts, but will require your consent prior to accepting a prize. Similarly, no processing will be carried out in the event you have previously declared your opposition to be the subject of advertising campaigns.
Description of the processing
The processing carried out for this purpose is to capture and record images through the equipment installed in Kutxabank’s offices, branch offices, buildings and corporate centres.
Purpose of the processing
The purpose of the processing is to implement the necessary security measures to protect our customers and the Entity’s assets and to prevent economic and reputational damage. The surveillance camera systems are installed for Kutxabank security purposes. Kutxabank will not be able to use surveillance cameras in a way incompatible with the purpose expressly described and agrees to save the images recorded in good faith and in accordance with such purpose.
Data categories
The data categories we will process for this purpose will be the images captured by the video surveillance cameras.
Basis of the processing
The basis of the processing is the legal obligation of Kutxabank to protect its facilities, staff and customers in accordance with Private Security Regulations.
Data disclosures
Data may be disclosed at the request of judicial authorities or State law enforcement bodies or forces when this is required in the fulfilment of their obligations.
Description of the processing
The processing carried out for the monitoring and constructing statistics of the activity in the Entity, are:
In the case of providing data to third parties for statistical purposes, the Entity undertakes to apply the pertinent anonymisation techniques or provide information on an aggregate basis, such that said information bears no relation to an identified or identifiable natural person.
Purpose of the processing
The purpose of the processing is to draft statistical reports and mathematical models for managing and monitoring the Entity’s activity.
Data categories
The data categories we will process for this purpose are:
Basis of the processing
The basis of the processing is Kutxabank’s legitimate interest of developing its business activity.
Description of the processing
The processing carried out with this purpose is:
Purpose of the processing
The purpose of the processing is the handling of complaints, as well as preventing, detecting, managing and resolving criminal, illegal conduct and/or contrary to the Entity’s internal regulations.
Data categories
The data categories we will process for this purpose will be:
Basis of the processing:
This processing is carried out under the principle of legitimate interest as well as in compliance of a legal obligation.
Description of the processing
The processing carried out for this purpose is communicating identification, contact and profiling data to other companies so they may remit commercial communications, including by electronic means, of the products and services commercialized by them.
Purpose of the processing
If we have your consent, we will disclose the data to Kutxabank Group companies, as well as collaborating and/or investee companies, in order for them to make commercial offers of the products and services they commercialize.
Data categories
If you do not grant us consent for this processing, we will not disclose your data. If you do consent, the data we will communicate to other companies will vary depending on whether you have refused, or not, to commercial profiling to adapt the offer of products and services:
Basis of the processing:
This processing is carried out from your prior explicit consent for communicating data to other companies. This consent may be withdrawn at any time through any of the channels enabled for exercising rights and outlined in this Policy, as well as through the Online Banking and Mobile Banking service.
Data disclosures
The companies to which we may disclose your data provided we have your express consent can be viewed in detail on the following link: https://portal.kutxabank.es/cs/Satellite/kb/es/sociedades-del-grupo-kutxabank/documento.
Kutxabank will keep your data during the term of the contractual relationship or as long as is necessary for the particular purpose of each processing.
The processing of data based on consent will be in force until you expressly withdraw it or the contractual relations or business you have established with us have come to an end.
Upon the withdrawal of consent or the end of contractual or business relations, we will proceed to implement technical and organisational measures to ensure your data are only used in accordance with in force legal obligations.
The Entity will proceed with the destruction of your data within the deadlines set forth by the in-force legislation and which regulates Kutxabank’s activity, taking into account the statutes of limitations of administrative or judicial actions.
The personal data provided in the phase leading to the formalisation of the business relationship or the contracting of a product or service, will be kept by Kutxabank for a maximum of six months, unless a longer period is determined in the request. Nevertheless, if you wish, you have the right to request the effective removal of your data in a shorter period.
As regards the video surveillance recordings, the regulations relative to Private Security applicable to Kutxabank establishes a maximum data retention period of fifteen days from the date of recording, unless the competent judicial authorities or the Law Enforcement Bodies and Forces provide otherwise.
Personal data relating to communications and investigations on regulatory breaches and the fight against corruption will only be kept for as long as necessary, and in no case may this exceed ten years. If an investigation is not commenced within three months from the submission of the communication, the communication system will be abolished, unless it is in order to keep evidence of system operations and anonymously if they are not forwarded communications.
Kutxabank will not disclose any of your data, unless such disclosure is carried out based either on your consent, or on a legal or contractual obligation with you, such as those listed below:
As a general rule, Kutxabank does not send data transfers to other companies located or whose servers are located outside the European Economic Area. However, in those exceptional circumstances in which such international transfers do occur, Kutxabank will adopt the necessary measures for these to be sent to a country or organisation that has provided the appropriate guarantees, or failing this, these can be based on legitimate principles established by regulations.
You may exercise your rights of access, rectification, opposition, cancellation, limitation, portability of your personal data, of withdrawing your consent and not be subject to automated decision-making, in accordance with the law. You may request to exercise these rights through any of the following channels, submitting your request, accompanied, if necessary, by a copy of your identification document:
In addition, for processing covered by your express consent, you can withdraw or give such consent at any time through the Online Banking and Mobile Banking service.
In addition, if you have any claim derived from the processing of your data, you may address it to the Spanish Data Protection Agency (www.aepd.es).
| Rights | Considerations and service channels |
|
|
|
|
|
|
|
|
|
|
|
Information about the Protection of Personal Data:
Controller:
Kutxabank, S.A. Gran Vía 30, 48009 Bilbao.
Purpose and Legitimation:
Variable according to the specific processing.
Recipients:
The data contained in this form will not be disclosed to third parties, except under legal obligation.
Rights:
You may exercise your rights of access, rectification, opposition, cancellation, limitation, portability and/or withdraw your consent by email at info@kutxabank.es. In addition, you are entitled to submit a claim to the AEPD or competent control authority.
Additional information:
You may consult additional and detailed information on Data Protection in the “Privacy” section of our website: www.kutxabank.es.
Access to the Kutxabank, S.A. (hereinafter “Kutxabank”) website and information relating to any of the products and services presented therein implies the submission to and acceptance of the conditions set out in this Legal Notice. Therefore, we recommend that you read its content carefully if you wish to access and make use of the information and services offered on the Kutxabank website.
The information provided on this site does not constitute investment or banking advice. As this is not banking advice, the information provided is not based on an objective and comprehensive analysis of the banking services available on the market. Nor does it take into account the user's personal and financial situation, preferences or objectives.
Users should be aware that products appearing on this website may not be suitable for their personal situation or financial position, or their risk profile, as they have not been taken into consideration when preparing the information contained herein, as a result of which users should make their own investment decisions by taking these circumstances into account and seeking any specific, specialist advice that may be necessary.
Kutxabank declines all responsibility for any use that may be made of the site in this regard, and it must be specifically understood that such information, subject to the legislation in force in Spain, will not be intended for users acting under other jurisdictions of states requiring compliance with various requirements for the provision, disclosure or advertising of financial services and/or products.
The conditions listed below are those in force from the date of their last update. However, Kutxabank reserves the right to update, amend and/or delete the information contained on its website at any time and may limit or even deny access to such information without prior notice, particularly when technical difficulties arise which, in the opinion of Kutxabank, reduce or cancel out the standard security features adopted for it to work properly.
If this Legal Notice is amended at any given time, the conditions contained herein shall enter into force on the date of their publication and shall apply to all users from that date.
Some areas of this site may have specific legal notices relating to their content or functionality, so reading them is recommended. Specifically, this refers to those areas where Kutxabank may offer the user the possibility of contracting certain products or services and where it makes the applicable general terms and conditions of the contract available to interested users.
If you do not agree to the terms of this Legal Notice, please refrain from using this website or contracting any of the products or services offered by Kutxabank.
1) Ownership of the website.
This website is owned by Kutxabank, as the credit institution responsible for processing the data on behalf of the organisation. The identification and contact details of Kutxabank as an information society service provider in accordance with the provisions in Article 10 of Law 34/2002 of 11 July on information society services and electronic commerce are listed below:
2) Personal data protection policy.
As a general rule, the use of the Kutxabank website does not require users to disclose their personal data as a prior condition.
Notwithstanding the foregoing, in those cases where users require certain services and communicate their personal data to Kutxabank, the Company guarantees the confidentiality of such data and compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data and Organic Law 3/2018 of 5 December, on the Protection of Personal Data and guarantee of Digital Rights, which offers sufficient guarantees regarding the implementation and maintenance of appropriate technical and organisational measures to ensure the protection of their data.
In these cases, we will ask for the essential data required to proceed in processing your request and these data will be processed with the sole purpose of responding to your request. As a general rule, we will ask you for your identification and contact data.
The legal basis for this processing will be based at all times on your express consent by sending the corresponding form, where you will also find information on the Data Protection Policy of Kutxabank S.A.
The data collected will not be disclosed to third parties, except in those cases in which Kutxabank is legally obliged to do so, specifically to Public, Judicial authorities or State law enforcement forces or bodies, neither will Kutxabank initially, make international transfers thereof, and if done so exceptionally these will always be performed with the appropriate safeguards, such as standard contract clauses approved by the European Commission. In this case, users may request a copy of the safeguards adopted.
You may at any time, with reference to disputes related to personal data processing, contact Kutxabank’s data protection officer at dpo@grupokutxabank.com, submit a claim to the competent supervisory authority, as well as exercise your rights of access, rectification, cancellation, opposition, limitation of processing, portability and to not be subject to automated individual decision-making of your personal data, you may exercise these rights by way of written communication addressed to the registered office of Kutxabank as stated above, or by sending an email to infor@kutxabank.es attaching in both cases, if necessary, a copy of a document proving your identity.
The data will be processed and stored as required for the relationship established with the User. Data will also be retained in order to comply with the requirements of each applicable regulation, prevent unlawful actions and to settle different types of disputes or controversies. Once the processing of your data becomes unnecessary, Kutxabank will proceed to delete and/or block it. You will find details on the different storage time limits in Kutxabank’s Data Protection Policy.
Please use the following link to view our Personal Data Protection Policy.
3) Industrial and intellectual property.
All the contents of the Kutxabank website, understood as such, including but not limited to, all texts, documents, photographs, drawings, images, icons, graphic representations, audiovisual and sound contents, as well as their graphic design and source code, trademarks, trade names or other distinctive signs, are the exclusive property of Kutxabank or third parties (the latter being the legitimate licensee) and are protected by Industrial and Intellectual Property Laws.
Access by users to the contents of the Kutxabank website does not grant them any rights or ownership over them.
Any form of exploitation, reproduction, distribution, modification, public communication, disclosure or transformation or any other form of dissemination of the information or elements contained on the Kutxabank website referred to in this section is strictly prohibited by any means and medium that has not been expressly authorised beforehand. The content of this website may only be downloaded to the user's terminal provided it is for his/her private use and not for any commercial purpose.
The infringement of any of the above rights may constitute a breach of these terms and/or Industrial and Intellectual Property Laws. Kutxabank reserves the right to take the appropriate legal action against users who violate or infringe the intellectual and/or industrial property rights of this website, its information or its contents.
4) Prohibited uses.
It is strictly forbidden to create links to the Kutxabank website from third-party websites without the express permission and written consent of Kutxabank, or to present the Kutxabank website or the information contained therein under the frames or frameworks, distinctive signs, brands or social or commercial names of another person, company or entity.
In any case and in accordance with the requirements, any links to the Kutxabank website from other websites, will allow such access, but will not reproduce its contents in any form (in whole or in part) except for the Kutxabank logo or company name for information purposes only.
5) Responsibilities.
Kutxabank does not guarantee continuous access to or the correct viewing, download or use of the elements and information contained on the Kutxabank website, which may be impeded, hindered or interrupted by factors or circumstances beyond its control.
Kutxabank shall not be responsible for the accuracy, completeness or updating of information which is not of its own creation, or for information and other content on third party websites or spaces that are accessible from the Kutxabank website by means of links or hyperlinks, nor for information and other content included on third party websites or spaces from which the Kutxabank website is accessed by means of links or hyperlinks. Likewise, Kutxabank shall not be responsible for the information and content of any third-party websites which is displayed in the guise of or under the distinctive signs of Kutxabank, unless expressly authorised by the latter. Consequently, Kutxabank is not responsible for and does not guarantee the proper functioning, availability, accessibility or continuity of the information and other content included on such third-party websites or spaces. Kutxabank accepts no liability whatsoever regarding the information, content of any kind, products and services offered or provided by third parties or entities through the Kutxabank website, particularly for any damages of any kind linked to the aforementioned that may be caused by: (a) absence or gaps in the information provided to users or in its truthfulness, accuracy and sufficiency; (b) non-performance, defective or late performance of pre-contractual contracts or relationships; (c) failure to fulfil obligations incumbent on providers of information society services; (d) infringement of the rights of consumers and users; (e) infringement of intellectual and industrial property rights; unfair competition or unlawful advertising; (f) infringement of the right to data protection, of professional secrecy and of the rights to honour, personal and family privacy and the image of individuals; and (g) in general, non-compliance with any applicable laws, customs or codes of conduct.
Kutxabank accepts no liability whatsoever for damages, harm, losses, claims or expenses, caused by: (a) interference, interruptions, failures, omissions, telephone breakdowns, delays, blockages or disconnections in the operation of the electronic system, caused by deficiencies, overloads or errors in telecommunications lines and networks, or by any other cause beyond the control of Kutxabank; (b) unlawful interference through the use of malicious software of any kind and through any means of communication, such as computer viruses or any other means; (c) improper or inappropriate use of the Kutxabank website; (d) security or browsing errors caused by a malfunctioning browser or the use of outdated versions of the browser.
In any event, users of the Kutxabank website shall be liable for any damages of any kind that Kutxabank may suffer as a result of a user’s failure to comply with the obligations to which they are subject under this Legal Notice, or under the particular conditions that may apply to them.
Kutxabank is not responsible for any discrepancies which may arise, on a temporary basis, between the printed version of its documents and the electronic version thereof published on its websites.
6) Publications.
Any publication provided through this website does not replace, in any way, any publication that must be made through the relevant official communication channels (such as, for example: Official Journal of the European Union, Official State Bulletin, Official Journal of the corresponding Autonomous Communities, Provincial Bulletins, Official Gazette of the Mercantile Register, widely distributed newspapers, etc.).
7) Security policy.
Access to the website does not imply any obligation on the part of Kutxabank to ensure the absence of viruses or any other harmful computer element. In any event, it is the user's responsibility to ensure that adequate tools are available for the detection and disinfection of software and hardware.
Kutxabank is not responsible for any damage to the computer equipment of users or third parties while they are accessing the corporate website.
For the security of the telematic services provided, Kutxabank informs you of the existence and use of computer mechanisms that do not have to identify the User but which can collect browsing, technical and usage data or data on the use of pages and content and whose purpose may be to obtain statistics on use and operation, the resolution of incidents or the proposal or development of new services or products, and Users may configure their browser at any time in such a way as to prevent the obtaining of such information.
Kutxabank is firmly committed to the protection of personal data and the confidentiality of User information.
Kutxabank guarantees compliance with the security, organisational and technical measures that are appropriate for ensuring a level of security that is adequate for the risk that may arise from processing data, in order to ensure the security and integrity of personal data and prevent their alteration, loss or unauthorised processing or access, taking into account the state of the technology, the application costs, the nature of the data stored, the scope of the processing, as well as the risks to which they are exposed and the impact that this may have on the rights and freedoms of natural persons, whether they come from human action or the physical or natural environment, thus complying with the requirements of current legislation.
However, the User has been informed and accepts that Internet security measures are not impregnable.
8) Cookies policy.
Users may set and accept the installation of cookies on their equipment. Detailed information on Kutxabank's cookies policy can be found contained on this website and viewed on the following link.
9) Applicable legislation and jurisdiction.
These conditions are subject to Spanish legislation and may be revised and modified at any time in order to adapt to any modification of current legislation.
Through the information published on this website, Kutxabank meets in an updated manner the transparency principle of Order EHA/2899/2011, of 28 October, on transparency and protection of customers of banking services, access to information and good governance, with the appropriate mechanisms to provide accessibility, interoperability, quality and reutilization of the information, as well as its identification and localisation.
10) Entity affiliated to Confianza Online.
Our entity is affiliated to Confianza Online (a non-profit association), registered in the National Register of Associations Group 1, Section 1, national number 594400, TIN G85804011, Calle la Palma 59, Bajo A., 28015 Madrid (Spain), telephone (+34) 91 309 13 47 and fax (+34) 91 402 83 39 (www.confianzaonline.es).
These General Conditions are governed by Spanish law. In addition, in accordance with the Alternative Dispute Resolution Law, we inform consumers that, as an affiliated entity and in the terms of the Code of Ethics, users may use Confianza Online for the alternative resolution of any potential disputes (https://www.confianzaonline.es/como-reclamar/formulario-de-reclamaciones/).
If these refer to electronic transactions with consumers, or on data protection when they are related to this field, the claims will be resolved by the Confianza Online Mediation Committee certified for the alternative resolution of disputes in terms of consumption. If the claims deal with digital advertising, or data protection related to this field, they will be subject to the AUTOCONTROL Advertising Board.
In addition, users may access the European Union Online Dispute Resolution platform by using this link: https://consumer-redress.ec.europa.eu/index_es.
In Kutxabank, S.A. (hereinafter, “Kutxabank”), we consider that we must be clear as regards the way in which we collect and use your data.
In order to offer an increased level of transparency, this policy provides detailed information about what types of cookies this website uses and how to configure them.
1. What are cookies?
Cookies are files which websites store in the browser of the user who visits them and that enable information to be obtained relative to the user’s browsing with different purposes.
The specific purposes for which we use cookies on this website are detailed in the section below.
2. Types of cookies and purposes for which we use cookies
On this website we use own cookies (owned and generated by Kutxabank from this domain), as well as third-party cookies (managed by third parties and generally generated from the corresponding third-party domain). Some of these are session cookies (they store and gather information while the user accesses the website, and are deleted upon conclusion of the session) and persistent cookies (of longer duration, which may range from a few minutes to several years).
Some of these cookies enable the functions and services provided on the website (generally referred to as, strictly necessary cookies). We also use cookies for the following purposes:
Own cookies:
|
Purpose |
Storage period |
|---|---|
|
Preference or personalization cookies: these allow information to be remembered so that the user can access the website with certain characteristics that can differentiate his/her experience from that of other users, such as, for example, the aspect and content of the website according to the type of user (businesses, young people or private individuals). |
4 months |
Third-party cookies:
|
Purpose |
Third party |
Storage period |
More information |
|---|---|---|---|
|
Analytics or measurement cookies: these allow the monitoring and analysis of user behaviour. The information collected by means of this type of cookies is used to measure the activity of the website (for example, the number of visits) in order to make improvements according to the usage analysis the users make of the website. |
Sizmek |
2 years
5 years |
how Google uses cookies, types of cookies Google uses and information about Google Analytics) Sizmek (more information in English) |
|
Behavioural advertising cookies: these allow collecting information on the behaviour of users, obtained through the continuous observation of their browsing habits, in order to develop a specific profile and show personalized advertising according to it. |
Google Ads / DoubleClick
Sizmek
|
Persistent
540 days
Persistent
Persistent
90 days
Persistent |
Google Ads / DoubleClick Sizmek |
3. How to disable or delete cookies?
Users may, at any time, accept, configure and reject cookies from the configuration panel.
In addition, users may allow, block or delete the cookies installed on their equipment by modifying the configuration parameters of the browser installed in their equipment. The main browsers have cookies blocking and deleting options, but the procedure may differ from one Internet browser to another and, consequently, please use the instructions provided by your Internet browser manufacturer. In the case of mobile devices, it is also common for the browser to have these options in the Settings section.
Included below are instructions provided by some browsers:
Some third-parties also provide opt-out systems or other solutions:
If the user accepts the use of cookies and then rejects it, some of these cookies will remain installed in his/her device. If you wish to delete them, you may do so from your browser, as indicated above in this section.
4. Additional information on data protection
This section provides information regarding the processing of personal data which completes the information provided in the remaining sections of this cookies policy and in the Protection of Personal Data Policy.
Legal basis for processing: consent, which the user may withdraw at any time as referred to in section 3 of this policy (“How to disable or delete cookies?”).
Data recipients: the third parties identified in section 2 of this policy (“Types of cookies and purposes for which we use cookies”).
Profiling: user browsing may be observed for profiling in the terms and with the purposes referred to in section 2 (“Types of cookies and purposes for which we use cookies”) of the cookies policy. For more details, you can consult the privacy policies of the third parties identified in such section.
Transfers to third countries: As regards third parties identified in section 2 (“Types of cookies and purposes for which we use cookies”), users may consult their respective privacy policies to inquire, when applicable, about the transfers they make.
5. Updating and changes of the Cookies Policy
Kutxabank may modify this Cookies Policy in accordance with new legislative, regulatory requirements, or in order to adapt such policy to the instructions dictated by the Spanish Data Protection Agency.
Users will be informed when significant changes are made in this Cookies Policy and, where necessary, their consent will be requested for using the cookies.
|
PROTECTION POLICY OF CUSTOMER PERSONAL DATA |
|||
|---|---|---|---|
|
Version V01.2025 |
|||
|
Controller |
Regulatory Compliance and Group Control |
||
|
Date |
Approval body |
Version |
Changes made |
|
25/04/2019 |
Kutxabank Board of Directors |
V01.2019 |
Creation. |
|
18/07/2019 |
Cajasur Board of Directors |
V01.2019 |
Creation. |
|
30/04/2020 |
Kutxabank Board of Directors |
V01.2020 |
Inclusion of employees EPSV. Inclusion in the current Policy of compliance by Entities in terms of information and transparency obligations. |
|
23/07/2020 |
Cajasur Board of Directors |
V01.2020 |
Inclusion of employees EPSV. Inclusion in the current Policy of compliance by Entities in terms of information and transparency obligations. |
|
25/03/2021 |
Kutxabank Board of Directors |
V01.2021 |
Adaptation to AEPD criteria. |
|
20/04/2021 |
Cajasur Board of Directors |
V01.2021 |
Adaptation to AEPD criteria. |
|
28/10/2021 |
Kutxabank Board of Directors |
V02.2021 |
Incorporation of fraud file processing. |
|
16/12/2021 |
Cajasur Board of Directors |
V02.2021 |
Incorporation of fraud file processing. |
|
26/05/2022 |
Kutxabank Board of Directors |
V01.2022 |
Qualification of information delivery on data protection to new potential customers. |
|
21/07/2022 |
Cajasur Board of Directors |
V01.2022 |
Qualification of information delivery on data protection to new potential customers. |
|
25/05/2023 |
Kutxabank Board of Directors |
V01.2023 |
Incorporation of Kutxabank Store. Inclusion of regulatory references with an impact in terms of data protection. Inclusion of new processing. |
|
20/07/2023 |
Cajasur Board of Directors |
V01.2023 |
Incorporation of Kutxabank Store. Inclusion of regulatory references with an impact in terms of data protection. Inclusion of new processing. |
|
30/11/2023 |
Kutxabank Board of Directors |
V02.2023 |
Commercial communications of related insurance products protected by legitimate interest. Use of transactional |
|
20/12/2023 |
Cajasur Board of Directors |
V02.2023 |
Commercial communications of related insurance products protected by legitimate interest. Use of transactional |
|
29/02/2024 |
Kutxabank Board of Directors |
V01.2024 |
Adaptation of the Policy to new models of consent. |
|
28/02/2024 |
Cajasur Board of Directors |
V01.2024 |
Adaptation of the Policy to new models of consent. |
|
24/07/2024 |
Kutxabank Board of Directors |
V02.2024 |
Incorporation of the Iberpay account ownership verification service. Inclusion of the functionality for the prevention of fraud in cross-border payments in EU. |
|
18/07/2024 |
Cajasur Board of Directors |
V02.2024 |
Incorporation of the Iberpay account ownership verification service. Inclusion of the functionality for the prevention of fraud in cross-border payments in EU. |
|
30/10/2025 |
Kutxabank Board of Directors |
V01.2025 |
Adaptation of wording for the integration of Cajasur. Processing to improve the internal administrative and operational efficiency of private banking and insurance. Incorporation of the payee verification service for immediate transfers. Inclusion of the Confirma File for fraud prevention. Adaptation of the contact media for the forwarding of commercial communications. |
Last update 28/01/2026
