• caja rural de navarra

    Clients Data Protection Policy

    Política de Protección de Datos

ADDITIONAL DATA PROTECTION INFORMATION
(applicable from 25 may 2018)

  1. Manager. Who will process your data?
    1. Caja Rural de Navarra, Sociedad Cooperativa de Crédito, with tax code CIF F31021611 and based in Pamplona, at Plaza de los Fueros 1, CP 31003. Contact us via the customer services email info@crnavarra.com, or by calling 948 168 100 or drop into our network of offices.
    2. The Data Protection Delegate (henceforth DPD) is the person who oversees the safeguard of your privacy in our entity. If you need to contact them, please write to protecciondedatos@crnavarra.com or send a letter to the address above, including the “Data Protection Delegate” reference.
  2. Joint controllers:

    Article 26 of the GDPR determines that when two or more managers decide together on the processing objectives and methods, they will be considered joint controllers of the processing. In this respect, our Entity acts as a joint controller of the processing along with the following entities:

    1. Entities that have joined the joint fraud service (Payguard): processing to prevent fraud as described in section 6.4.6 of this document is carried out as joint controllers with the entities that have joined the joint service. These entities can be consulted via the following link https://www.iberpay.com/es/servicios/sectoriales/payguard/
    2. Experian Bureau de Crédito, S.A.U and the entities participating in the system. When the processing relates to consulting and including data in compliance and noncompliance files concerning monetary obligations, our Entity acts as a joint controller in the processing. More information in the following link https://www.experian.es/legal/salir-fichero/informacion.
  3. Compatible processing.

    As we will explain below, other forms of data processing might be necessary for the contracted or requested service, and other voluntary or addition types, that are considered to be compatible with the former, as they are only intended to improve our products and services, and to send out the most suitable advertising. Depending on the case, these additional voluntary purposes require either that we have received your consent, or that you have not objected, as there is a “legitimate interest” in the processing. The definition of legitimate interest is given below.

  4. Legitimisation. What is “legitimate interest”?
    1. The rules indicate that there is legitimate interest to process your data when processing is necessary to meet the needs of the manager or a third party, whenever this does not affect your privacy. This implies analysing both questions case by case. For example, the actual rules recognise legitimate interests associated with marketing or sharing data between a group of companies for internal administrative purposes.
    2. In the same way, the data protection authorities have completed some cases of legitimate interest, subject to certain requirements, as happens when covering fraud prevention, informing you about pre-granted loans or similar operations with certain requirements and running a prior solvency analysis to offer them, adjust the commercial offers to your specific profile, devise behaviour patterns or models based on anonymous or "pseudonymised"1 data, update essential data from your contracts or precontracts with public sources or manifestly public data, including social media, etc.
    3. Our Entity has weighed up your rights against our legitimate interest, and we concluded that the latter prevails over your rights in processing that we carry out based on legitimate interest and for which there is no specific rule and/or resolution from the data protection authorities that recognises our Entity’s legitimate interest. At any point, you can consult the analysis of the legitimate interest weighting for data processing based on the Entity’s legitimate interest by consulting our DPD at the address stated in section 1 of this document.
    4. If you object, processing based on legitimate interest can stop at any time as stated in section 6.4 of this document.
  5. Legitimisation. Why is data processed?
    1. Data is processed to be able to produce contracts or precontracts where you are involved or your applications. This data processing is legally based on the fact that it is necessary to manage the contracts that you request or of which you are part, or to apply, if you so request, precontractual measures, as stated in art. 6.1.b) of the GDPR. Therefore, this is necessary processing for you to be able to set up and maintain contractual relations with us. If you objected, we would finalise these relations, or we would not be able to set them up if they had not yet begun.
      This legitimate base includes all contracts for products and services sold by our Entity that might include but not be limited to: current account, card, loan, guarantees, mortgages, etc.
    2. The data is processed to meet the rules. This data processing is legally based on the fact that it is necessary to meet a legal obligation that is required of us, as stated in art. 6.1.c) of the GDPR.
      The main rules that should be applied for this data processing will be identified along with each type of processing mentioned in this document.
      If you objected, we would finalise these relations, or we would not be able to set them up if they had not yet begun.
    3. The data is processed based on the Entity’s legitimate interest. As indicated in the previous section, this processing is legally based on satisfying the legitimate interests pursued by our Entity or by a third party, as long as your interests or your rights and fundamental freedoms do not prevail over those interests, as stated in article 6.1.f) of the GDPR. Based on the type of processing, we might differentiate any that might be objected to from any to which it is not possible to object due to legitimization recognised by the applicable legislation and the competent authority.
    4. The data are processed based on compliance of a mission carried out in public interest, in the terms established in article 6.1.e) of the (EU) Regulation 2016/679.
    5. The data is processed based on your consent, that can always be revoked without any prejudice. When the legal basis for the purpose of the processing is not covered by any of the previous bases, your consent will be requested. You can always revoke this consent at any time.
  6.  Purposes. What will your data be used for?
    1. Processing required to execute a contract or precontractual measure:
      1. We process data relating to your personal characteristics to answer your requests for information on products and services.
        If the product you wish to contract implies paying a pecuniary amount, requires financing, postponed payments or periodic invoicing, we will process data relating to your personal characteristics and your economic, financial and insurance situation to analyse your economic capacity, and to consult Experian BADEXCUG patrimonial solvency and credit files, to evaluate the risk of non-payment for the operations and decide whether to grant them. As an example, this processing will be done to grant credit cards, personal loans or mortgages, overdraft authorisations, loans pre-granted on an account, renting services, leasing, discounted instruments, confirming or other similar products which require prior analysis of this capacity. This processing can be used to devise profiles and automated decision-making (see section 7.6 of this document for more information). In addition, the request for financing operations might involve processing health data and/or data relating to vulnerable collectives, considered to be data that is particularly protected according to article 9 of the GDPR.
      2. In the case of requesting an investment proposal, your financial situation will be evaluated, alongside your investment goals, and your experience and knowledge of financial markets, to be able to act in your best interest and recommend the right products and services for your investment profile according to the results obtained from the suitability assessment. To carry out this processing, categories of data will be processed with regard to your personal characteristics, employment, economic, financial and insurance details. This processing can be used to devise profiles.
      3. We process data relating to your personal features, social circumstances, employment, economic, financial and insurance details and transactions of goods and services, for execution, development and maintenance of the contract, and appropriately offer you the services provided by the Entity (sales, transfers, payment and collection of invoices, cheques, use of credit or debit cards. etc.).
      4. Compile and conserve recordings of phone calls made to the Entity’s hotline service, to accredit, even before third parties that might be judicial bodies, identification by technical means and acceptance of contract conditions, precontracts, operations or services that are carried out via the available phone lines. To perform this data processing, data will be processed relating to your personal characteristics, economic, financial and insurance data, transactions involving goods and services, and any data that you provide in telephone calls.
      5. Update your data relating to your personal features (identification data, and other included as necessary in each contract) and enrich it with public data (public records, land registry or data that you have manifestly made public) to meet identification obligations and other obligations indicated throughout this additional information clause.
      6. If you are acting on behalf of a legal person, or a third party, your data relating to characteristics will also be processed to maintain the contractual relationship with the legal person that you are representing.
      7. If you are not a customer and use our economic and financial services to perform banking operations, such as truncating cheques/promissory notes, truncating bills of exchange/receipts, issuing receipts over the counter, etc. data relating to your personal characteristics (name, surname, ID number, date and place of birth, nationality and residence) will only be processed to adopt due diligence measures as prevention methods in compliance with Law 10/2010 of 28 April, on Prevention of Money Laundering and Financing Terrorism.
      8. In addition, the personal data relating to your name, surname, ID card and IBAN will be processed by the data controller in order to verify that you are the holder of your account at the request of any third party with whom you have initiated a contractual relationship which justifies direct debit.  The purpose of this processing of a customer’s identification and account data so that it can be verified by the assignee bank (the beneficiary's payment service provider) is correct fulfilment of the contract signed by the parties in such a way that, in those cases in which the Applicant is to receive payment or collection, prior, even automatic, verification that the bank account holder data coincides with the data provided by the data holder for such purposes can be performed, the contract can be properly fulfilled and any damages resulting from an error in the direct debit account for payment can be avoided for the holder.
    2. Processing required to meet legal obligations:
      1. During the execution of contracts that imply a risk of non-payment for the manager, legislation obliges solvency analysis to provide accounting provisions (reserve money in case there is non-payment). Once again, this implies creating profiles and making automated decisions, and making your data anonymous, or adding it, to create standard references to meet the legislation in force. To carry out this processing, data might be processed relating to your economic, financial and insurance situation.
      2. In the event of contracting products that are associated with a higher risk level and to comply with the MIFID standard, the suitability test will be used to evaluate your investment goals, your financial situation and your knowledge and experience in the financial markets, to assign you a determined profile and risk. This implies creating profiles and automated decision-making. To carry out this processing, data might be processed with regard to your personal characteristics, employment details and economic, financial and insurance data.
      3. To deal with, manage and process claims, complaints and enquiries that are received through customer services and/or other channels enabled by the Entity for this. To perform this data processing, data will be processed relating to your personal characteristics, economic, financial and insurance data, transactions involving goods and services, and any data that you provide in your written correspondence and/or complaints.
      4. If you are a remote bank customer using our APP (ruralvia), digital data will be collected to apply reinforced authentication measures required by the Directive 2015/2366 on paid services in the domestic market (PSD2).
      5. Making profiles and automated decisions so that the contracts being proposed suit the customer’s needs and convenience, particularly due to the obligation stated in Royal Decree Law 3/2020 of 4 February. To carry out this processing, data might be processed with regard to your personal characteristics, employment details, and economic, financial and insurance data.
      6. Informing the Banco de España Risks Information Centre (CIRBE) about your identification data (and for the rest of the participants) and any relating to the credit risks that they maintain directly or indirectly with the Entity. The data sent to the CIRBE might process data relating to your personal characteristics, economic, financial and insurance data and transactions involving goods and services.
      7. Data relating to your personal characteristics, social circumstances, employment details and economic, financial and insurance data and transactions involving goods and services will be processed to prevent fraud, to prevent money laundering and for the Foreign Account Tax Compliance Act (FACTA) and Common Reporting Standard (CRS), carrying out the processing that includes precise automated profiles or decisions for the obligations imposed by Law 10/2010, of 28 April, on prevention of money laundering and financing terrorism.
      8. Your data relating to personal categories (name, surnames and ID no.) and for anyone who visits our facilities, could be processed to record access to the Entity’s facilities, to guarantee their security, integrity and safeguard.
      9. By virtue of article 21 of Law 34/2002 on Information Society Services, if you are our customer and the contractual relationship is active, your data relating to personal characteristics and economic, financial and insurance data will be processed to send sales information out electronically. However, you will be able to object to receiving these commercial communications at any time. This processing can be used to devise profiles.
      10. By virtue of Law 11/2018 of 28 December, concerning non-financial and diversity information, data regarding your personal characteristics might be processed for the purposes of surveys to collect non-financial information or related to the Entity’s corporate social responsibility. However, you will be able to object to receiving these surveys at any time.
      11. Your economic, financial and insurance data might be processed for the purposes of complying with the obligations imposed by taxation rules or by judicial and administrative mandates, by national and international organisations or institutions, which implies reporting your balances, positions and other elements from your products and/or services that affect your taxation with these organisations. And meet the judicial and administrative orders concerning embargo of balances or products or compliance with requests for information that are legally sent to us.
    3. Processing based on the Entity’s legitimate interest:
      1. Guaranteeing the security of our networks and information, for which data categories might be processed relating to personal characteristics, economic, financial and insurance data, transactions involving goods and services and digital data. The GDPR recognises the legitimate interest for this processing in point 49.
      2. In the same way, to provide your personal data to the business group and affiliate entities, but only for internal administrative purposes, including processing of customer data, data might be sent relating to personal characteristics, economic, financial and insurance data, transactions involving goods. The GDPR recognises the legitimate interest for this processing in point 48.
      3. Creating behaviour models through our pseudonymised and anonymous data, to generate new products and services, improve them or the attention that we give them.
      4. Processing data relating to personal characteristics and when appropriate, data relating to the function or position of the individuals who provide services to a legal entity. This data will be exclusively processed when the data is necessary for professional localisation and to maintain commercial relations or others of any type with the legal person where the affected person provides their services. The same processing is envisaged for freelance professionals and individual business owners when referring to them uniquely in this condition, and the processing is not to initiate a relationship with them as physical persons.
    4. Processing based on the Entity’s legitimate interest regarding which you can express, at any time, your right to object to the address given in this additional information clause:

      All the financial entities added to this common file are responsible for this file, henceforth the “joint processing managers”. You can request additional information on the essential aspects of the joint responsibility agreement between the Entities by writing to the DPD email address. Furthermore, you can consult the updated list of the entities that joined the common file through this link https://www.iberpay.es/es/servicios/servicios/prevenci%C3%B3n-del-fraude/#tab-4..

      The legitimising base for the processing is legitimate interest, both from holders of the accounts that might be affected by the fraud committed by third parties, and this Entity to detect and prevent fraud in the banking operations to and from your account.

      To do this, we will be able to:

      The data that might be included in this file by this Entity will be related to the IBAN number, account holder and when appropriate, it might also include the IP connection data, geopositioning, identification of the device where the suspicious or unauthorised operation was detected.

      The file can only be accessed, and the information used, by the jointly responsible member entities, exclusively for the purposed described relating to detecting, preventing and controlling fraud.

      Furthermore, we might inform you that IBERPAY, as administrator of the common file, is considered to be the Data Processing Supervisor, so that it can only use this data for merely managing this common file. For this purpose, a contract has been signed between IBERPAY and the joint-managers, with the necessary guarantees and security measures.

      1. Sending you commercial communications on products and services sold by our entity, within your reasonable expectation of privacy (such as products similar to any you have already contracted), by any means including by phone, postal, and email, text message, equivalent media, or notification during browsing. The products that our entity sells are credit products, any related to investment and insurance, as we have our own banking-insurance operator and with collective policies available to you. This implies making profiles and data might be processed relating to personal characteristics, social characteristics, employment details, commercial information, economic, financial and insurance data, transactions of goods and digital data.
        This legitimacy is covered by the Entity’s legitimate interest in accordance with what was laid down by the Spanish Data Protection Agency in Legal Reports 164/2018 and 173/2018.
      2.  Drawing up specific profiles to adjust our relationship with you that will be based on data that is no more than one year old, relating to transactions you performed (movements and concepts of your current account, operations and contracts, card payments and browsing data on our website, in particular). This legitimacy is covered in the Legal Report by the Spanish Data protection Agency 195/2017. Data might be processed relating to personal characteristics, social characteristics, employment details, commercial information, economic, financial and insurance data, transactions of goods, and digital data.
      3. Analysing your solvency with internal data to send out communications on pre-granted credits or financing. This implies creating profiles and automated decision-making. This legitimacy is covered in the Legal Report by the Spanish Data protection Agency 195/2017. Data might be processed relating to personal characteristics, social characteristics, employment details, commercial information, economic, financial and insurance data, transactions of goods, and digital data.
      4. The data relating to your personal characteristics, the digital data and data for use in the different channels, products and services could be used to receive perks, take part in prize draws and benefits that the Entity offers its customers. The weighting of legitimate interest has been analysed, stating the prevalence of the entity’s legitimate interest.
      5. Carrying out satisfaction surveys concerning the contracted products and services. Consequently, data will be processed relating to your personal characteristics. The weighting of legitimate interest has been analysed, stating the prevalence of the entity’s legitimate interest.
      6.  Data relating to your personal characteristics might be processed in order to send you invitations to events and webinars that our Entity might organise relating to products and services that we sell. The weighting of legitimate interest has been analysed, stating the prevalence of the entity’s legitimate interest.
      7. Processing carried out to prevent fraud: to detect, investigate, control and possibly report suspicious and unauthorised operations, taking place in your current or savings account, the Entity is a member of a common file to prevent fraud in banking operations, managed by Sociedad Española de Sistemas de Pago, S.A. (IBERPAY).

        •  Report unauthorised or suspicious fraud operations to the common file for fraud prevent.

        • You should be aware that your personal information might be included by the Entity in a common file for prevention of fraud in banking operations, managed by the Spanish Payment Systems Society (Iberpay) to detect, investigate, control and possibly report unauthorised or suspicious operations committed in your current or savings account.

        • Consult unauthorised or suspicious fraud operations to the common file for fraud prevention.

        • Your personal data might be consulted by the Entity in the common file for fraud prevention in banking operations, managed by the Sociedad Española de Sistemas de Pago (Iberpay) to detect, investigate, control and possibly report unauthorised or suspicious operations that took place in your current or savings account.

      8. Processing based on the existence of public interest:
        1. Compile and keep video-surveillance pictures for the purposes of private security for the times determined by Law 5/2014 of 4 April, on Private Security and Organic Law 3/2018, of 5 December, on Protection of Personal Data and guarantee of digital rights.
        2. Your data relating to personal characteristics will be processed to consult the advertising exclusion systems to exclude processing your data when there is an objection or refusal to receive direct marketing communications. This processing might imply processing data relating to your personal characteristics, and creating profiles and automated decisions.
        3. Your data relating to personal characteristics, social circumstances, employment details and economic, financial and insurance data, transactions involving goods and services, and any others that you provide, must be processed for the purposes of managing our Entity’s complaints channel in compliance with article 31.bis of Organic Law 10/1995 of 23 November of the Criminal Code.
      9. The following is also voluntary processing based on your consent, that can always be revoked without this affecting you at all:
        1. Sending you commercial communications on our own and third-party products and services, and products that are not similar to any you have already contracted, by any means including by phone, postal, and email, text message, equivalent media, or notification during browsing. Particularly from the financial, insurance, motor, home, health, investment, real estate, electronic, telecommunications, leisure, hospitality and travel sectors. This can involve making profiles. Data might be processed relating to personal characteristics, social characteristics, employment details, commercial information, economic, financial and insurance data, transactions of goods, and digital data.
        2. Consulting your information in the TGSS (General Social Security Treasury) to identify and check your economic activity to meet the Money Laundering Prevention legislation and other rules, as well as tax verification codes, with the same purpose. Data might be processed relating to personal characteristics and employment data.
        3. Releasing your data to companies from the Caja Rural group so that they can send you special offers on their products. The list of companies belonging to the Caja Rural group is given in Annexe I of this additional information clause. The categories of data that will be sent to these companies are personal characteristics.
        4. Using “cookies” to improve your browsing. You can find out more by referring to the “cookie policy” that will appear for consent before you start browsing. This can involve making profiles. Digital data can be used for this.
        5. Your geopositioning, when you consent to this to provide a service as required, in the way that will be conveniently explained with the device that you are using, or with the corresponding “App”. This might imply making profiles and involves processing geographic data.
        6. Enriching your data through the information obtained via the financial aggregator, to be able to adapt and segment our offers to you. This involves making profiles. Data might be processed relating to personal characteristics, social characteristics, employment details, commercial information, economic, financial and insurance data and transactions of goods.
        7. Enriching your data with other manifestly public data (records, networks, etc.) to adapt and segment our offers to you. Data might be processed relating to personal characteristics, social characteristics, employment details, commercial information, economic, financial and insurance data and transactions of goods.
        8. Enhancing your data with other data from private entities that supply commercial, financial, sector-based and marketing information such as Informa D&B and Experian.
        9. In the event of signing operations or contracts on a digital tablet, the biometric data inherent to the signature will be processed (position, speed, execution, time, time difference, pressure and direction and slope), to take custody of the electronic document where the subscribed operation is authorised, check the handwritten or digitalised signatures that appear on the documents subscribed with the Entity, and identify the signees when managing and developing contractual relations.
      10. “Profiling” and automated decisions. Why are they used and what for?

        Profiling consists of using your personal data to evaluate certain aspects of a physical person, particularly for us to analyse or predict aspects relating to your economic situation that involve processing economic, financial and insurance data (such as to be able to meet the solvency legislation that obliges us to make provisions, and also to grant, or refuse, operations with a risk of non-payment), personal preferences and interests that involve processing personal characteristics, social circumstances, employment details, commercial information, economic, financial and insurance data, transactions of goods, geographic data and digital data (to be able to adapt the sales offers to your specific profile, such as informing you about pension plans according to your age or, investments according to your investor profile), reliability, behaviour (as in cases where the legislation obliges us to evaluate your training and experience to check that you understand the risks of certain investments), location or movements (such as when you have activated geopositioning services on a device to benefit from a service or locate us, etc.)

        Occasionally, these profiles mean that completely automated decisions are taken, in other words, without human intervention, as this means that decisions are uniform, the same for everyone, that take into account objective data and tendencies depending on age, place of residence, economic capacity, inclusion or not in solvency or insolvency files, training, profession, economic activity, etc. This happens when an automatic reply is given through the website to some loan requests, as one example. In this way, decisions are fairer as they are the same for everyone. In any case, in these situations, you always have the right to ask to speak to a person, to express your point of view and contest the decision, as we wish to always provide you with the most efficient service possible. If this happens, please go to our DPO or to customer services.

        To sum up, this processing allows us to particularly meet the obligations to provide statistical forecasts (generic) in the light of possible non-payments, given that this makes it possible to meet the obligation to predict possible losses that affect activity sectors, demographics or other sectors analysed statistically, such as those which affect a profession or economic activity in the event of a general economic crisis. Evaluate the operations with a non-payment risk, taking data from the person to be able to analyse their economic capacity to be able to return what was entrusted. In addition, the legislation obliges us to analyse your experience, training and capacity to be able to perform certain investment or contractual operations, by means of a suitability and appropriateness test.

        Finally, just by evaluating your specific profile, it can send you advertising that might really interest you depending on your particular circumstances.

  7. Time limits. How long do we keep your data?
    1. Unless you have given us your consent, we only keep your data while you are a customer of our entity. From this moment on, the minimum necessary data will be kept but it will be blocked (meaning that is available to the corresponding authorities and for the entity’s defence) relating to operations and transactions carried out to be able to deal with any claims while our obligations are still valid. In general, the applicable time limits for these responsibilities are 10 years derived from the Money Laundering Prevention standard and 20 years for mortgage legislation. Once the statute of limitations has passed, the data will be cancelled and deleted.
    2. If you are not a customer and you have made any type of contract request, we will keep your data while this offer is valid, or if no time limit was fixed, for 90 days to facilitate your contract and avoid requesting the same information from you several times.
    3.  When looking at a contracting request that involves asking the CIR for data due to operations that might have been denied, the support documents will be kept for these requests for six years, as generally stated in article 30 of the Commerce Code.
    4. Pictures taken for video-surveillance will be held for one month, unless the law authorises longer time limits, such as when they might have been kept to confirm acts committed against the integrity of persons, goods or facilities. The same will happen with access data for private buildings, for the purposes of identification and security.
    5. The data that is sent to the common file for fraud in banking operations, managed by the Sociedad Española de Sistemas de Pago S.A. (Iberpay), will be kept for a maximum of thirty (30) days in the case of suspicious operations and one (1) year in the case of fraudulent operations (confirmed fraud), leading to official removal when the processed data is no longer exact and does not truthfully meet the real and current situation of the affected person.
    6.  The data collected as a consequence of providing the banking aggregation service will be kept for ten (10) years according to Royal Decree-Law 19/2018 dated 23 November, on paid services and other urgent financial matters.
  8.  What data and processing are compulsory and what are the consequences of not delivering them?

    Notice that, in the data collection forms, the fields marked with an asterisk (*) are compulsory to be able to maintain and execute the contract, pre-contract or the request for it, and to meet the laws and other rules. Consequently, this data will be necessary for these purposes and without it, the operating procedure cannot continue.
    All other data and purposes are optional, require consent or are based on legitimate interest, so that it is always possible to object to them in compliance with what has been indicated, without withdrawal of consent or that this objection conditions the execution of the contract, or the request for it, or generating any damage.

  9. Recipients. Who will be able to see my data?
    1. The data will be processed by the manager, and by the agents and suppliers with whom the Entity contracts a service provision. This will always use contracts and guarantees subject to models approved by the authorities regarding data protection.
      The categories of suppliers for our Entity are juridical and legal, computer and telecommunications, personnel-HR, accounting management and administration, advertising and marketing and security service providers.
      Some of the subcontracted services might involve international data transfers. However, in the case of international data transfers, this will be done under the requirements set in the data protection legislation, such as:
      • Transfers to countries with a comparable protection level to the European Union by means of adequacy decisions from the European Commission.
      • Adequate guarantees, such as binding corporate rules; standard clauses for protection of data adopted by the European Commission; or standard clauses for protection of data adopted by a control authority, among others.
    2. If you contract an insurance policy that we sell, the data is sent to the corresponding insurance company, normally the entity from our group RGA MEDIACIÓN, OPERADOR DE BANCA SEGUROS VINCULADO, S.A. and the insurance companies RGA RURAL VIDA S.A. SE SEGUROS Y REASEGUROS, RGA SEGUROS GENERALES RURAL S.A. DE SEGUROS Y REASEGUROS, RGA RURAL PENSIONES S.A. EGFP.
    3. In addition, your data will be surrendered to the authorities to meet the rules, such as the State Tax Administration Agency, the Banco de España, particularly CIRBE, to the SEPBLAC (Executive Money Laundering Prevention Service), to the “Financial Holders File” depending on the Secretary of State for the Economy and Business Support, where identification data will be sent concerning the holders, real holders, representatives or authorised persons or any other persons with dispositive powers over current and savings accounts, securities accounts, time deposits, and the opening, cancellation or modification of these products.
    4. In the case of non-payment, the debt and data relating to your personal characteristics will be included in one of the following credit information files: BADEXCUG, managed by Experian Bureau de Crédito S.A.
    5. In the case of legitimate interest, for fraud control or internal administration, your data may be passed on to Caja Rural group companies and the Asociación Española de Cajas Rurales (AECR). Or, when you have given your consent, your data might be passed on to GESCOOPERATIVO, S.A., SGIIC, for renting to RURAL RENTING, S.A., for pensions at RURAL PENSIONES E.G.F.P., S.A. and for insurance to RGA MEDIACIÓN, O.B.S.V., S.A. and the insurance companies RGA, SEGUROS GENERALES RURAL, S.A. and RGA RURAL VIDA, S.A. A list of the group companies and the Cajas (Banks) associated with the AECR and the group companies can be consulted in Annex I.
    6. The data relating to the IBAN, account holder, IP connection data, geopositioning and identification of the device could be sent to the common file for fraud prevention in banking operations managed by Sociedad Española de Sistemas de Pago, S.A. (Iberpay), in the terms indicated in section 5.4.6 of this information clause.
    7. Remember that if you use a financial aggregator, or in the case of portability, with your consent, the data will be surrendered to your designated entity.
    8. Finally, the credit entities and other paid service providers, and the payment systems and related technological service providers, to whom the data is transmitted to carry out the transaction, can be obliged by the legislation in the State where they operate, or by agreements signed by it, to provide information on the transaction to the authorities or official organisations from other countries, located in and outside the European Union, within the framework of the fight against financing terrorism and severe forms of organised crime and the prevention of money laundering.
    9. Your data relating to personal characteristics, economic, financial and insurance data, and for transactions involving goods and services could be sent to global technology networks that guarantee the use of credit and debit cards, such as Visa and Mastercard. These communications imply making international data transfers so that the correct guarantees can be adopted to meet standards:
      • Mastercard. International transfers are legitimised by Binding Corporate Rules.
      • VISA. International transfers are legitimised by means of adopting standard clauses approved by the European Commission.
  10. Rights. What are your rights regarding your data?

    In the case of decisions based entirely on automated decisions that have legal effects on you, or that significantly affect you in a similar way to these legal effects, you have the right to obtain human intervention on this decision, and express your point of view, and you can challenge this decision if you wish.

    You can also contact our Data Protection Delegate using the email address protecciondedatos@crnavarra.com.

    To exercise any of the rights stated above, you can send your application in writing to Caja Rural de Navarra – Departamento de Protección de Datos at Plaza de los Fueros, nº1, CP 31003, Pamplona or to the email address protecciondedatos@crnavarra.com attaching a copy of your ID document.

    1. Right of access: You have the right to know what type of data we are processing and the characteristics of the processing that we are carrying out, in accordance with article 15 of the General Data Protection Regulation (GDPR henceforth).
    2. Right of rectification: Right to request modification of your data because it is inaccurate, untrue or out of date.
    3. Right to objection: Request that your personal information is not processed for certain purposes. So, when the processing is based on your consent, you have the right to withdraw this consent at any time. In the same way, you will be able to object to your data being processed, particularly processing used in devising profiles or automated decisions. All this in accordance with article 21 of the GDPR.
    4. Right to cancellation or removal: Request the removal of your personal data when processing is no longer necessary.
    5. Right to processing limitation: You will be able to request that processing of your data is limited, in which case it will only be kept for making or defending complaints, attending to judicial requirements or legal demands.
    6. Portability. Right to request the portability of the data that you have provided to us, to receive it in a structured form, for common use and mechanical reading, and for it to be sent to another manager, in accordance with article 20 of the GDPR.
    7. Revoking consent. You can revoke the consent that you have given at any point, without any type of detriment or prejudice.
    8. Presenting a complaint. You have the right to present any complaint before the competent control authority, considering that, in Spain, this is the Spanish Data Protection Agency, without affecting the competences that, when appropriate, might be held by other regional or supranational entities, in accordance with the Data protection Regulation and the national legislation.
  11. Origin of the data. Where is my data obtained?
    1. From you, either directly or through third parties to whom you have given your authorisation, as would be the supposition of contracting via voluntary or legal representatives (as happens for minors or the disabled).
    2. From our relationship with you, although processing data that comes from this source will never relate to special data categories. This source includes: (I) transactions performed, meaning the data coming from movements and concepts from your current account, operations and contracts held and payments with cards; (ii) the data derived from chatbots, phone calls or by video-conference, or, in the event that you have given your consent to the cookie policy, the browsing data for our website or App (device identification, advertising identity, IP address and browsing history); geolocation data for an App, as long as your device has been authorised and configured for this. It also includes data derived from browsing third party pages, when you have permitted and accepted that we collect these third party cookies. In this respect, you should be aware that data will not be processed that is obtained from using and maintaining the contracted products revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person's sex life or sexual orientation.
    3.   From legal files such as: (i) joint credit information systems, (ii) joint fraud control services, (iii) CIRBE file (Bank of Spain Risk Information Database).
    4.   From public access sources: Legally accessible such as the Property Cadastre, the Property Registry, the Mercantile Register and the General Social security Treasury, Professional Guides and the phone lists, as long as their standards are followed. Social media are also public access sources if their data are manifestly public, although it is not currently planned to capture information from this source, except to make or defend a complaint.
    5.    From another manager that you have authorised: the origin of your data can come from exercising your right to bring your data from other manager to our entity.
    6.   From official organisations and Law Courts: Rules on prevention of money laundering, international treaties, judicial orders and other provisions can provide information to meet public duties or comply with rules. In the same way, with your consent, your employment history and your income tax declaration will be verified with the General Social Security Treasury and with the Tax Office, respectively.
    7. From an aggregator: if you use a financial aggregator and give them your consent, your data will come from this channel.
    8. From segmenting and profiling that can be done to meet the rules or adapt to our search criteria or product selection, as sometimes by using previous data, groupings (segmenting) are made by type of customer, location, age, contracted products, same answers for the convenience test. It is also possible to make classifications to include profiles with higher or lower non-payment risk propensity, risk limits or higher or lower interest in receiving offers of certain products or services.
  12. Categories of data to be processed:

    Our Entity can process various categories of personal data, whether you have provided them yourself or they have been obtained when developing your relationship with us, as stated in the section above.
    1. Specifically protected data: biometric data such as data relating to handwritten electronic signatures or the Advanced Electronic Signatures (AdES), and the signature image and health data (percentage of disability) and data relating to particularly vulnerable collectives.
    2. Personal characteristics: Name and surname, signature, phone number, postal or electronic addresses, image/voice, ID number, civil status, family data, date of birth, place of birth, age, gender and nationality.
    3.  Social circumstances: Characteristics of accommodation, dwelling, properties, possessions, etc.
    4. Employment details: Basic professional data (CNO and CNAE), profession, job title, non economic data, payroll, employment history, level of studies, etc.
    5. Sales information: activities and businesses, subscriptions to publications/media, etc.
    6. Economic, financial and insurance: revenue, income, investments, patrimony, credit, loans, endorsements, banking data, pension plans, economic payroll data, tax deduction data, etc.
    7. Transactions involving goods and services: Goods and services provided by the affected party, goods and services received by the affected party, financial transactions, as notes in the accounts, in the credit or debit cards, history of payments and details of investments, compensation/indemnities.
    8. Your picture in the case of security video surveillance or to arrange a contract via video identification and your voice in the event of using a telephone channel to sign a contract.
    9. Data inferred by the Entity: Data on risk analysis, scoring, grouping and segmenting of customers with commercial purposes (please see “Profiling” and automated decisions. Why are they used and what for? for detailed information).
    10. Digital data: The data obtained from the communications that we set up between you and ourselves in chats, walls, video-calls, phone calls or equivalent media, and the data obtained from your browsing through out websites or mobile apps and the browsing you do in them (device ID, advertising ID, IP address and browsing history, users and passwords) if you have accepted the use of cookies and similar technology in the browsing devices.
    11. Geographic data: The geolocation data for your mobile device provided by the installation and/or the use of our mobile apps, when you have authorised this in the application configuration.
  13.  What are my obligations when sending my data?
    1. The interested party, or whoever is acting on their behalf, should notify the manager of any variations that take place in the data provided. This is particularly important in cases where, for example, there is a change of address (to avoid your letters being sent to the wrong address), cases where you have contracted transaction notifications to your phone, and for example a change of number (to prevent your information being made available to others when your former number is reassigned, etc.).
    2. In addition, if you supply data from third parties, such as authorised parties or other third parties, you should have their consent and send them this information clause which will be understood to be accepted by them.

ANNEX I

CAJA RURAL GROUP COMPANIES
  • BANCO COOPERATIVO ESPAÑOL, S.A.
  • RGA RURALVIDA S.A.
  • SEGUROS GENERALES RURAL, S.A.
  • RURALPENSIONESE.G.F.P.,S.A.
  • RGA MEDIACIÓN,O.B.S.V.,S.A.
  • GESCOOPERATIVO,S.A.
  • RURALRENTING,S.A.
CAJAS RURALES (BANKS) ASSOCIATED WITH THE ASOCIACIÓN ESPAÑOLA DE CAJA RURALES:
  • Caja Rural de Navarra, S.C.C
  • Caja Rural de Albacete, Ciudad Real y Cuenca, S.C.C.
  • Caja Rural del Sur.S.C.C.
  • Caja Rural de Granada.S.C.C.
  • Caja Rural de Asturias.S.C.C.
  • Caja Rural de Jaén.S.C.C.
  • Cajasiete Caja Rural.S.C.C.
  • Caja Rural de Burgos, Fuentepelayo, Segovia y Casteldans.S.C.C.
  • Caja Rural de Zamora.S.C.C.
  • Caja Rural de Soria.S.C.C.
  • Caja Rural Central de Orihuela.S.C.C.
  • Caja Rural de Extremadura.S.C.C.
  • Caixa Popular, Caixa Rural. S.C.C.
  • Caja Rural de Teruel.S.C.C.
  • Caja Rural de Salamanca.S.C.C.
  • Caixa Rural Galega, S.C.C.L.G.
  • Caja Rural de Gijón.S.C.C.
  • Caja Rural Regional San Agustín de Fuente Álamo.S.C.C.
  • Caja Rural Ntra. Sra. de La Esperanza de Onda. S.C.C.V
  • Caixa Rural D'Algemesí. S.C.C.V
  • Caixa Rural de L'Alcudia. S.C.C.V
  • Caja Rural San José de Alcora. S.C.C.V
  • Caja Rural San José de Almassora. S.C.C.V.
  • Ruralnostra, S.C.C.V.
  • Caja Rural de Albal. S.C.C.V
  • Caja Rural de Villamalea. S.C.C.A.
  • Caja Rural de Casas Ibáñez.S.C.C.
  • Caja Rural San Isidro de les Coves de Vinromá. S.C.C.V.
  • Caja Rural de Aragón., S.C.C.
  • Caja Rural Vinarós.
OTHER CAJA RURAL ENTITIES
  • Caja Rural de Almendralejo
  • Caja Rural La Vall, San Isidro
  • Caixa Rural Benicarló
  • Caja Rural de Utrera
  • Caja Rural de Baena
  • Caja Rural Cañete de LasTorres
  • Caja Rural Ntra. Sra. delRosario de Nueva Carteya
  • Caja Rural Ntra. Madre del Sol de Adamúz

1 “Pseudonymization”: processing personal data so that it can no longer be attributed to an interested party without using additional information, as long as this additional information appears separately, and it is subject to technical and organisational measures intended to guarantee that the personal data is not attributed to an identified or identifiable physical person.