To manage your relationship with us, at OpenWealth we will process your personal data for different purposes, always in accordance with the provisions set out in current regulations, respecting your rights and in complete transparency.
To this end, in this Privacy Policy, which you may access at any time via (www.openwealthcabk.com/en/privacy-policy/) you may view the full details on how we will use your data during the relationship we establish with you.
The main regulations that govern the processing we will perform on your personal data are:
> Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, regarding the protection of individuals as regards personal data processing and the free flow of such data, repealing Directive 95/46/EC (hereinafter, the GDPR)
> Organic Law 3/2018 of 5 December on Personal Data Protection and Digital Rights Guarantee (hereinafter LOPD (Personal Data Protection Act)).
Data controller: The party responsible for processing your personal data in your contractual and business relationships with us (“Contractual Relationships”) is OpenWealth, S.A.U. (“OpenWealth”), with Tax ID no. (NIF) A-28512655 and address at plaza de Colón, 1, Madrid.
OpenWealth and CaixaBank Group companies have appointed a Data Protection Officer, who will attend to any questions you may have regarding your personal data processing and exercising your rights.
You may contact the Data Protection Officer to make suggestions, enquiries, doubts or, complaints at the following address: www.caixabank.com/delegadoprotecciondedatos.
You may exercise your rights to access, rectification, object, erasure, restriction, data portability, withdraw your consent and to not be subject to automated decisions, in accordance with the law.
You may ask to exercise your rights over the following channels:
> By writing to the e-mail address: contacto@openwealthcabk.com; and
> Sending a letter addressed to OpenWealth, Plaza de Colón, 1, 28046.
Additionally, if you have any complaint arising from the processing of your data, you may address it to the Spanish Data Protection Agency (www agpd.es).
We will use the data specified below for the processing set out in our Privacy Policy.
Not all the data that we specify are used for all data processing activities. In section 6, where we specify our data processing activities, you may specifically consult the processed data categories for each particular activity.
The classifications and details of the data used in the processing set out section 6 are as follows:
> Data that you have provided when signing your contracts or during your relationship with us by means of interview or forms.
These are the types of data and their details:
> Personal and contact details: full name, gender, postal address, telephone number and email address, place of residence, nationality and date of birth, language for communications, identity document.
> Information about your professional or work activity, and socioeconomic data: professional or work activity, income or remuneration, family unit, education level, assets, and fiscal and tax data.
> Data on legal capacity and on particular communication needs: data on a person’s ability to act, established though court ruling and data provided by disabled interested parties to enable accessible communication and operational management.
> Contracting data: contracted or requested products and services, status of the holder, authorised parties or representative for the contracted product and service, categorisation according to the regulation on stock markets and financial instruments (MiFID category), information on investments made and their evolution, and information and movements of finance transactions.
> Basic financial data: current and historic balances of products and services and payment history regarding contracted services and products.
> Data observed in the contracting and maintenance of products and services that are marketed to you (our own).
These are the types of data and their details:
> Contracting data: contracted or requested services, accountholder status, authorised or representative, for the contracted service.
> Details of any communication with you: data obtained from chats, walls, video conferences, telephone calls or any other equivalent means of communication.
> Personal browsing data: the data obtained from your browsing through our websites or mobile applications, and the browsing you carry out thereon: browsing history (websites visited and clicks on content), device ID, advertising ID, IP address, should you have accepted the use of cookies and similar technologies on your browsing devices.
We carry our different processing tasks on your data for different purposes, and they have different legal bases:
> Processing necessary to perform Contractual Relationships
> Processing necessary to comply regulatory obligations
In addition to the general processing that we specify below, we may carry out specific processing not mentioned in this policy arising from requests made by you regarding services. We will provide you with the detailed information on such processing when we handle the specific request.
The legal basis for this data processing is the fact that it is necessary to manage the contracts that you request and to which you are a party, in accordance with Article 6.1.b) of the General Data Protection Regulation (GDPR).
Therefore, these are necessary procedures for you to establish and maintain Contractual Relations with us. If you were to oppose this, we would end these relationships, or would be unable to establish them where they have not yet taken effect.
The required processing to perform contractual relationships is set out below. We would like to highlight: the description of the purpose (Purpose), the type of data processed (Processed Data Type), where appropriate, information on the use of profiles (Use of Profiles) and any other necessary information related to the processing (Other Relevant Information).
Arrangement, maintenance and performance of Contractual Relationships
Purpose: The purpose of this data processing is to arrange and maintain Contractual Relationships that we may establish together, including the processing of requests or mandates, and the establishment of measures to ensure compliance with the contracts you have with us.
This data processing entails collecting the information needed to establish the relationship or manage the request, know your financial profile and process the required information for proper maintenance and performance of contracts.
The processing operations carried out in the arrangement, maintenance and performance of Contractual Relationships are:
> Collection and registration of the data and documents needed to contract requested services
> Formalise the signing of service contracts
> Manage operations related to services that you have taken out with us, including dealing with your queries, the management of arising incidents and sending operational notifications.
Types of processed data: The types of data that we process for this purpose, whose content is detailed in section 5, are:
> Personal and contact details
> Information about your professional or work activity, and socioeconomic data
> Data on legal capacity and on particular communication needs
> Contracting data
> Basic financial data
> Details of any communication with you
Party responsible for the data processing: The data controller is OpenWealth. This processing is not carried out as joint controllers.
The contractual documentation for each service will provide detailed information on this.
The legal basis for this data processing is the fact that it is necessary to comply with a legal obligation placed on us, in accordance with Article 6.1.c) in the General Data Protection Regulation (GDPR).
Therefore, these are necessary procedures so that you can establish and maintain contractual relationships with us. If you were to oppose this, we would end these relationships, or would be unable to establish them if these have not yet taken effect.
The data processing operations to comply with regulatory obligations are indicated below from (A) to (B). We will point out for each of them: the description of the purpose (Purpose), the type of data processed (Processed Data Type), where appropriate, information on the use of profiles (Use of Profiles) and any other necessary information related to the processing (Other Relevant Information).
(A) Processing to comply with tax regulations
Purpose: The purpose of this processing is to adopt the measures imposed on our business by Law 58/2003 of 17 December on General Taxation, Royal Decree 1021/2015 of 13 November that establishes the obligation to identify the tax residence of individuals and other current tax regulations.
The processing operations carried out to comply with tax regulations are:
> Collecting tax-related information and documentation established by tax regulations
> Notifying the public administration of your tax-related information, when this is established by the regulations or required by the authorities.
Types of processed data: The types of data that we process for this purpose, whose content is detailed in section 5, are:
> Identification and contact details
> Socioeconomic data and information about your professional or work activity
> Contracting data
Data controller: The data controller is OpenWealth. This processing is not carried out as a joint controller.
(B) Processing to handle complaints and claims.
Purpose: Queries, complaints and claims that are made to OpenWealth
Act 3/2018 of 5 December on Personal Data Protection and Digital Rights Guarantee obliges the data controller, in this instance OpenWealth, to deal with claims made to its Data Protection Officer, as well as handle rights with regard to data protection that interested parties may exercise.
Processing operations that are carried out to comply with complaints and claims regulations comprise:
> Receipt of user complaints or claims by the OpenWealth Customer Service Department
> Responding to the submitted complaint or claim within the set deadline.
> Protecting data protection rights and queries made to the OpenWealth Data Protection Offices, as well as any necessary activities to collaborate with the Supervisory Authority (Spanish Data Protection Agency).
Types of processed data: The types of data that we will process for this purpose are:
> Personal and contact details: full name, gender, postal address, telephone number and email address, place of residence, nationality and date of birth, language for communications, identify document.
> Contracting data: contracted or requested services.
> Basic financial data: payment history regarding contracted services.
Data controller: The data controller is OpenWealth. This processing is not carried out as a joint controller.
Controller and joint controller of the data processing
The data we process about you as an OpenWealth customer is processed by OpenWealth.
Data communication in outsourcing services
We sometimes turn to service providers with potential access to personal data.
These providers offer suitable and sufficient guarantees in relation to data processing, since we carry out a responsible selection of service providers that includes specific requirements in the event that the services involve the processing of personal data.
The classification of services that we can outsource to service providers is:
> Administrative support services
> Audit and consultancy services
> Legal services
> Marketing and advertising services
> Logistic services
> IT services (system and information security, cybersecurity, IT systems, architecture, hosting, data processing)
> Telecommunication services (voice and data)
> Printing, packaging, mailing and courier services
> Information storage and destruction services (digital and physical)
> Maintenance services for buildings, facilities and equipment
Retention to maintain Contractual Relationships
We will process your data while the Contractual Relationships that we have established remain in force.
Retention to comply with legal obligations and arrangement, performance and defence of claims
Once the authorisation for use of your data has been revoked through the withdrawal of your consent, or upon completion of the contractual or business relationship that you have established with us, we will keep your data solely to comply with the legal obligations and to allow for the arrangement, exercise and defence of claims during the statute of limitation period relating to the actions arising from contractual relationships.
We will process this data by applying the technical and organisational measures necessary to ensure that they may only be used for such purposes.
Data destruction
We will destroy your data once the retention periods established by the regulations governing the activities of OpenWealth have elapsed, as well as bearing in mind the statute of limitation periods of the administrative and judicial actions arising from the relationships established between you and us.
At OpenWealth, we process your data within the European Economic Area and, in general, we hire service providers that are also located within the European Economic Area or in countries that have been declared to have an adequate level of protection.
If we need to use service providers that perform processing outside of the European Economic Area or in countries that have not been declared to have an adequate level of protection, we would ensure processing security and legitimacy of your data is guaranteed.
For this, we demand suitable guarantees from those service providers in accordance with what is established in the GDPR so as to ensure they have, for example, implemented binding corporate standards that guarantee data protection in a manner similar to what is established by European regulations, or that they subscribed to the standard clauses applicable within the European Union.
We will undertake a review of this Privacy Policy whenever it becomes necessary to ensure you are duly informed, for example, on the occasion of the publication of new regulations or criteria, or the performance of new processing.
We will notify you over the usual communication channels whenever substantial or major changes are made to this Privacy Policy.