logo

PRIVACY POLICY OF BUILDINGCENTER, S.A.U.

CONTENTS

  1. How we process your personal data
  2. Who processes your data
  3. Data Protection Officer
  4. Exercising rights and submitting complaints to the Spanish Data Protection Agency (AEPD)
  5. Data processed
  6. What types of processing we carry out using your data
    • Processing based on your consent.
    • Processing required for the performance of contractual relationships
    • Processing required to comply with regulatory obligations
    • Processing based on the legitimate interest of BuildingCenter
  7. Recipients of the data
  8. Data retention periods
  9. Data transfers outside the European Economic Area
  10. Automated decisions
  11. Revision

 

 

  1. How we process your personal data

To manage your relationship with us, at BuildingCenter, S.A.U. we will process your personal data for various reasons, always in accordance with the provisions of current legislation, respecting your rights and with complete transparency.

Therefore, in this Privacy Policy, which you can access at any time at https://buildingcenter.es/es/politica-de-privacidad-y-proteccion-de-datos/, you can see complete details on how we will use your data in the relationships we establish with you.

The main legislation governing the processing of your personal data is as follows:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter the GDPR)
  • Organic Law 3/2018 of 5th December on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter the LOPD)

 

  1. Who processes your data

Data controller: The data controller for your personal data for contractual and business relations with us («Contractual Relations») is BuildingCenter, S.A.U. («BuildingCenter»), with tax ID number (NIF) A-63106157 and registered office at calle Avenida Manoteras, 20, Edificio París, Madrid.

Joint data controllers: Furthermore, for certain types of processing that we will explain in detail in this policy, BuildingCenter will jointly process your data with other companies, deciding jointly on the objectives (“why your data is used”) and the methods used (“how your data is used”), thereby acting as joint data controllers.

The purposes for which BuildingCenter will jointly process your data with other companies is described in detail in section 6 “What types of processing we carry out using your data”.

You will also find the list of the companies that process your data, as well as the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.

 

  1. Data Protection Officer

BuildingCenter, CaixaBank and CaixaBank Group companies have appointed a Data Protection Officer, who will deal with any matters related to the processing of your personal data and the exercising of your rights.

You can contact the Data Protection Officer to send your suggestions, queries or claims by going to:  www.caixabank.com/delegadoprotecciondedatos.

 

  1. Exercising rights and submitting complaints to the Spanish Data Protection Agency (AEPD)

 

 

You can exercise your rights of access, rectification, objection to processing, erasure, restriction, the portability of your personal data, to withdraw your consent and not be subject to automated decision-making, in accordance with the law.

You can exercise these rights through the following channels:

Additionally, if you have any complaints related to the processing of your data, you can send them to the Spanish Data Protection Agency (www.aepd.es)

 

  1. Data processed

For the types of processing explained in this policy, the following data will be used.

Not all the data that we detail are used for all types of data processing. You can see the specific type of data processed for each type of processing in section 6, detailing the type of data processing that we perform.

Regarding processing that is subject to your consent, we will also inform you of the details of the specific data used.

The types and details of the data used in the different processing operations described in section 6 are as follows:

> Data you provide when registering for a service or during your relationship with us through interviews or forms.

The data types and details are as follows:

  • Identification and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
  • Details of your professional or work activity and socio-economic data: details related to your job, income or remuneration, household, level of education, assets, tax and fiscal data.
  • Sensitive data related to situations of vulnerability: data related to personal situations of vulnerability that may be required to implement special measures to manage contracts and adopt the measures set out in Royal Decree-Law 6/2012, on urgent measures for the protection of mortgage debtors without resources, in the 24/2015 Act of 29th July on urgent measures to tackle the housing emergency and energy poverty, and other similar regulatory provisions whose objective is the protection of the right to housing of people in situations of vulnerability.

 

> Data from the contracting and maintenance of marketed products and services (own or third-party).

The data types and details are as follows:

  • Contract details: contracted or requested products and services, account holder, authorised distributor or representative status of the product and service contracted.
  • Basic financial data: current and historical balances for products and services and payment history of contracted products and services.
  • Third-party data from statements and receipts of instant accounts and payment accounts: information on entries and transactions that third-party issuers make to your accounts, including transaction type, issuer, amount, and the item as it appears on receipts and statements for debit, credit and prepaid card transactions (note: the processing of this type of data is restricted to the data obtained by CaixaBank Group companies that process data jointly with BuildingCenter for the prevention of money laundering, in accordance with the explanation included in section 6.3 below).
  • Data on communications maintained with you: data obtained in emails, chats, communication walls, video conferences, telephone calls or any other equivalent means of communication.
  • Your browsing data: data obtained from your browsing of our websites or applications and your browsing history on these websites: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address, and whether you have accepted the use of cookies and similar technologies on your browsing devices.

> Data inferred or deduced by analysing and processing other data.

The data types and details are as follows:

  • Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to client data, which helps us combat fraud, detect your consumer habits, preferences or product tendencies, for regulatory compliance, and to manage your products and services.

> Data obtained from public access sources, public records or external sources.

The data types and details are as follows:

  • Data on credit information systems: obtained by consulting the Asnef, Experian and INFORSA credit reporting databases, which provide information on debts, financial solvency and credit (debtor, creditor and debt).
  • Data from the General Treasury of the National Social Security Institute: data obtained from the General Treasury of the National Social Security Institute related to the type of employment (self-employed or salaried) and the corresponding CNAE (National Classification of Economic Activities).
  • Data relating to international sanctions: data on people or entities included in laws, regulations, guidelines, resolutions, programmes or restrictive measures regarding international economic and financial sanctions, imposed by the United Nations, the European Union, Spain, the Office of Financial Sanctions Implementation (OFSI) of Her Majesty’s Treasury (HTM) of the United Kingdom and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
  • Demographic and socio-economic data: statistical data not related to specific people but geographical areas, age sectors or professional activity sectors, which we will use to put them into context with customer information.
  • Details of properties associated with you: these are data obtained from the land registry and the property registry, which we will use to complement the information about your properties.
  • Details of directors, functional officers and corporate relationships: these are data taken from companies registries that we will use to complement the information about your activities.
  • Data from third-party companies to which you have given your consent to share data with us: your data processed by other companies with which we have agreements, and which you have authorised to share your information with us.
  • Information obtained from public access sources and public records: data provided by public access sources and public records to compare the information you provide to enter into, maintain and fulfil contractual relationships, and additional contact data obtained from telephone directories (White Pages, Yellow Pages), to contact our customers in the event of a breach of contractual obligations.

 

  • Your browsing data: data obtained from your browsing of third-party websites or applications and your browsing history on these websites: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address, and whether you have accepted the use of cookies and similar technologies on your browsing devices.

 

6. What types of processing we carry out using your data

The types of processing that we will carry out using your data are varied, and are for various purposes and legal reasons:

  • Processing based on your consent.
  • Processing required for the performance of contractual relationships
  • Processing required to comply with regulatory obligations
  • Processing based on the legitimate interest of BuildingCenter

In addition to the general types of processing listed below, we may carry out specific types of processing not included in this policy, arising from your requests for products or services. The information about these types of processing will be provided to you when fulfilling the specific request.

6.1 PROCESSING BASED ON YOUR CONSENT

The legal basis for this processing is your consent, as laid out in art. 6.1.a) of the General Data Protection Regulation (GDPR).

We may have requested this consent through various channels, for example, when you sign a rental contract, when you sign a contract to make a purchase or through CaixaBank Group companies, among others.

If, for any reason, we have never asked you for your consent, this processing will not apply to you.

You can view the consent you have given or denied and change your decision at any time free of charge at: www.buildingcenter.es/ejerciciodederechos/.

The types of processing based on your consent are listed below from (A) to (D). For each item, we will indicate: a description of the purpose (Purpose), the details of the processed data (Processed data), if applicable, information on the use of profiling (Use of profiling), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

 

A. Disclosure of your data to CaixaBank, S.A.

Purpose: If we have your consent, we will disclose your data to CaixaBank, S.A. so that it can send you marketing communications to offer you the finance for the property that you are interested in.

If, by giving your specific consent under the terms provided at the beginning of this section (A), you authorise us to disclose your data to CaixaBank S.A., said disclosure will be performed immediately. Therefore, by giving your consent for BuildingCenter to perform this disclosure, you are simultaneously authorising CaixaBank S.A. to process the personal data that BuildingCenter provides it with by virtue of this consent, so that CaixaBank can offer you, on paper and/or by electronic means, banking products and services for the financing of the property in which you have shown an interest.

 

In this regard, and in order to comply with the obligations on providing information to the data subject provided in article 14 of the General Data Protection Regulation (GDPR), we hereby inform you of the following points regarding data processing by CaixaBank if you give this consent:

  • Data controller: CaixaBank S.A., with tax ID number (NIF) A-08663619 and registered office at calle Pintor Sorolla, 2-4, Valencia.
  • Data Protection Officer contact details: caixabank.com/delegadoprotecciondedatos
  • Purposes of the processing: The sending of marketing communications about products and services for the financing of the property of interest.
  • Legal basis:
  • Data category: As listed in the following section.
  • Retention period: CaixaBank will only process your data if you have given us your consent to do so, which will remain in force for as long as required to retain it for the aforementioned purpose or until you withdraw it.
  • To see the complete description of how CaixaBank will use your data in the relationships that it establishes with you, you can read the Privacy Policy of CaixaBank, which you can access at any time at: caixabank.com/politicaprivacidad. Also, if you wish, you can request this information on paper at any CaixaBank branch.

The data we will process for this purpose are:

  • Identifying and contact details: full name, postal, telephone and email contact information, language choice, identification document.

Other relevant information: The following section includes other relevant data processing information:

  • Duration of data processing: We will only process your data if you have given us your consent to do so and for as long as required for the aforementioned purpose. If you cancel all your products or services but forget to revoke your consent, we will do so automatically.

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

B. Marketing communications by BuildingCenter about own and third-party products and services

Purpose: If we have your consent, we will send you marketing communications about own and third-party products and services.

Data processed: The data we will process for this purpose are:

  • Identification and contact details: full name, postal, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.

Other relevant information: The following section includes other relevant data processing information:

 

 

 

 

  • Data transfer information: If we reach an agreement with a third-party company to transfer your data to it, the recipient company will inform you of this situation and the details of the processing they intend to carry out.
  • Duration of data processing: We will only process your data if you have given us your consent to do so, and your consent will remain valid until you withdraw it. If you cancel all your products or services but forget to revoke your consent, we will do so automatically.

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

C. Marketing surveys

Purpose: If we have your consent, we may contact you to complete marketing surveys.

Data processed: The data we will process for this purpose are:

  • Identification and contact details: full name, postal, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
  • Duration of data processing: We will only process your data if you have given us your consent to do so, and your consent will remain valid until you withdraw it. If you cancel all your products or services but forget to revoke your consent, we will do so automatically.

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

D. Sending of electronic invoice for the rental contract

Purpose: If we have your consent, we may send you your rental contract in electronic format by electronic means.

Data processed: The data we will process for this purpose are:

  • Identification and contact details: full name, postal, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
  • Duration of data processing: We will only process your data if you have given us your consent to do so, and your consent will remain valid until you withdraw it. If you cancel all your products or services but forget to revoke your consent, we will do so automatically.

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

6.2 PROCESSING REQUIRED FOR THE PERFORMANCE OF CONTRACTUAL RELATIONSHIPS

The legal basis for this processing is that the data are required in order to manage the contracts that you request or in which you are a party, or to apply pre-contractual measures if you request them, as established in art. 6.1 .b) of the General Data Protection Regulation (GDPR).

Therefore, this processing is necessary for you to establish and maintain Contractual Relations with us. If you object to it, we will end these relations, or we will not be able to establish them if they have not yet started.

 

A. Signing, maintenance and performance of Contractual Relations

Purpose: The purpose of this data processing is to formalise and maintain the contractual relationships established between you and us, including the processing of your requests or orders, the steps prior to entering into a contract (pre-contractual relationships), the establishment of measures to ensure the fulfilment of the contracts you have with us and, if appropriate, the sending of communications required for the correct performance of the contractual relationship.

This data processing involves collecting the information necessary to establish the relationship or manage the request, evaluating the suitability of contracts and processing the information required to properly maintain and perform the contracts.

The processing activities involved in signing, maintaining and performing the Contractual Relations are:

  • Collecting and recording the data and documents required for the contract.
  • Analysing the suitability of the contract based on the documentation provided, through the calculation of the solvency ratio (difference between income and expenditure).
  • Formalising the signing of contracts and managing their performance.
  • Establishing or changing owners’ associations or urban management boards and participating in meetings organised by them and managing the related points.
  • Analysing and managing incidents arising from the contractual relationship or an application for a contract.
  • Carrying out the communications required for the performance of the contract, and dealing with requests for information about properties.

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Details of your professional or work activity and socio-economic data
  • Sensitive data related to situations of vulnerability
  • Contract details
  • Basic financial information
  • Data on communications maintained with you
  • Credit information system data
  • Data relating to international sanctions
  • Information obtained from public access sources and public records
  • Demographic and socio-economic data
  • Details of properties associated with you
  • Data from third-party companies to which you have given your consent to share data with us

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

 

 

6.3 PROCESSING REQUIRED TO COMPLY WITH REGULATORY OBLIGATIONS

The legal basis for this processing is that the data are required in order to comply with a legal obligation that is required of us, as laid out in art. 6.1.c) of the General Data Protection Regulation (GDPR).

Therefore, this processing is necessary for you to establish and maintain Contractual Relations with us. If you object to it, we will end these relations, or we will not be able to establish them if they have not yet started.

The types of processing required to comply with regulatory obligations are listed below, listed from (A) to (H). For each item, we will indicate: a description of the purpose (Purpose), the type of the processed data (Processed data type), if applicable, information on the use of profiling (Use of profiling), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

A.Processing to comply with legislation on the prevention of money laundering and terrorist financing

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by the 10/2010 Act on the Prevention of Money Laundering and Terrorist Financing.

The types of processing that are carried out to comply with anti-money laundering and terrorist financing legislation are:

  • Collecting information and documentation that allows us to comply with due diligence and customers knowledge measures
  • Checking the information that you provide us with
  • Checking if you hold or have held a position of public trust
  • Categorising your risk level, based on which the various due diligence measures will be applied in accordance with prevention of money laundering and financing of terrorism legislation
  • Analysing the transactions executed through BuildingCenter, in accordance with legal obligations
  • Checking your relationship with companies and, if necessary, your controlling position within their ownership structure, and
  • Reporting and updating your information monthly in the Financial Ownership File, managed by the Executive Service of the Spanish Commission for the Prevention of Money Laundering and Financial Crimes (SEPBLAC).

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Details of your professional or work activity and socio-economic data
  • Contract details
  • Basic financial information
  • Data on communications maintained with you
  • Third-party data from statements and receipts of current accounts and payment accounts
  • Data obtained from the execution of statistical models
  • Details of directors, functional officers and corporate relationships

 

  • Data from the General Treasury of the National Social Security Institute
  • Information obtained from public access sources and public records

Use of profiling: This processing involves creating a profile that we use exclusively for adopting the necessary measures in accordance with the provisions of the 10/2010 Act on the Prevention of Money Laundering and the Financing of Terrorism.

  • Purpose: The purpose of the profile is to prevent the contracting of operations susceptible to money laundering or the financing of terrorism.
  • Consequences: Profiles are tools that help money laundering and terrorist financing prevention units determine whether operations are likely to be subject to money laundering or terrorist financing and, therefore, whether to accept or decline them.

Joint data controllers: The following CaixaBank Group companies will process your data jointly.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa, S.A. de seguros y reaseguros
  • BPI Vida e Pensões – Companhia de Seguros, S.A.
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Livingcenter Activos Inmobiliarios, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • CaixaBank Wealth Management Luxembourg, S.A.
  • CaixaBank Asset Management Luxembourg, S.A.
  • BPI Gestão de Ativos, SGOIC, S.A.
  • Banco BPI, S.A.
  • Bankia Habitat, S.L.U.
  • Puerto Triana S.A.U.

You will find the essential elements of the joint data controller agreements at: www.caixabank.es/empresasgrupo.

B. Processing to comply with tax legislation

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by the 58/2003 Act of 17th December, the General Tax Law, and other current legislation.

The processing operations carried out to comply with tax legislation are:

  • Collection of information and documentation regarding your tax situation as required by tax laws, and
  • Reporting details relating to your tax situation to government agencies when required by law or by a competent authority.

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

 

 

  • Identifying and contact details
  • Contract details
  • Basic financial information

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

C. Processing to comply with obligations arising from sanctions policies and international financial countermeasures

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by the international financial sanctions and countermeasures programmes adopted by the European Union and Spain.

In accordance with international financial sanctions programmes and countermeasures, we will check if you appear in lists of people or entities included in laws, regulations, guidelines, resolutions, programmes or restrictive measures regarding international economic and financial sanctions imposed by the United Nations, European Union, Spain, the Office of Financial Sanctions Implementation (OFSI) of Her Majesty’s Treasury (HTM) of the United Kingdom and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Data relating to international sanctions

Joint data controllers: The following CaixaBank Group companies will process your data jointly.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa, S.A. de seguros y reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Livingcenter Activos Inmobiliarios, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Banco BPI, S.A.
  • CaixaBank Wealth Management Luxembourg, S.A.
  • Bankia Habitat, S.L.U.
  • Puerto Triana S.A.U.

You will find the essential elements of the joint data controller agreements at: www.caixabank.es/empresasgrupo.

D. Processing for managing complaints and claims relating to personal data protection

Purpose: By virtue of the obligation of the data controller, in this case BuildingCenter, the 3/2018 Act of 5th December on the Protection of Personal Data and the Guarantee of Digital Rights, the purpose of this processing is to handle claims that are submitted to its Data Protection Officer and carry out the activities required to cooperate with the supervising authority (the Spanish Data Protection Agency), and respond to any data protection rights exercised by data subjects.

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Details of your professional or work activity and socio-economic data
  • Contract details
  • Basic financial information
  • Sensitive data related to situations of vulnerability
  • Data obtained from public access sources, public records or external sources
  • Third-party data from statements and receipts of current accounts and payment accounts

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

E. Management of mortgage-related legal proceedings

 

Purpose: The purpose of this processing is the obtaining, by BuildingCenter, of the ownership of a property through mortgage-related legal proceedings, by virtue of the obligation established by the 8/2012 Act of 30th October on the write-down and sale of real estate assets in the financial sector, in that it states that assets awarded or received in the payment of debts must be delivered by the credit institutions to a limited company under the established terms.

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Basic financial information
  • Details of your professional or work activity and socio-economic data
  • Sensitive data related to situations of vulnerability

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

F. Carrying out appraisals

 

Purpose: The purpose of this processing is to carry out the appraisal of properties that are, or will soon be owned by BuildingCenter, in accordance with the provisions of article 13 of the 5/2019 Act of 15th March and of Circular 4/2017 of the Bank of Spain, which establishes the frequency for the valuation of assets and guarantees.

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Contract details
  • Basic financial information

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

 

G. Processing to comply with legislation regarding empty homes, housing protection and rentals for vulnerable groups and improved access to housing.

 

Purpose: The purpose of this processing is compliance with legislation regarding empty homes, housing protection for vulnerable groups and legislation on improved access to housing. As the legal competence in these matters has both a national and regional dimension, which leads to a proliferation of regulations on the subject by both autonomous communities and the central government, and given that these matters are also subject to continual amendments (whether through the approval of new legislation that amends previous legislation or through the publication of legislation that is purely temporary in nature), in order to adapt the regulatory framework to the social situation at any given time, in this section we will only present a list including (but not limited to) the applicable regulations in these matters:

  • on empty homes: the 18/2007 Act of 28th December on the right to housing, and other applicable national or regional legislation
  • on the protection of housing and rentals for vulnerable groups: the 6/2012 Royal Decree-Act of 9th March on urgent measures for the protection of mortgage debtors without financial resources, and the 1/2013 Act of 14th May on measures to improve protection for mortgage debtors, the restructuring of debt and rented social housing, and other related legislation, and legislation through which urgent complementary measures are adopted in the social and economic sphere to deal with Covid-19 in the housing and rental sector, and
  • on improved access to housing: the 24/2015 Act of 29th July on urgent measures to deal with the emergency in the housing market and energy poverty, the 4/2016 Act of 23rd December on measures protecting the right to housing of people at risk of residential exclusion, and the 17/2019 Decree-Act of 23rd December on urgent measures to improve access to housing, and other applicable national and regional legislation.

The processing operations carried out to comply with this legislation are:

  • Collecting information and documentation regarding the situation of the data subject.
  • Reporting details relating to your situation to government agencies when required by law or by a competent authority.
  • Offering, if appropriate, a rental (whether social housing or the continuation of the existing rental) or another housing solution (if possible), when the legally established conditions are fulfilled.

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Contract details
  • Details of your professional or work activity and socio-economic data
  • Sensitive data related to situations of vulnerability

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

H. Disclosure of data to organisations for the purposes of regulatory reporting and legislation compliance

 

 

 

 

 

Purpose: The purpose of this processing is to carry out all disclosures of data to public bodies (or to the parent company – CaixaBank -, so that it in turn can comply with its relevant obligations regarding reporting at Group level) that must be carried out as required or ordered by law.

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Contract details
  • Basic financial information
  • Details of your professional or work activity and socio-economic data
  • Contract details

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

6.4 PROCESSING BASED ON THE LEGITIMATE INTEREST OF BUILDINGCENTER

The legal basis for this processing is the satisfaction of legitimate interests pursued by BuildingCenter or by a third party, provided that these interests do not take precedence over your interests or your fundamental rights and freedoms, in accordance with art. 6.1.f) of the General Data Protection Regulation (GDPR).

This processing will imply that we have considered your rights and our legitimate interest and we have concluded that the latter prevails. Otherwise, we would not process the data. You can ask about the analysis that is done to consider the legitimate interest of a processing operation at any time by emailing your enquiry to delegado.proteccion.datos@caixabank.com

We also remind you that you have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in section 4.

The types of processing are listed below, listed from (A) to (E). For each item, we will indicate: the legitimate interest of BuildingCenter (Legitimate Interest of BuildingCenter) a description of the purpose (Purpose), the type of the processed data (Processed data type), if applicable, information on the use of profiling (Use of profiling), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

 

A. Management of legal proceedings

Legitimate interest of BuildingCenter: The legitimate interest of BuildingCenter to carry out this processing is to exercise its right to effective legal protection in the exercise of its rights and legitimate interests, thereby preventing it from being defenceless, by virtue of the provisions of article 24 of the Spanish Constitution.

Purpose: The purpose of this processing is to manage legal proceedings in which BuildingCenter is a party and, if required, to defend its legitimate interests.

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Contract details

 

 

 

  • Details of your professional or work activity and socio-economic data
  • Sensitive data related to situations of vulnerability
  • Basic financial information

Other relevant information: The following section includes other relevant data processing information:

  • Right of opposition to processing: You have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in section 4.

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

B. The creation of statistical reports for the monitoring and management of BuildingCenter’s business

 

Legitimate interest of BuildingCenter: The legitimate interest of BuildingCenter to carry out this processing is to monitor the progress of the company’s business, analyse the performance and progress of its portfolio of customers, products and services and design new products and services.

Purpose: The purpose of this processing is to create statistical reports and mathematical models that will enable the monitoring of the company’s business.

The types of processing carried out in the creation of statistical reports for the monitoring and management of BuildingCenter’s business are:

  • The grouping together of customer data and their contractual relationships in order to prepare statistics
  • The processing of statistical data for the preparation of management reports and the creation of mathematical models

Type of data processed: The data we will process for this purpose are data that have been identified previously for each processing type. We will apply, whenever possible, anonymisation or pseudonymisation techniques to ensure that this processing does not have an impact on the rights of the data subjects, and that the result of the processing is reports containing statistical or aggregated data, or mathematical or algorithmic formulas.

Other relevant information: The following section includes other relevant data processing information:

  • Right of opposition to processing: You have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in section 4.
  • Ancillary data processing: The purpose of processing data for the creation of statistical reports and mathematical models is not to process individual customer data.

This data processing is necessary, but secondary, to the main purpose of preparing management reports or algorithmic or mathematical formulas, and is therefore carried out using, whenever possible, anonymisation techniques or, failing that, pseudonymisation techniques, and minimising the data processed.

This processing has no effects or consequences on the individual data subject.

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

C. Fraud prevention

 

Legitimate interest of BuildingCenter: The legitimate interest of BuildingCenter for carrying out this processing is to prevent fraud that could lead to financial or reputational damage to the company or its customers.

Purpose: The purpose of this processing is to adopt the necessary measures to prevent malicious transactions or conduct before they occur or to mitigate their impact if they do occur by identifying suspicious transactions or conduct that could involve an attempt to defraud the institution or its customers.

The types of processing carried out in the fight against fraud are:

  • Verifying the identity of customers that interact with the bank to prevent fraudulent access to information or transactions.
  • Reviewing and analysing the contracts and transactions carried out in our systems to protect our customers from fraud through any channel and prevent cyber attacks.
  • Checking your identity and the validity of the identity documents provided against national and international databases managed by police forces and similar organisations such as INTERPOL (The International Criminal Police Organization), to confirm that you are the owner of the identity document that you have provided to us and to protect you against identity theft (when another person impersonates you).

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Details of your professional or work activity and socio-economic data
  • Contract details
  • Basic financial information
  • Data on communications maintained with you
  • Your browsing data
  • Data obtained from the execution of statistical models

Other relevant information: The following section includes other relevant data processing information:

  • Right of opposition to processing: You have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in section 4.

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

  1. Performance management of employees, agents and suppliers

Legitimate interest of BuildingCenter: The legitimate interest of BuildingCenter to carry out this processing is to manage relationships with employees and suppliers based on their professional performance.

Purpose: The purpose of this processing is to monitor the professional performance, targets and challenges of employees, agents and suppliers, through an analysis of the transactions and contracts that they maintain with customers.

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Contract details
  • Basic financial information

Other relevant information: The following section includes other relevant data processing information:

  • Right of opposition to processing: You have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in section 4.
  • Ancillary use of your data: These data processing activities deal with customer information, but their information is ancillary to the purpose pursued. This processing has no effect or consequence on the data subject.

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

D. Management of the occupation of properties owned by BuildingCenter

Legitimate interest of BuildingCenter: The legitimate interest of BuildingCenter to carry out this processing is to manage any occupations that occur in properties that are owned by BuildingCenter and to consequently rectify the situation.

Purpose: The purpose of this processing is to solve situations of occupation of properties.

Type of data processed: The types of data we will process for this purpose, the content of which is listed in section 5, are:

  • Identifying and contact details
  • Details of your professional or work activity and socio-economic data
  • Sensitive data related to situations of vulnerability

Other relevant information: The following section includes other relevant data processing information:

  • Right of opposition to processing: You have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in section 4.

Data controller: The data controller of this processing is BuildingCenter. This processing is not carried out jointly.

 

E. Recipients of the data

Data controller and joint data controllers

The data we process in your capacity as a BuildingCenter customer is processed by BuildingCenter. If data is processed by joint data controllers, it will be processed by CaixaBank Group companies in accordance with the provisions of the above sections on processing.

Authorities and official bodies

As a subsidiary of a credit institution such as Caixabank, we could be legally required to provide information on the transactions we carry out to authorities or official bodies in other countries located both within and outside the European Union. This obligation is within the context of the fight against financing terrorism, serious forms of organised crime and money laundering, as well as the prudential supervision of credit institutions by the Bank of Spain and the European Central Bank.

 

Also as a large holder of properties, we could be required to provide information on the rental or ownership situation of our properties to the competent public authorities regarding empty housing and the protection and improvement of access to housing.

Disclosure of data to outsourced service providers

We sometimes use service providers with potential access to personal data.

We ensure these providers grant adequate and sufficient safeguards related to the processing of your data, because we carefully screen service providers by including specific requirements if their services involve the processing of personal data.

The type of services we can assign to service providers is:

  • Property management services
  • Marketing services
  • Administrative support services
  • Auditing and consulting services
  • Legal services and asset and non-payment recovery services
  • Marketing and advertising services
  • Survey and/or call centre services
  • Logistics and/or physical security services
  • IT services (system and information security, cyber security, information systems, architecture, hosting, data processing)
  • Telecommunications services (voice and data)
  • Printing, enveloping, postal and courier services
  • Data retention and destruction services (digital and physical)
  • Office, facilities and equipment maintenance services

 

  1. Data retention periods

Retention to maintain Contractual Relations

We will process your data as long as the Contractual Relations we have established remain in force.

Retention of authorisations for processing based on consent

We will carry out the processing of data based on your consent until you revoke said consent.

If you cancel all your product and service contracts with us but do not revoke the consent you have given us, we will automatically void said consent from when you cease to be a customer.

Retention to comply with legal obligations and to make, enforce and defend claims

Once authorisations for use have been revoked through the withdrawal of your consent, or the contractual or business relations established with us have ended, we will only keep your data to comply with legal obligations and to allow to make, enforce or defend claims during the limitation period for actions arising from these contractual relations.

We will process these data by applying the technical and organisational measures required to guarantee that they are only used for these purposes.

Data destruction

We will destroy your data when the retention periods imposed by the regulations governing BuildingCenter’s activity have passed and the limitation periods for administrative or judicial actions arising from the relations established between you and us have elapsed.

  1. Data transfers outside the European Economic Area

At BuildingCenter we process your data within the European Economic Area and, in general, we have service providers located within the European Economic Area or in countries deemed to have an adequate level of data protection.

If we need to use service providers that carry out processing outside the European Economic Area or in countries not deemed to have an adequate level of data protection, we will ensure that your data are processed securely and in accordance with the law.

To do this, we require these service providers to apply suitable safeguards in accordance with the GDPR, so that they have, for example, binding corporate standards that guarantee data protection in a similar way to European standards or we require that they subscribe to European Union standards.

  1. Automated decisions

Section 6 of this Policy contains information on the type of processing that incorporates automated decision-making.

Additionally, if during the Contractual Relationships you maintain with us we use mechanisms that could take decisions based solely and exclusively on automated processing (i.e. without the participation of a person) that could have legal effects for you or that could significantly affect you (not allow you to contract a certain product, for example), we will inform you of this, as well as of the reasoning behind the decision, in the contractual documentation of the product or service you have requested.

At that time, we will also adopt measures to safeguard your rights and interests by giving you the right to request human intervention, to express your views and to challenge the decision.

  1. Revision

We will revise this Privacy Policy whenever it is necessary to keep you duly informed, when publishing new standards or criteria or when we engage in new processing activities, for example.

We will notify you through the usual communication channels whenever there are substantial or important changes to this Privacy Policy.

 

[POLICY REVIEW IN PROGRESS. An update to this Policy will be posted soon.]