Privacy Policy

1. Our commitment

This document translates our commitment to (i) communicate in a transparent manner which personal data we process and under what conditions; (ii) protect the safety of personal data and their owners’ privacy; (iii) provide the right mechanisms for the data subjects to exercise their rights; (iv) abide by the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 - General Data Protection Regulation (GDPR) – and additional applicable legislation, including Portuguese legislation that complements the GDPR (law 58/2019 of August the 8th); and (v) comply with the secrecy duties resulting from the Legal Framework for Credit Institutions and Financial Companies approved by Decree-Law no. 298/92, of 31 December 1992.

If you are our Client, potential Client, or in any other way in a relation with the Bank, providing us with your personal data, or if you use our websites or mobile apps (Client), we recommend reading this document, the data protection and privacy page on our website and the Terms and Conditions of our products and services.

2. Who we are

ActivoBank is responsible for the treatment of personal data of Clients and Collaborators and who, in that ambit, decides what data is collected, the means of treatment and purposes for which the data is treated. The respective contact is the following:

ActivoBank
Av. Prof. Dr Cavaco Silva (Tagus Park) Edif. 1, nº 32
2740-256 Porto Salvo
Phone: 707 50 24 24
E-mail adress: secretariado.sociedade@millenniumbcp.pt

ActivoBank has a Data protection officer who (i) monitors data processing compliance with the applicable regulations, (ii) is one of its contacts for clarifying questions related to data processing, (iii) cooperates with Comissão Nacional de Proteção de Dados (CNPD), the Portuguese Data Protection Authority, in its capacity as a supervisory authority, and (iv) provides information and advises ActivoBank or the processors on their obligations within the scope of privacy and data protection.
Contact information of the Data Protection Officer:

ActivoBank
Data Protection Officer
Av. Prof. Dr Cavaco Silva (Tagus Park) Edif. 4, nº 26
2740-256 Porto Salvo
E-mail adress: protecao.dados.pessoais@activobank.pt

3. Which data we collect and process

Basically, personal data means any information that (regardless of its nature or media) directly or when combined with other data, could identify a natural person.

The following table presents the main categories of personal data that we process regarding our Clients:

Personal data categories Examples
Identification and contact information Name, identification document number, tax identification number, photograph, signature, address, phone number or e-mail address.
Biographical data Date of birth, gender, nationality, place of birth, marital status, family, schooling or information regarding professional activities.
Financial Data Financial assets, liabilities in the financial industry, or monthly salary.
Products and Services Account number, account balance, debit/credit card number, and other information concerning products and services acquired or subscribed to by the Client and respective conditions (e.g. duration and interest rate of consumer loan).
Transactions Date, time, description and amount of banking transactions (e.g. Deposits, withdrawals, transfers and payments).
Segments and profiles Commercial segment, profile or credit risk level, investor profile or willingness to acquire products.
Opinions and preferences Comments on the Bank's profiles or areas in social networks or answers to satisfaction surveys.
Contents Information in written communications between the Client and the Bank, recorded call (e.g. stock market orders given by phone) or surveillance footage.
Access accounts User account, user authentication credentials or multichannel code.
Use of websites and applications Pages seen or information on devices used (e.g. IP address, geographic location, browser used).

ActivoBank collects these personal data through the following means for collection (or production) of data:

Means of collection Examples
Data supplied by the subjects Data or contents supplied directly by the subjects (i) when they subscribe to or purchase products and services, (ii) interactions with the branch network or call center, (iii) in letters or e-mails sent, (iv) participation in the Bank's promotional actions, or (v) answers to satisfaction surveys.
Data collected when subjects use products and services Data related to banking operations and transactions ordered by the subjects to the Bank (e.g. Deposits, withdrawals, transfers, payments).
Profiling Data produced by the Bank through analytical models using subjects’ data and data regarding the subjects’ use of the Bank’s products and services.
Persistent Cookies Data regarding the use of Bank websites and applications (e.g. pages opened, user preferences), collected from cookies sent by the Bank or third parties. You can find more information on the type of cookies used by the Bank and on the data collected in the cookie policy available on the Bank’s website www.activobank.pt/en.
Data collected by third-parties Data the Bank procures with third-parties with which it works, including (i) Banco de Portugal, (ii) public authorities, (iii) insurance companies, (iv) agents working on behalf of the Bank or (v) Bank’s partners in connection with loyalty programmes.

Obligation to provide personal data

Within the scope of business and contractual relationships, it is mandatory to provide and collect personal data from Clients, potential Clients and other subjects (e.g. guarantors, representatives, beneficial owners) as necessary to meet the obligations and diligences necessary prior to and to enter into a contract, as well as those resulting from the regulations in force. As a general rule, without such data, ActivoBank will be forced to refuse entering into an agreement or executing an order, or even terminate the agreement. For instance, pursuant to the legal provisions deriving from the regime for preventing money laundering, it is necessary to identify the Client before and during a business relation, usually trough an identification document, collecting the information therein, otherwise the instruction or request must be refused.

4. How we process personal data

Data processing means any operation or set of operations which is performed on personal data manually or by automated means, including collection, storage, use, copy and transmission.
At ActivoBank, data is processed lawfully, fairly and in a transparent manner and for specific purposes. The following sections describe and illustrate the main purposes of data processing at ActivoBank, grouped according with their lawfull basis for processing:

Performance of a contract

ActivoBank processes data necessary for entering into, performing and managing contracts to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Processing purpose Examples
Account opening and management Collection and storage of data pertaining to the subject and representatives, opening current accounts, altering account holders and respective data or issuing bank statements.
Subscription and management of financial products and services Subscription, production and delivery of means of payment (e.g. debit, pre-paid and credit cards), simulation, formalization and management of savings and investment products, or provision of information on products and services acquired or subscribed by the Client.
Credit granting and management Simulation, registration, decision and formalization of credit operations and respective collaterals, or collection and settlement of instalments.
Management of bank operations Processing deposits in cash or cheques, direct debits, withdrawals, top-ups, payments, domestic and international transfers, collection of bank fees, or execution of the Client’s orders (e.g. purchase and sale of securities).
Collections Activities for recovering loans in default.
Subscription and management of services related to electronic channels Subscription of electronic channels (e.g. online banking, mobile banking, call center), management of access credentials, channels customization, or activation and deactivation of related services.
Contact and claims management Receiving, analyzing and answering information requests and claims from Clients.
Insurance mediation Collection and analysis of data for the subscription of insurance products, wherein the Bank acts as mediator with the insurance company.

Compliance with a legal or regulatory obligation

ActivoBank processes data as necessary to comply with the various legal requirements - Portuguese and European - that bind it, including (i) the Legal Framework for Credit Institutions and Financial Companies, (ii) legislation regarding the prevention and fight against money laundering and terrorism financing, (iii) legislation regarding financial intermediation activities, securities trading and taxation, (iv) provisos regarding the supervision of banking activities, (v) legislation on personal data protection and (vi) the EU Capital Requirements Regulation and all other regulatory obligations that bind it, issued namely by Banco de Portugal, European Central Bank, European Banking Authority, Comissão do Mercado de Valores Mobiliários, European Securities and Markets Authority, Competition Authority.

Processing purpose Examples
Risk management Credit risk analysis, or verification of Client’s identity and age, knowledge and experience, risk profile and investment goals.
Fraud prevention Detection, analysis, and answer to potential fraud attempts, particularly in what regards remote operations (e.g. transactions with debit or credit cards, online banking).
Prevention of crimes related to money laundering and terrorism financing Verification of lists of persons and entities subject to financial or trade sanctions, or identification and reporting of suspicious transactions.
Provision of information and answering requests from the Public Authorities Provision of mandatory information (prudential and other) and different requests from industry regulators (e.g. Banco de Portugal, European Central Bank, CMVM), public authorities (e.g. Courts, Police, Tax Authority), external auditors, or under the Foreign Account Tax Compliance Act, 2010 (FATCA) or the Common Reporting Standard (CRS).
Accounting and Financial Reporting Accounting records and production and disclosure of the Bank’s financial statements.
Management of document archive Collection, categorization and storage of physical documentation with personal data in the document archive, consisting of mandatory evidence within the context of the Bank's activity.
Video-surveillance Video-surveillance of the Bank’s physical premises, aiming at the protection of assets and individuals and the prevention of crime, providing the collection of evidence. As defined by Law 34/2013 of May, 16th, amended by Law 46/2019 of July the 8th., the cameras deployed ensure the identification of individuals and the protection of physical servicing areas, safekeeping of values and vaults, cash dispensers and automatic teller machines areas.
Contact and claim management Reception, analysis and feedback to Client’s information requests and claims.

Legitimate interests

ActivoBank makes the necessary data processing in order to safeguard its legitimate interests or those from third parties.

Processing purpose Examples
Management of credit risk Consultation and exchange of data with credit information systems to determine solvency risks and of default in loans granted to clients.
Provision of Information to Clients Remittance of information of a diverse nature (e.g. Information safety, financial markets trends) or in the context of purchase or subscription of products or services by the Clients.
Direct Marketing Providing information or developing and deploying campaigns through phone, SMS or email to promote the use or the purchase or subscription of financial products and services for Clients, eventually as a result of profiling the client or events generated by real time assessment of transactions made by the Client with the Bank.
Clients segmentation Characterization and segmentation of Clients to better address and adequate the Bank’s commercial offer of products and services to the specific characteristics of the Clients.
Profiling The Bank processes the Client’s personal data to define their profile regarding the use of our products and evaluate his/her appetite towards them. The objectives of these types of data processing are the creation of products and services that better match the interests and preferences of our clients and the customization of offers disclosed to them. For those purposes, the Bank processes the personal data that you supply us (e.g. Your age, your address) and personal data generated by the use of our products and services (e.g. data regarding financial entries and transactions made with means of payment).
Evaluation of the satisfaction and quality of service Development and deployment of surveys, in order to assess the client’s satisfaction, about products or services provided by the Bank and the quality of the service provided, or remittance of proposals for altering the terms and conditions of products and services purchased or subscribed by the Clients (e.g. Proposal to increase the plafond of the credit card).
Products and Services Development Collection and analysis of data for the development or adjustment of new products and services of the Bank in order to best serve Client specific needs.
Management of litigation Exercise of contractual or legal rights or of defense in case of litigations in and out of court emerging, namely, from situations of default or non-compliance with duties of any nature whatsoever of the data subject before ActivoBank
Credit assignment Collection and analysis of data and provision of information to third parties in the context of credit securitization operations.
Credit collection Processing with the purpose of non-performing loans’ collection.
Internal Audit Collection and analysis of information within an internal audit on the Bank’s processes and operations.
Management and security of the Information systems and premises Processes for the management and monitoring of the information systems and technological infrastructures, record of accesses and use of systems, detection processes, analysis and reply to potential information security incidents, control over identities and accesses to the Bank’s information systems or control on the physical access to the Bank’s premises.

Consent of the data subject

ActivoBank may make other types of data processing after getting the prior consent of the data subject; in order to be valid, such consent must be a clear affirmative act, establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of his/hers personal data, for specific purposes.

Processing purpose Examples
Evidence of information or instructions transmitted by phone Recording of call/video calls as a mean to evidence information or instructions transmitted within the context of a pre-contractual relation (e.g. Evidence of the subject’s identity) or instructions transmitted within the context of a contractual relation (e.g. Stock exchange orders).
Monitoring of the service quality Recording of calls to directly monitor the quality of the service provided to the Client.
Market studies Collection and analysis of personal data within the context of market studies or research.
Customize the experience on the Bank’s websites and Apps. Use of persistent cookies to record the activity and preferences of clients on the Bank’s websites.

ActivoBank only processes personal data, if the data processing activity is supported by one of the previously described lawfull basis and has been previously informed to the data subject. Further data processing shall only be made if (i) compatible with the purposes authorized and communicated to the subjects or (ii) are object of a specific and explicit consent from the data subject.

5. How long can data be stored and processed

ActivoBank stores and processes personal data for the time necessary and while the legitimate purposes, according to which the data are processed, are in effect, for compliance with contractual, legal and regulatory duties or for the protection of the legitimate interests of the Bank and of third Parties.

Reason for storage Storage Period
Contract execution Period while the contract is in effect. ActivoBank may keep the personal data for periods exceeding the duration of the contractual relation, in order to ensure rights or duties related with the contract, or based on legitimate interests, namely the Bank’s defence in legal proceedings, or based on the consent provided by the client.
Legal, tax or regulatory duty Legal limitation deadlines associated to legal, tax or regulatory duties or deadlines foreseen in special legislation (for example, 7 years after the end of the contractual relation foreseen within the scope of the law for the prevention of money laundering and terrorism financing), the longer one.
Storage of recorded calls to be used as contractual evidence Duration of the contract, plus the 6 months limitation and expiration deadline.
Storage of recordings of calls to assess service quality 30 days.
Storage of video-surveillance footage 30 days.

6. Which are your rights as a personal data subject

ActivoBank ensures the exercise of the rights of the data subject in relation to the respective processing.

Right of the data subject Description
Access Without prejudice to the protection of the rights of third parties, Clients have the right to have access to personal data concerning them, as well as to obtain information on the respective treatment conditions.
Rectification The Clients are entitled to request the rectification of their personal data which are inaccurate or incomplete (e.g. address, e-mail address, phone numbers).
Opposition The Clients are entitled to oppose to data processing grounded on the legitimate interest of ActivoBank.
Withdrawal of consent The Clients are entitled to withdraw the consent they granted for data processing based on such ground.
Erasure The Clients are entitled to request the deletion of their personal data held by ActivoBank, provided that there are no valid arguments for the maintenance of their storage (e.g, compliance with a legal duty, Bank’s defense or defense of third parties in a lawsuit).
Limitation The Clients are entitled to request the limitation of data processing when (I) they challenged the accuracy of the personal data and for a period of time that allows ActivoBank to verify their accuracy, (ii) the processing is unlawful and they opposed the deletion of the personal data ; (iii) ActivoBank no longer needs the personal data but those data are required by the Client for the purposes of invoking, exercising or defending a right in legal proceedings; (iv) they opposed the processing and while the request they made to ActivoBank is being assessed by the latter.
Portability The Clients are entitled to receive the personal data they provided to ActivoBank in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
Not remain subject to exclusively automated decisions The Clients are entitled to request human intervention or to challenge decisions made based solely on automated data processing systems (e.g. decision of not granting a loan based on risk classification algorithms, definition of profiles) which may produce significant effects in their legal frameworks or in their private life, unless such processing is required for legal compliance. ActivoBank has mechanisms to ensure the human intervention in data processing based on automated decisions, enabling the data subject to express his/her point of view and to challenge the automated decision.
Lodging a Claim with CNPD The Clients are entitled to lodge claims with CNPD regarding issues linked with the exercise of their rights and the protection of their personal data.

You may exercise your rights on data protection, through letter or e-mail addressed to the contacts of ActivoBank or the Data Protection Officer. ActivoBank will reply to the requests within 30 days, with the exception of particularly complex requests. In those cases, ActivoBank will inform the subjects on the need to extend the deadline for an additional period of 60 days and on the grounds for such an extension.

When the Bank deems that it is not possible to respond to the requests, the subjects shall be informed of the Bank’s reasons, within the deadlines set forth above.

The exercise of the rights is free of charge, except when situations are deemed excessive, irregular and /or bad faith. In these situations, ActivoBank will previously inform the data subjects of the fees that will be charged and respective justification.

ActivoBank has the appropriate mechanisms to verify and confirm the identity of the data subjects that wish to exercise the rights, being accepted only those made by persons whose identity can be confirmed and through a channel that allows the Bank to keep evidence of the request and of the respective answer.

7. Sharing personal data

ActivoBank’s employees are given access to personal data as necessary to comply with their duties, namely within the scope of diligences necessary prior to and to enter into a contract, as well as those resulting from the regulations in force. In addition, personal data may be provided to third-parties - entities that are separate from ActivoBank:

Third-parties Examples
Group Companies Companies controlled or partly owned by Millennium bcp (Banco Comercial Português Group, herinafter “Group”) or joint ventures (agrupamentos complementares de empresas - ACE) incorporated by the Group, within the scope of the prevention of money laundering, terrorism financing and fraud, or for administrative or financial management at Group level.
Government entities and supervision authorities Banco de Portugal, European Banking Authority, European Central Bank, Comissão do Mercado de Valores Mobiliários and tax authorities, always to meet legal or regulatory obligations, for instance reporting information (i) to the Accounts Database, Central Credit Register and the List of Cheques’ Users that offer Risk (LUR) under the terms of the applicable legislation, (ii) during investigations, claim or proceedings, to Government Entities, Courts and Law Enforcement entity responsible for the matter, or (iii) to official authorities or entities of other countries of the European Union or not, for purposes of fighting terrorism financing, serious forms of organized crime and preventing money laundering.
Other credit and financial services institutions Entities to which ActivoBank transfers personal data for the performance of the agreement entered into with the Client or for the provision of additional benefits and/or benefits resulting from the product or service subscribed, under the terms of the respective agreements, namely without limitation (i) to entities that process discounts and loyalty programmers, (ii) to insurance companies within the scope of the insurance policies associated to loans, cards or accounts, (iii) to financial entities users of the Worldwide Interbank Financial Telecommunication (SWIFT) system, (iv) to entities of the same industry or with the same legal obligations in what regards the prevention of fraud and money laundering, or (v) to entities that acquire loans or assets, part of operations to assign or dispose of loans or assets, and joint-venture entities (ACE).
Processors Processors and service providers that act on behalf of ActivoBank or pursuant to its instructions (e.g. document management and archive service providers; IT service providers).

ActivoBank is subject to bank secrecy duty pursuant to the General Framework for Credit Institutions and Financial Companies, therefore personal data are only sent to third-parties when such is authorized within the banking relationship and/or when the processors engaged by ActivoBank also ensure compliance with bank secrecy, as well as with all other data protection regulations and legislation.

Transfers of personal data to third countries or international organizations

The transfer of data to countries outside the European Union only occurs when such is necessary (i) to execute orders or requests (for example, payment transfers to other countries), (ii) due to legal requirements, or (iii) when expressly authorized by the data subject.

If it is necessary to resort to service providers in third countries, ActivoBank will ensure, by contractual clauses, that these entities comply with all the data protection legal requirements, processing them in accordance with ActivoBank 's prior and documented instructions.

8. Find out how we protect your data

The protection of confidentiality and data integrity has long been considered by ActivoBank as a fundamental pillar for building a relation of trust with our Clients, employees, regulators and business partners.

ActivoBank also has implemented organizational measures, security processes and systems that are appropriate to protect personal data, under its control, from destruction, alteration and unauthorized access, including: (i) mechanisms to control access to information systems and data; (ii) specialised security systems (e.g. firewalls, antivirus, intrusion detection systems); (iii) mechanisms to record actions of employees, Clients and other users of information systems (e.g. access, alteration, deletion of personal data); (iv) mechanisms for data encryption and pseudonymisation and for rendering data anonymous; (v) encryption measures applicable to mobile devices; (vi) physical security measures to protect the premises (e.g. physical access control, surveillance, various alarms); (vii) a programme to train and raise awareness of ActivoBank’s employees and partners regarding information security and personal data protection.

9. Changes to the privacy policy

ActivoBank reserves the right to, at all times, alter this document to update it and adjust it to the best market practices or to future legal and regulatory amendments. The updated version is permanently available at any ActivoBank branch or on the website www.activobank.pt.

Whenever there are substantial and relevant amendments, the Bank shall undertake the adequate and reasonable efforts to inform Clients, using the regular channels and mechanisms.