Personal Data Protection Policy

In accordance with EU Regulation 2016/679 of the European Parliament and the Council of April 27, 2016. (RGPD), CajaSur  informs you that by accepting this Privacy Policy, you are giving your informed, express, free and explicit consent for the data you provide to CajaSur to be processed by the information systems for which CajaSur is responsible for processing, and to which the security, technical and organisational measures provided for in current legislation are applied.
Identification of the data controller
The data controller of this website is CajaSur Banco S.A.U. with tax identification number A95622841 and registered office at Avda. Ronda de los Tejares, Nº 18-24, 14001, Córdoba Its e-mail address is info@cajasur.es and that of the corporate data protection officer is dpo@grupokutxabank.com
Origin of processing, processed data categories and provision for transfers
Personal data are obtained on this website directly from the user, their legal representative or legal proxy.
Likewise, the user’s data will only be communicated in the event of legal authorisation or if the user has consented thereto, to group companies and authorities or official bodies of other countries located both inside and outside the European Union in the context of the fight against fraud, the prevention of money laundering and monetary offences of a similar nature or the management of risks and information on matters of capital and credit solvency, as well as to the courts, tribunals and state security forces in the event of an injunction and to any other entities acting as necessary collaborators in certain transactions.
Moreover, CajaSur hereby informs you that it does not transfer data to other companies located or whose servers are located outside the European Economic Area. However, in those exceptional cases where such international transfers occur, CajaSur will take the necessary measures to ensure that they are made to a country or organisation that has offered adequate guarantees or that they can be based on the legitimate principles established by law.
Purpose and legitimacy of data processing
The user is hereby advised that, depending on the channels and services consumed by the user, data may be processed for the following purposes:


1. Regarding the processing of user data through this website
In order for CajaSur to be able to study a possible contract application from an interested party, CajaSur will carry out admission management, reporting and capital calculation, as well as verifying the feasibility of contracting a product, among other activities, so as to be able to analyse the feasibility of the contract. In this case, the processing of data is necessary for the application of pre-contractual measures and, where appropriate, the formalisation of the contract requested by the interested party.
CajaSur will carry out risk assessments on credit or contractual matters for the same purpose, and can create the creditworthiness profiles required for the feasibility analysis of executing the contract requested. In compliance with its legal obligation to analyse the solvency and operational risks inherent in the interested party's application, in these cases, where appropriate, CajaSur may process the data obtained from different entities that issue information on financial solvency and creditworthiness, including the Bank of Spain's Risk Information Centre.
Likewise, the maintenance of the contractual relationship with CajaSur, where applicable, legitimises the adaptation of said services to the preferences and tastes of the user, the study of the use of the services by the user and the design of new services related to the same for the management, administration, provision, extension and improvement of the services which the user decides to request


2. Regarding the fulfilment of obligations of various kinds.
Please be advised that, in order to meet the various accounting, tax or administrative regulatory compliance requirements, it may be necessary to process or transfer data of different types to different bodies with competence in the field, to consult common information files on financial solvency and creditworthiness, to obtain information that makes it possible to comply with additional requirements in relation to the prevention of money laundering and prevent possible fraudulent conduct.


3. Regarding the management of possible requests for information or complaints made through the web.
CajaSur is authorised to process the data of the interested parties (whether or not they are customers of the institution) in order to guarantee the correct handling of the requests made.


4. Regarding the sending of commercial communications.
The entity will send promotional communications (by post, fax, SMS, e-mail and any other means) of a general nature or adapted to personal characteristics, as well as to offer the user and/or contract products and services marketed by the bank or other Kutxabank Group companies and third party collaborators dedicated to the banking, financial, insurance, real estate and service sectors, which may be of interest.
These communications will be sent in the legitimate interest of CajaSur to promote its activity or, when applicable, after obtaining the consent of the interested parties. In any event, this consent may be revoked and the customer may also object at any time to such processing.
For the purposes of this Policy, the Kutxabank Group consists of, among others, the following companies: Kutxabank, S.A., Cajasur Banco, S.A.U., Kutxabank Gestión S.G.I.I.C., S.A.U., Kutxabank Vida y Pensiones, S.A.U., Kutxabank Aseguradora, S.A.U., Bilbao Bizkaia Kutxa Fundación Bancaria-Bilbao Bizkaia Kutxa Banku Fundazioa, Fundación Bancaria Kutxa-Kutxa Banku Fundazioa and Caja Vital Kutxa Fundación Bancaria. You can obtain detailed, up-to-date information about the Kutxabank Group at any CajaSur branch.


5. Regarding the organisation of promotions and prize draws.
CajaSur sometimes organises promotions and prize draws that may be of interest to users. In these cases, CajaSur will put in place the appropriate procedures to ensure compliance with the provisions of the applicable data protection legislation.


6. Regarding the recording of calls of customers, potential customers and other stakeholders.
Please be advised that, due to regulatory compliance requirements, CajaSur may record calls or electronic communications it has with the user and keep computer and telematic records of access to services, based on a legitimate interest, for the purposes of control quality and security, or as a consequence of compliance with legal obligations. If necessary, CajaSur may also use such recordings as evidence in judicial, administrative, arbitration or any other proceedings that may arise. In this regard, CajaSur will provide information on all calls and/or communications that are to be recorded and a record of such a circumstance.


7. Regarding the processing of data that are received physically or electronically from applicants.
In order to take part in CajaSur’s current selection processes or those that may be required in the future, these data will be processed in internal information systems and will be kept unless otherwise specified, provided that such personal data are valid for selection processes based on the professional profile of the applicants. This processing will always be carried out with the consent of or affirmation by the various candidates (either in person or online), and express acceptance may be required to continue with the processing before the personal profile becomes part of the internal databases of applicants. No transfers will be made without the express consent of the interested party.


8. Regarding the processing of own and third party cookies.
Users may obtain detailed information about CajaSur 's policy on processing the aforementioned data at the following link: POLICY COOKIES


9. Regarding the processing of third party data.
CajaSur may process third party data provided by the user. In this regard, the user guarantees that they have informed and obtained the consent of such third parties for the processing of their personal data by CajaSur. The user also guarantees that they have informed these third parties of their rights in terms of data protection and that they may contact the registered office of CajaSur to exercise their rights, attaching a photocopy of their ID document.
In those cases where personal data are provided by persons who have parental authority or by legal representatives of persons with disabilities, these people will authorise the collection of data, as well as their use and processing by CajaSur for the purposes described in this website Privacy Policy.

Security and users' rights on the website

For the security of the telematic services provided, CajaSur informs you of the existence and use of computer mechanisms that do not have to identify the user but which can collect browsing, technical and usage data or data on the use of pages and content and whose purpose may be to obtain statistics on use and operation, the resolution of incidents or the proposal or development of new services or products, and the user may configure their browser at any time in such a way as to prevent the obtaining of such information.
 CajaSur is firmly committed to the protection of personal data and the confidentiality of user information.
CajaSur guarantees compliance with the security, organisational and technical measures that are appropriate for ensuring a level of security that is adequate for the risk that may arise from processing data, in order to ensure the security and integrity of personal data nature and prevent their alteration, loss or unauthorised processing or access, taking into account the state of the technology, the costs of application, the nature of the data stored, the scope of the processing, as well as the risks to which they are exposed and the impact that this may have on the rights and freedoms of natural persons, whether they come from human action or the physical or natural environment, thus complying with the requirements of the current legislation.
However, the user has been informed and accepts that Internet security measures are not impregnable.
In the event of disputes relating to the processing of personal data, users may contact the CajaSur data protection officer at any time at dpo@grupokutxabank.com, submit a complaint to the competent supervisory authority and exercise their rights of access, rectification, deletion, opposition, limitation of processing, portability and not to be the subject of individual automated decisions regarding their personal data, and may exercise these rights by writing to the registered office of CajaSur indicated above, attaching a photocopy of their ID document.
In relation to the processing horizon, data will be processed and stored for as long as necessary for the relationship established with the user. Data will also be retained to comply with the requirements of the applicable legislation, to prevent illegal actions, resolve disputes or settle controversies of various kinds. Once the processing of data is not required, CajaSur  shall delete and/or block them in accordance with the corporate data retention and deletion policy and the legally established statutes of limitation.
Any changes made to this Privacy Policy will be notified on this website, without retroactive changes that reduce the rights to privacy, unless legally required, involving the user in these cases to obtain the corresponding consent for the processing carried out, where appropriate.