o   Data categories that can be processed:

§  name;

§  image;

§  date of birth;

§  identification document;

§  tax identification number;

§  nationality;

§  place of birth;

§  permanent residence or domicile for tax purposes;

§  email address;

§  telephone number;

§  mobile telephone number;

§  sex;

§  gender;

§  marital status;

§  occupation/job and employer;

§  financial data;

§  information on decisions imposing penalties, security measures, fines, additional penalties or other sanctions;

§  information on public offices held;

§  family relations.

o   The Banco de Portugal, as part of its supervisory tasks, may process personal data relating to various data subjects (such as shareholders, members of the management bodies) of supervised entities, in particular for the following purposes:

§  monitoring and surveillance of compliance with applicable legislation and issuance of supervisory measures;

§  assessing requests for information and/or complaints by natural persons and promotion of the necessary steps to address them;

§  determining whether there are any conflicts of interest in the granting of credit to members of corporate bodies and holders of qualifying holdings;

§  acquisitions, increases or decreases of qualifying holdings;

§  archives of public interest;

§  authorisation for the establishment of entities and withdrawal of the authorisation granted;

§  assessment of the suitability of managers of branches and representative offices established in Portugal of institutions headquartered outside the EU and of managers of branches established in countries outside the EU;

§  assessment of the suitability of members of corporate bodies and key function holders, and withdrawal of authorisation to perform functions;

§  granting of an authorisation to carry out activities and the withdrawal of that authorisation;

§  disclosure of information in compliance with a legal obligation;

§  issuing recommendations, specific orders, corrective measures and other supervisory measures, including the performance of audit work;

§  suspension of the exercise of the voting rights attached to the shares held by qualified shareholders;

§  ex officio qualifying holding decision by the supervisor;

§  registry of information subject to special registration and disclosure on the Banco de Portugal’s website, where applicable;

§  withdrawal of the authorisation granted or cancellation of the registration granted;

o   Personal data may be disclosed to third parties for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Banco de Portugal and for compliance with legal obligations;

o   Personal data processed for these purposes may be kept for varying periods of time depending on the nature of their specific purpose.

o   Data categories that can be processed:

§  name;

§  image;

§  date of birth;

§  Identification document;

§  tax identification number;

§  nationality;

§  place of birth;

§  permanent residence or domicile for tax purposes;

§  email address;

§  marital status;

§  occupation/job and employer;

§  career (developments and events that affect it);

§  annual income tax return;

§  vocational training data;

§  academic qualifications;

§  information on decisions imposing penalties, security measures, fines, additional penalties or other sanctions;

§  information on public offices held;

§  family relations;

§  real estate identification data – registry number;

§  place of work;

§  payslip;

§  credit balance.

o   The Banco de Portugal may sanction entities subject to its supervision, namely natural persons, if suspected of non-compliance with the applicable regulations. To that end, the purpose of processing personal data is to collect appropriate, relevant and limited information to establish the existence of non-compliant practices with the regulations and/or to consolidate the need for sanctions.

o   The Banco de Portugal shall carry out inspections to verify compliance with the regulations it has to oversee, including in the context of its internal databases.

o   The Banco de Portugal also carries out actions for the prevention of money laundering and terrorist financing, including within the scope of its internal databases.

o   The data listed may also be used for reporting purposes in the context of the prevention of money laundering and terrorist financing, for purposes of issuing supervisory measures.

o   The Banco de Portugal may also regulate, oversee and promote the smooth operation of cash recirculation. This activity involves, among other things, specific training courses on euro banknotes and coins, the recording of counterfeits and banknotes neutralised by IBNS, as well as on-site and off-site controls of related information.

o   Personal data processed for these purposes may be kept for varying periods of time depending on the nature of their specific purpose.

o   Data categories that can be processed:

§  name;

§  image;

§  Identification document;

§  tax identification number;

§  nationality;

§  permanent residence or domicile for tax purposes;

§  email address;

§  telephone number;

§  mobile telephone number;

§  IBAN;

§  employer;

§  place of work;

§  other.

o   The Banco de Portugal may process personal data for treasury operations including, but not limited to:

§  customer services related to databases and requests for information made in person, as well as their scheduling;

§  customer services for professional cash handlers, regarding deposit and withdrawal transactions;

§  business continuity;

§  exchange of banknotes and coins for different denominations, including analysing damaged euro banknotes, while fulfilling its obligations arising under the framework for preventing and combating money laundering and terrorist financing;

§  issuance and destruction of banknotes;

§  automatic distribution of letters and information on the misplacement, theft, robbery, forgery, counterfeiting or illegal use of personal identification documents, as well as the recovery, replacement or other development related to such documents or their expiry date;

§  training in cash handling, under the legislation applicable to recirculation activities;

§  international transport of euro banknotes and/or coins.

o   Personal data may be disclosed to credit institutions and financial companies, as well as to the appropriate authorities in case of an investigation.

o   Personal data processed for these purposes may be kept for varying periods of time depending on the nature of their specific purpose.

o   Any citizen may address the Banco de Portugal to lodge a complaint, and report or request information. In turn, the Banco de Portugal may use the data provided for the purpose of analysing and investigating the situation reported.

o   The data provided may also be disclosed to relevant third parties to analyse the situation reported (namely to the financial service providers concerned).

o   Personal data collected as part of these reports are kept as long as necessary for the investigation and verification of the issues raised and the data subject may request clarification as to the duration of this period.

o   Data categories that can be processed:

§  name;

§  date of birth;

§  Identification document;

§  tax identification number;

§  permanent residence or domicile for tax purposes;

§  email address;

§  marital status;

§  occupation/job and employer;

§  career (developments and events that affect it);

§  vocational training data;

§  information on decisions imposing penalties, security measures, fines, additional penalties or other sanctions;

§  academic qualifications;

§  household information;

§  seizure of assets;

§  annual tax income return;

§  trade union membership;

§  real estate identification data – registry number;

§  place of work;

§  membership ofprofessional bodies;

§  attachment of assets;

§  payslip;

§  current accounts / securities accounts.

o   The Banco de Portugal processes the personal data of its employees in the context of performing the employment contract concluded with them.

o   The purpose of such processing may be to manage career development, initiate and terminate the contractual relationship, discharges, loans, court seizures, examination of applications from employees, providing training.

o   These data may be stored for varying periods of time after the end of the contractual relationship, depending on the specific purpose of the processing under contract management.

o   Similarly, data can be transmitted to several authorities, such as:

§  tax authority;

§  training entities;

§  Fundo de Compensação do Trabalho (labour compensation fund);

§  Fundo de Garantia de Compensação do Trabalho (labour compensation guarantee fund);

§  insurers;

§  social security services;

§  Sociedade Gestora de Fundos e Pensões (pension fund management company);

§  courts of law.

o   The Banco de Portugal also processes personal data under its contractual relationship with suppliers and processors.

o   Data categories that can be processed:

§  name;

§  image;

§  Identification document;

§  tax identification number;

§  career (developments and events that affect it);

§  vocational training data;

§  information on decisions imposing penalties, security measures, fines, additional penalties or other sanctions;

§  household information;

§  foreign language proficiency;

§  employer;

§  academic qualifications;

§  online identifiers;

§  place of work.

o   These personal data are processed on the basis of the consent of the data subject, which is given by the data subject through the SuccessFactors platform prior to providing the data.

o   The Banco de Portugal stores the data for a period of five years.

o   During recruitment, the data subject’s data may be transmitted to the Bank’s service providers responsible for parts of the candidate selection procedure.

o   Personal data to be processed:

§  image;

§  location data;

§  vehicle registration plates.

o   The Banco de Portugal monitors the production system and is committed to the protection of people and property, in particular through video surveillance systems in its buildings.

o   Video surveillance recordings made to protect people and property are stored for 30 days from the date of recording.

o   Video surveillance recordings made for to monitor the production system are stored for 90 days from the date of recording.

o   Data categories that can be processed:

§  name;

§  image;

§  identification document.

o   The Banco de Portugal records data on all visitors entering restricted access areas of its premises for security and access management purposes.

o   Data subjects entering the Banco de Portugal’s premises must state their name and allow security staff at the premises to verify their identification documents.

o   Images of visitors captured by the video surveillance systems of the Banco de Portugal fall under the provisions established above for video surveillance.

o   The Banco de Portugal does not keep any copies of the photograph stored on the visitor’s identification document.

o   Data processed for the purpose of access management is stored for 180 days.

o   Data categories that can be processed:

§  name;

§  image;

§  email address;

§  telephone number;

§  mobile telephone number;

§  sound.

o   Personal data of the data subjects involved in the events organised by the Bank may be processed, using information technologies (e.g. videoconferencing) or not.

o   The Banco de Portugal carries out some of its communications, meetings, events and interviews through audio visual systems for conferences. The Bank uses service providers for this purpose.

o   The use of some of these tools (e.g. Webex, Jabber, SharePoint and Microsoft Teams) may involve the transfer of data to third countries (hence, there is no way to ensure that personal data are not transferred, for example, to the United States).

o   Data processed within these platforms shall be stored for as long as necessary for the purposes of processing.

o   Data categories that can be processed:

§  name (event forms);

§  date of birth (event forms);

§  tax identification number (event forms);

§  permanent residence or domicile for tax purposes(event forms);

§  email address (event forms and contact with the Banco de Portugal);

§  employer (event forms);

§  IP address (cookies).

o   The Banco de Portugal does not collect users’ personal data on its website without first obtaining their consent (e.g. by filling in forms or consenting to the use of cookies).

o   By filling in forms or contacting the Banco de Portugal through the channels provided, the Bank may process data for their specific purposes.

o   Personal data processed in connection with forms and questionnaires for registration at events are stored for a period of two years.

o   The Banco de Portugal’s institutional website uses cookies for access to some of its contents and for improved functionality, therefore you should read the Banco de Portugal’s cookie policy.

o   Consent to cookies can be given or withdrawn at any time.

o   Regarding cookies, the Bank’s institutional website uses Google Analytics, therefore it cannot guarantee that personal data are not transferred to the United States or need to be transferred to the United States authorities.

o   On the other hand, the Banco de Portugal is not responsible for the content or privacy policies of other pages to which it may be linked, and it is therefore advisable to read their policies separately.

o   Data categories that can be processed:

§  name;

§  image;

§  voice.

o   The Banco de Portugal may process photographs and videos of data subjects in order to document its activities and events.

o   Personal data processed by the Bank in the context of events are stored on the basis of the consent of the data subjects and are erased as soon as the purpose for the processing has ended.

o   The Banco de Portugal is on various social networks, each with its own privacy and data protection policy. Social media may be used for institutional communication purposes.

o   You are advised to read the data protection policies of each of the platforms used by the Banco de Portugal:

§  Instagram;

§  LinkedIn;

§  Twitter.

The Banco de Portugal, as a member of the ESCB, shares information with the ECB and other central banks that are members of that system. 

Within the framework of the European banking supervision and resolution systems and the Banking Union, the Banco de Portugal shares information with the other members, including similar authorities, the European Central Bank/Single Supervisory Mechanism, the Single Resolution Board/Single Resolution Mechanism and the European Systemic Risk Board.

The Banco de Portugal may also, under the legal terms and abiding by its cooperation duty, share data with national supervisory authorities, national resolution authorities, as well as other public entities, including, but not limited to courts, the Public Prosecutor's Office, the Tax and Customs Authority, and the Social Security services.

The Banco de Portugal may transfer data to similar authorities of third countries and international organisations that guarantee data protection conditions equivalent to those applied by the Banco de Portugal, or in other cases of public interest where the law so permits.

 Depending on the legal system and entity, such transfers may take place under, but are not limited to:

o   Adequacy Decisions, in which the European Commission has determined that a given country or institution ensures an adequate level of personal data protection;

o   Standard Contractual Clauses adopted by the European Commission or by supervisory authorities for this purpose;

o   binding corporate rules;

o   legally binding and enforceable instruments between authorities or bodies;

o   Codes of conduct and certification mechanisms.

The Banco de Portugal may also transfer data to service providers acting exclusively under its guidance and complying with equivalent technical and organisational measures.

Even in the case of multinational service providers based in the EEA, there is no way to ensure that personal data will not be transferred to the main establishment in a third country or that they need to be transferred to the authorities of that third country.

o   The data subject has the right to receive a copy of the personal data kept by the Banco de Portugal concerning the subject, as well as to obtain information on how Banco de Portugal uses those data;

o   This right may be exercised at any time, provided that the Banco de Portugal stores the personal data of the data subject and without prejudice to eventual restrictions in specific cases.

o   The data subject is entitled to request that the Banco de Portugal update or correct personal data relating to them, if such data are incorrect, outdated or incomplete.

o   This right may be exercised at any time, provided that the Banco de Portugal stores the personal data of the data subject.

o   The data subject has the right to request the deletion of personal data from the Banco de Portugal’s registers and systems.

o   This right applies only in certain circumstances, specifically where the purpose for the processing has ended or where the data subject withdraws the consent the processing is based on and where there are no other legal grounds such data to be processed.

o   This right shall not apply to the extent that processing is necessary for compliance with a legal obligation or for the fulfilment of a task carried out in the public interest or in the exercise of official authority.

o   The data subject has the right to request the Banco de Portugal to restrict the processing of personal data, i.e., the Banco de Portugal may only store the data, subject to a few exceptions.

o   This right applies only in a limited range of situations, namely:

§  from the moment the data subject contests the accuracy of the personal data stored by the Banco de Portugal until the moment the Bank submits its reply;

§  where the processing is unlawful but the data subject opposes erasure of the personal data;

§  if the Banco de Portugal no longer needs the personal data for the purposes of the processing, but they are required by the data subject for judicial purposes;

§  where the data subject has objected to processing and the Banco de Portugal is verifying whether the legitimate grounds for the processing override the rights and interests of the data subject.

o   The data subject has the right to receive the personal data in a format that enables their transmission to a third-party institution, where the processing is based on consent or on a contract and the processing is carried out by automated means.

o   Where technically feasible, the data subject may request that the Banco de Portugal transmit the personal data directly to the third party institution.

o    This right shall not apply to processing necessary for a task to be performed in compliance with a legal obligation or carried out in the public interest or in the exercise of official authority vested in the Banco de Portugal.

o   This prevents this right from being exercised in respect of many of the personal data stored by the Banco de Portugal, as most of these data are processed for the purposes of the institution’s obligations and the pursuit of the public interest.

o   The data subject has the right to object to the processing of personal data by the Banco de Portugal in certain circumstances.

o   Irrespective of the data subject’s opposition, the Banco de Portugal may continue to process the data subject’s personal data if there is a legitimate basis for doing so or if the data are necessary for judicial purposes.

o   This right applies to the processing of data by the Banco de Portugal in the public interest.

o   The data subject has the right not to be subject to a decision based solely on automated processing (without human intervention), which produces legal effects or similarly significantly affects the data subject.

o   This right applies only to automated decisions.

o   This right does not apply if the decision is authorised by Union or Member State law to which the controller is subject.