Data protection
The Banco de Portugal, as central bank and financial supervisor, processes personal data for the purpose of carrying out its tasks, particularly under the Treaty on European Union, the Treaty on the Functioning of the European Union, the Statute of the European System of Central Banks (ESCB), the decisions and guidelines of the European Central Bank (ECB) in the context of the Single Supervisory Mechanism and the Single Resolution Mechanism, the Portuguese Legal Framework of Credit Institutions and Financial Companies (RGICSF) and the Statute of the Banco de Portugal.
These tasks include:
- defining and implementing the monetary policy of the euro, with the primary objective of maintaining price stability;
- managing assets and reserves;
- tasks in prudential supervision, banking conduct supervision and supervision for the purpose of preventing money laundering and terrorist financing and for preventing and repressing illicit financial activity;
- conducting administrative sanctioning proceedings;
- applying enforcement measures other than sanctions;
- ensuring the orderly resolution of failed banks, to guarantee the stability of the financial system;
- defining and implementing macroprudential policy;
- regulating, overseeing and promoting the smooth operation of payment systems;
- regulating the operation of the foreign exchange market and overseeing foreign currency trading and foreign exchange transactions;
- issuing coins and banknotes and putting them into circulation;
- collecting and compiling monetary, financial, foreign exchange and balance of payments statistics;
- producing research and analyses of the Portuguese economy, the euro area economy and its international environment, and of financial markets and systems;
- cooperating with international bodies;
- acting as intermediary in the international monetary relations of the State and advising the Government in the economic and financial fields;
- promoting financial literacy and training for bank customers.
The Controller
The Banco de Portugal is the controller responsible for the processing of the personal data that it collects and uses for the performance of its tasks.
The Banco de Portugal only processes strictly necessary personal data categories that are appropriate and relevant to the pursuit of the public interest attributed to it by law, within the scope of its powers as a public authority or in compliance with a legal obligation.
Collection of personal data
The data used by the Banco de Portugal to carry out its tasks may be collected:
directly from the data subjects themselves;
indirectly through third parties (for example, from supervised institutions).
Security of personal data
The Banco de Portugal implements technical and organisational measures to ensure that the personal data it processes are not lost or used by unauthorised third parties. The personal data stored for processing by the Banco de Portugal are kept in a secure environment with an internationally certified infrastructure.
The Banco de Portugal’s institutional websites use HTTPS, meaning that all communication between the user’s browser and the Banco de Portugal’s servers is encrypted.
However, if you wish to contact the Banco de Portugal or its staff by email, be aware that email protocols cannot guarantee the confidentiality of the information transmitted. We therefore recommended that you contact the Banco de Portugal using the forms and channels created for this purpose if you wish to communicate confidential information.
Personal data categories
The categories of personal data the Banco de Portugal processes to perform its institutional tasks and the way in which these data are processed are provided below.
o Data categories that can be processed:
§ name;
§ image;
§ date of birth;
§ identification document;
§ tax identification number;
§ nationality;
§ place of birth;
§ permanent residence or domicile for tax purposes;
§ email address;
§ telephone number;
§ mobile telephone number;
§ sex;
§ gender;
§ marital status;
§ occupation/job and employer;
§ financial data;
§ information on decisions imposing penalties, security measures, fines, additional penalties or other sanctions;
§ information on public offices held;
§ family relations.
o The Banco de Portugal, as part of its supervisory tasks, may process personal data relating to various data subjects (such as shareholders, members of the management bodies) of supervised entities, in particular for the following purposes:
§ monitoring and surveillance of compliance with applicable legislation and issuance of supervisory measures;
§ assessing requests for information and/or complaints by natural persons and promotion of the necessary steps to address them;
§ determining whether there are any conflicts of interest in the granting of credit to members of corporate bodies and holders of qualifying holdings;
§ acquisitions, increases or decreases of qualifying holdings;
§ archives of public interest;
§ authorisation for the establishment of entities and withdrawal of the authorisation granted;
§ assessment of the suitability of managers of branches and representative offices established in Portugal of institutions headquartered outside the EU and of managers of branches established in countries outside the EU;
§ assessment of the suitability of members of corporate bodies and key function holders, and withdrawal of authorisation to perform functions;
§ granting of an authorisation to carry out activities and the withdrawal of that authorisation;
§ disclosure of information in compliance with a legal obligation;
§ issuing recommendations, specific orders, corrective measures and other supervisory measures, including the performance of audit work;
§ suspension of the exercise of the voting rights attached to the shares held by qualified shareholders;
§ ex officio qualifying holding decision by the supervisor;
§ registry of information subject to special registration and disclosure on the Banco de Portugal’s website, where applicable;
§ withdrawal of the authorisation granted or cancellation of the registration granted;
o Personal data may be disclosed to third parties for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Banco de Portugal and for compliance with legal obligations;
o Personal data processed for these purposes may be kept for varying periods of time depending on the nature of their specific purpose.
o Data categories that can be processed:
§ name;
§ image;
§ date of birth;
§ Identification document;
§ tax identification number;
§ nationality;
§ place of birth;
§ permanent residence or domicile for tax purposes;
§ email address;
§ marital status;
§ occupation/job and employer;
§ career (developments and events that affect it);
§ annual income tax return;
§ vocational training data;
§ academic qualifications;
§ information on decisions imposing penalties, security measures, fines, additional penalties or other sanctions;
§ information on public offices held;
§ family relations;
§ real estate identification data – registry number;
§ place of work;
§ payslip;
§ credit balance.
o The Banco de Portugal may sanction entities subject to its supervision, namely natural persons, if suspected of non-compliance with the applicable regulations. To that end, the purpose of processing personal data is to collect appropriate, relevant and limited information to establish the existence of non-compliant practices with the regulations and/or to consolidate the need for sanctions.
o The Banco de Portugal shall carry out inspections to verify compliance with the regulations it has to oversee, including in the context of its internal databases.
o The Banco de Portugal also carries out actions for the prevention of money laundering and terrorist financing, including within the scope of its internal databases.
o The data listed may also be used for reporting purposes in the context of the prevention of money laundering and terrorist financing, for purposes of issuing supervisory measures.
o The Banco de Portugal may also regulate, oversee and promote the smooth operation of cash recirculation. This activity involves, among other things, specific training courses on euro banknotes and coins, the recording of counterfeits and banknotes neutralised by IBNS, as well as on-site and off-site controls of related information.
o Personal data processed for these purposes may be kept for varying periods of time depending on the nature of their specific purpose.
o Data categories that can be processed:
§ name;
§ image;
§ Identification document;
§ tax identification number;
§ nationality;
§ permanent residence or domicile for tax purposes;
§ email address;
§ telephone number;
§ mobile telephone number;
§ IBAN;
§ employer;
§ place of work;
§ other.
o The Banco de Portugal may process personal data for treasury operations including, but not limited to:
§ customer services related to databases and requests for information made in person, as well as their scheduling;
§ customer services for professional cash handlers, regarding deposit and withdrawal transactions;
§ business continuity;
§ exchange of banknotes and coins for different denominations, including analysing damaged euro banknotes, while fulfilling its obligations arising under the framework for preventing and combating money laundering and terrorist financing;
§ issuance and destruction of banknotes;
§ automatic distribution of letters and information on the misplacement, theft, robbery, forgery, counterfeiting or illegal use of personal identification documents, as well as the recovery, replacement or other development related to such documents or their expiry date;
§ training in cash handling, under the legislation applicable to recirculation activities;
§ international transport of euro banknotes and/or coins.
o Personal data may be disclosed to credit institutions and financial companies, as well as to the appropriate authorities in case of an investigation.
o Personal data processed for these purposes may be kept for varying periods of time depending on the nature of their specific purpose.
o Any citizen may address the Banco de Portugal to lodge a complaint, and report or request information. In turn, the Banco de Portugal may use the data provided for the purpose of analysing and investigating the situation reported.
o The data provided may also be disclosed to relevant third parties to analyse the situation reported (namely to the financial service providers concerned).
o Personal data collected as part of these reports are kept as long as necessary for the investigation and verification of the issues raised and the data subject may request clarification as to the duration of this period.
o Data categories that can be processed:
§ name;
§ date of birth;
§ Identification document;
§ tax identification number;
§ permanent residence or domicile for tax purposes;
§ email address;
§ marital status;
§ occupation/job and employer;
§ career (developments and events that affect it);
§ vocational training data;
§ information on decisions imposing penalties, security measures, fines, additional penalties or other sanctions;
§ academic qualifications;
§ household information;
§ seizure of assets;
§ annual tax income return;
§ trade union membership;
§ real estate identification data – registry number;
§ place of work;
§ membership ofprofessional bodies;
§ attachment of assets;
§ payslip;
§ current accounts / securities accounts.
o The Banco de Portugal processes the personal data of its employees in the context of performing the employment contract concluded with them.
o The purpose of such processing may be to manage career development, initiate and terminate the contractual relationship, discharges, loans, court seizures, examination of applications from employees, providing training.
o These data may be stored for varying periods of time after the end of the contractual relationship, depending on the specific purpose of the processing under contract management.
o Similarly, data can be transmitted to several authorities, such as:
§ tax authority;
§ training entities;
§ Fundo de Compensação do Trabalho (labour compensation fund);
§ Fundo de Garantia de Compensação do Trabalho (labour compensation guarantee fund);
§ insurers;
§ social security services;
§ Sociedade Gestora de Fundos e Pensões (pension fund management company);
§ courts of law.
o The Banco de Portugal also processes personal data under its contractual relationship with suppliers and processors.
o Data categories that can be processed:
§ name;
§ image;
§ Identification document;
§ tax identification number;
§ career (developments and events that affect it);
§ vocational training data;
§ information on decisions imposing penalties, security measures, fines, additional penalties or other sanctions;
§ household information;
§ foreign language proficiency;
§ employer;
§ academic qualifications;
§ online identifiers;
§ place of work.
o These personal data are processed on the basis of the consent of the data subject, which is given by the data subject through the SuccessFactors platform prior to providing the data.
o The Banco de Portugal stores the data for a period of five years.
o During recruitment, the data subject’s data may be transmitted to the Bank’s service providers responsible for parts of the candidate selection procedure.
o Personal data to be processed:
§ image;
§ location data;
§ vehicle registration plates.
o The Banco de Portugal monitors the production system and is committed to the protection of people and property, in particular through video surveillance systems in its buildings.
o Video surveillance recordings made to protect people and property are stored for 30 days from the date of recording.
o Video surveillance recordings made for to monitor the production system are stored for 90 days from the date of recording.
o Data categories that can be processed:
§ name;
§ image;
§ identification document.
o The Banco de Portugal records data on all visitors entering restricted access areas of its premises for security and access management purposes.
o Data subjects entering the Banco de Portugal’s premises must state their name and allow security staff at the premises to verify their identification documents.
o Images of visitors captured by the video surveillance systems of the Banco de Portugal fall under the provisions established above for video surveillance.
o The Banco de Portugal does not keep any copies of the photograph stored on the visitor’s identification document.
o Data processed for the purpose of access management is stored for 180 days.
o Data categories that can be processed:
§ name;
§ image;
§ email address;
§ telephone number;
§ mobile telephone number;
§ sound.
o Personal data of the data subjects involved in the events organised by the Bank may be processed, using information technologies (e.g. videoconferencing) or not.
o The Banco de Portugal carries out some of its communications, meetings, events and interviews through audio visual systems for conferences. The Bank uses service providers for this purpose.
o The use of some of these tools (e.g. Webex, Jabber, SharePoint and Microsoft Teams) may involve the transfer of data to third countries (hence, there is no way to ensure that personal data are not transferred, for example, to the United States).
o Data processed within these platforms shall be stored for as long as necessary for the purposes of processing.
o Data categories that can be processed:
§ name (event forms);
§ date of birth (event forms);
§ tax identification number (event forms);
§ permanent residence or domicile for tax purposes(event forms);
§ email address (event forms and contact with the Banco de Portugal);
§ employer (event forms);
§ IP address (cookies).
o The Banco de Portugal does not collect users’ personal data on its website without first obtaining their consent (e.g. by filling in forms or consenting to the use of cookies).
o By filling in forms or contacting the Banco de Portugal through the channels provided, the Bank may process data for their specific purposes.
o Personal data processed in connection with forms and questionnaires for registration at events are stored for a period of two years.
o The Banco de Portugal’s institutional website uses cookies for access to some of its contents and for improved functionality, therefore you should read the Banco de Portugal’s cookie policy.
o Consent to cookies can be given or withdrawn at any time.
o Regarding cookies, the Bank’s institutional website uses Google Analytics, therefore it cannot guarantee that personal data are not transferred to the United States or need to be transferred to the United States authorities.
o On the other hand, the Banco de Portugal is not responsible for the content or privacy policies of other pages to which it may be linked, and it is therefore advisable to read their policies separately.
o Data categories that can be processed:
§ name;
§ image;
§ voice.
o The Banco de Portugal may process photographs and videos of data subjects in order to document its activities and events.
o Personal data processed by the Bank in the context of events are stored on the basis of the consent of the data subjects and are erased as soon as the purpose for the processing has ended.
o The Banco de Portugal is on various social networks, each with its own privacy and data protection policy. Social media may be used for institutional communication purposes.
o You are advised to read the data protection policies of each of the platforms used by the Banco de Portugal:
§ Instagram;
§ LinkedIn;
§ Twitter.
Transfer of personal data
In the exercise of its institutional functions, the Banco de Portugal may transfer personal data to other entities whenever required or permitted by law or contract.
The Banco de Portugal, as a member of the ESCB, shares information with the ECB and other central banks that are members of that system.
Within the framework of the European banking supervision and resolution systems and the Banking Union, the Banco de Portugal shares information with the other members, including similar authorities, the European Central Bank/Single Supervisory Mechanism, the Single Resolution Board/Single Resolution Mechanism and the European Systemic Risk Board.
The Banco de Portugal may also, under the legal terms and abiding by its cooperation duty, share data with national supervisory authorities, national resolution authorities, as well as other public entities, including, but not limited to courts, the Public Prosecutor's Office, the Tax and Customs Authority, and the Social Security services.
Likewise, the Banco de Portugal keeps the details of the contact points of the entities it cooperates with or which it otherwise needs to contact.
International transfers
In the exercise of its institutional functions, the Banco de Portugal may transfer personal data to third parties located outside the EEA whenever required or permitted by law or contract
The Banco de Portugal may transfer data to similar authorities of third countries and international organisations that guarantee data protection conditions equivalent to those applied by the Banco de Portugal, or in other cases of public interest where the law so permits.
Depending on the legal system and entity, such transfers may take place under, but are not limited to:
o Adequacy Decisions, in which the European Commission has determined that a given country or institution ensures an adequate level of personal data protection;
o Standard Contractual Clauses adopted by the European Commission or by supervisory authorities for this purpose;
o binding corporate rules;
o legally binding and enforceable instruments between authorities or bodies;
o Codes of conduct and certification mechanisms.
The Banco de Portugal may also transfer data to service providers acting exclusively under its guidance and complying with equivalent technical and organisational measures.
Even in the case of multinational service providers based in the EEA, there is no way to ensure that personal data will not be transferred to the main establishment in a third country or that they need to be transferred to the authorities of that third country.
Cookies and institutional website management
The management and maintenance of the Bank’s institutional website and its functionalities are carried out by service providers established in third countries outside the European Economic Area (EEA) or the parent companies of which are established outside the EEA. The use of these services means that the Bank cannot guarantee that the personal data processed by such service providers cannot be transferred to a third country.
Rights of the data subjects and how to exercise them
Pursuant to the applicable law, the Banco de Portugal provides the data subjects with the means necessary to exercise their rights to information, access, rectification, erasure, limitation and opposition to the processing of their personal data, as well as the right to lodge a complaint in this regard.
The Banco de Portugal's Data Protection Officer monitors compliance of personal data processing with the General Data Protection Regulation (GDPR) and other EU data protection provisions, communicates with the data subjects and cooperates with the Comissão Nacional de Proteção de Dados (CNPD – the Portuguese data protection authority), working as a point of contact between the latter and the former regarding personal data processing matters.
Data subjects may exercise their rights:
- at any of the Banco de Portugal’s information desks;
- by post; or
- by email to info@bportugal.pt.
If the data subjects consider that their rights have not been properly considered, or wish to submit a complaint, they can contact the Data Protection Officer:
- by email to encarregado.protecao.dados@bportugal.pt
- by post, to:
Gabinete de Proteção de Dados do Banco de Portugal
Rua do Comércio, 148
1100-150 Lisboa
o The data subject has the right to receive a copy of the personal data kept by the Banco de Portugal concerning the subject, as well as to obtain information on how Banco de Portugal uses those data;
o This right may be exercised at any time, provided that the Banco de Portugal stores the personal data of the data subject and without prejudice to eventual restrictions in specific cases.
o The data subject is entitled to request that the Banco de Portugal update or correct personal data relating to them, if such data are incorrect, outdated or incomplete.
o This right may be exercised at any time, provided that the Banco de Portugal stores the personal data of the data subject.
o The data subject has the right to request the deletion of personal data from the Banco de Portugal’s registers and systems.
o This right applies only in certain circumstances, specifically where the purpose for the processing has ended or where the data subject withdraws the consent the processing is based on and where there are no other legal grounds such data to be processed.
o This right shall not apply to the extent that processing is necessary for compliance with a legal obligation or for the fulfilment of a task carried out in the public interest or in the exercise of official authority.
o The data subject has the right to request the Banco de Portugal to restrict the processing of personal data, i.e., the Banco de Portugal may only store the data, subject to a few exceptions.
o This right applies only in a limited range of situations, namely:
§ from the moment the data subject contests the accuracy of the personal data stored by the Banco de Portugal until the moment the Bank submits its reply;
§ where the processing is unlawful but the data subject opposes erasure of the personal data;
§ if the Banco de Portugal no longer needs the personal data for the purposes of the processing, but they are required by the data subject for judicial purposes;
§ where the data subject has objected to processing and the Banco de Portugal is verifying whether the legitimate grounds for the processing override the rights and interests of the data subject.
o The data subject has the right to receive the personal data in a format that enables their transmission to a third-party institution, where the processing is based on consent or on a contract and the processing is carried out by automated means.
o Where technically feasible, the data subject may request that the Banco de Portugal transmit the personal data directly to the third party institution.
o This right shall not apply to processing necessary for a task to be performed in compliance with a legal obligation or carried out in the public interest or in the exercise of official authority vested in the Banco de Portugal.
o This prevents this right from being exercised in respect of many of the personal data stored by the Banco de Portugal, as most of these data are processed for the purposes of the institution’s obligations and the pursuit of the public interest.
o The data subject has the right to object to the processing of personal data by the Banco de Portugal in certain circumstances.
o Irrespective of the data subject’s opposition, the Banco de Portugal may continue to process the data subject’s personal data if there is a legitimate basis for doing so or if the data are necessary for judicial purposes.
o This right applies to the processing of data by the Banco de Portugal in the public interest.
o The data subject has the right not to be subject to a decision based solely on automated processing (without human intervention), which produces legal effects or similarly significantly affects the data subject.
o This right applies only to automated decisions.
o This right does not apply if the decision is authorised by Union or Member State law to which the controller is subject.
Withdrawal of consent
The data subject has the right to withdraw consent at any time from any processing activity lawfully carried out by the Banco de Portugal based on consent. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Lodging a complaint with the supervisory authority
The data subject has the right to lodge a complaint at any time with the Comissão Nacional de Proteção de Dados (CNPD – the Portuguese data protection authority) where the data subject considers that the Banco de Portugal is not lawfully processing their personal data or is not properly acting on the data subject’s request to exercise one or more rights.
Other data protection policies of the Banco de Portugal
In addition to this general data privacy policy page, the Banco de Portugal has specific policies in place, namely:
- Accounts Database (in Portuguese);
- Central Credit Register (in Portuguese);
- Fundo de Garantia de Depósitos;
- Fundo de Resolução (in Portuguese);
- List of cheque defaulters (in Portuguese);
- Money Museum.
Uncertainties and Questions
The Banco de Portugal's Data Protection Officer monitors compliance of personal data processing with the General Data Protection Regulation (GDPR) and other EU data protection provisions, communicates with the data subjects and cooperates with the Comissão Nacional de Proteção de Dados (CNPD – the Portuguese data protection authority). Hence, the Data Protection Officer acts as a point of contact between the latter and the former regarding personal data processing matters.
Should you have any questions regarding any aspect of this data protection policy, please contact the Banco de Portugal's Data Protection Officer at encarregado.protecao.dados@bportugal.pt.