Data protection

The data controller is the person (natural or legal) who determines the purposes and means by which your personal data are processed.

In general terms, this condition will be assumed by Banca March, S.A. (hereinafter, "Banca March"), with CIF A-07004021 and registered office at Avinguda Alexandre Rosselló 8, Palma, Balearic Islands, Spain, in most of the data processing.

However, as a consequence of the services provided within the framework of our relationship with our clients, there may be situations in which, together with Banca March, other entities (third party suppliers) act as data controllers. An example of this co-responsibility, among others, could be the case of courier companies who decide the means and purposes of the processing in order to be able to provide a certain service.

Throughout the relationship with its customers, Banca March may process some of the following types of personal data.

• Identification and contact details (including postal and e-mail addresses).
• Identification codes or passwords for access and operations within the Remote Banking channels offered by Banca March.
• Data on the signature of your customers (including digitalised signature).
• Socio-demographic data, such as:
  • Nationality.
  • Tax data.
  • Family situation data.
  • Employment information.
  • Professional and academic information.
• Financial and solvency data.
• Data derived from the operations carried out, such as:
  • Data relating to the purchase of specific services or products, including banking, financial and transactional data.
  • Bank or securities account details, credit card number, cash transfers, available assets, investment profile and spending patterns.
  • Data relating to your consumer preferences.
  • Card payment data and in particular location data on locations of cash withdrawals and payments made.
  • Data from complaints or legal proceedings.
  • Data obtained as a result of obligations arising from money laundering prevention regulations.
  • Telephone conversation data.
  • Video surveillance.

On the other hand, Banca March may process data indirectly. That is to say, it will be the client who provides us with third party data. This may be the case of:

• Guarantors or other guarantors.
• Authorised persons.
• Family members.
• Minors represented by the client.
• Beneficial owners and shareholders of companies.
• Employees of legal entities.
• Beneficial owners of transactions.
• Usufructuaries and owners.

The detailed data may be required by Banca March throughout the contractual relationship. Depending on the product or service contracted, they must be provided on a compulsory basis in order to process the application. The above is understood to be without prejudice to any others that may be requested by Banca March in accordance with the applicable regulations at the time of processing said application and the refusal to provide them could mean the impossibility of contracting certain products. Hereinafter, we will jointly refer to the detailed data as "Personal Data".

All the Personal Data that Banca March processes from its customers are those data provided through Banca March's data collection documents, as well as those provided when formalising the contracting of a product or service, either through the web, the call centre or the different Banca March branches.

Banca March may also obtain Personal Data through:

• Public registers.
• Official gazettes.
• Entities that provide information on solvency and delinquency.
• Social networks and the internet.
• Fraud prevention agencies.
• Databases for money laundering prevention purposes.
• The Tax Agency.
• The General Treasury of the Social Security.

Banca March processes the Personal Data of its clients as a consequence of:

The execution of the contract with the client:

• To manage the request of an interested party in the contracting of products and services of Banca March or of third parties when these are contracted through Banca March, and to maintain the contractual relationship. In the case of contracting third party products, Banca March will communicate the necessary Personal Data of the customer to the company whose products and/or services are marketed by Banca March, in order to simplify and speed up the contracting.
• In order to manage the possible complaints, claims and suggestions that may be made by the customers within the scope of the execution of the contract signed between the customer and Banca March.
• In the same way, Banca March will process all the data derived from both extrajudicial and judicial claims and will carry out all the procedures that may be necessary to comply with said requirements.
• In order to carry out appraisals of assets on which the customer decides to constitute a real right such as a mortgage or intends to use it in other operations such as the constitution of a guarantee.

Compliance with a legal obligation:

• To evaluate the solvency and credit risk of the interested party. In order to be able to analyse the risk of the interested party and, if necessary, to evaluate the viability of contracting the product or the need to make its validity conditional on the constitution of a payment guarantee, Banca March will process the information provided by the interested party, and that obtained from the consultation of internal files, as well as files of third parties of capital solvency or consulting the Central Risk Information Centre of the Bank of Spain (CIRBE). ). Based on these consultations, Banca March will be able to internally classify its customers according to risk and adopt decisions with legal effects or that affect them, which may result in the non-contracting of the product requested by the customer or condition its validity to the constitution of a payment guarantee, all in accordance with the risk that is estimated by Banca March and the credit rating that results from the analysis of the information obtained.
• Within the framework of the fight against the financing of terrorism and serious forms of organised crime and the prevention of money laundering, for the formal and real identification of those intervening or applying for products offered by Banca March, as well as the identification of the professional or business activity.
• With regard to the obligations derived from the regulations on the prevention of money laundering and the financing of terrorism, Banca March may:
  (i) share such information with the rest of the Banca March Group entities or investee companies,
  (ii) report certain transactions to the Executive Service for the Prevention of Money Laundering and Monetary Offences (SEPBLAC),
  (iii) obtain information from credit institutions and other payment service providers,
  (iv) to make periodic reports to the Fichero de Titularidades Financieras (Financial Ownership File).
• To make certain reports to regulatory banking authorities such as the Bank of Spain, the European Central Bank or the European Banking Authority.
• In order to comply with the European regulations on Markets in Financial Instruments (commonly known as MiFID), Banca March may process personal data obtained through the recording of calls.
• In order to comply with international regulations on the exchange of information on financial matters between tax administrations.
• In order to comply with private security regulations, Banca March carries out video surveillance in its branches.

Banca March's legitimate interest:

The following activities are carried out based on the legitimate interest of Banca March. Having carried out a thorough analysis of such data processing and verifying with such analysis that the rights of customers in terms of data protection have not been violated:

• Share personal customer data with the rest of the Banca March Group companies or their subsidiaries, third party companies or to common systems on the exchange of fraudulent conduct exclusively for purposes related to fraud prevention.
• To update personal data, either with our own sources (customer databases) or through data that the interested party has made manifestly public or other public sources (official registers, professional lists, etc.).
• For purely administrative purposes, identification, accounting, internal audits, management and direction of complaints or internal business valuations, Banca March may share customer data with the rest of the Banca March Group entities or its subsidiaries.
• In order to be able to verify the quality of the services, communications, procedures, treatment received, as well as the products offered or to be offered, Banca March will carry out satisfaction surveys among its customers.
• To record calls with its customers in order to be able to accredit the content of different procedures or requests sent in accordance with the subscribed contract, or, on occasions, to be able to evaluate or control the quality of the services provided. The customer will be informed that the call will be recorded, and may object to the recording of the call.
• To carry out promotional communications about Banca March products and services both by ordinary means (post and telephone) and electronic means (e-mail, SMS, instant messaging, application). In order to be able to send personalised offers on its own products and services, Banca March may carry out an analysis using the scoring technique or customer score based on their credit risk, using the data provided by the customer and the data generated in the relationship with Banca March (with information obtained through internal databases), historical behaviour in the operations that may have been subscribed in the past, commercial interests provided by the customer in the use of the service or based on the completion of surveys, as well as the information identified or estimated by Banca March based on the credit risk that the customer shows in their contractual relationship).
• To elaborate basic profiles, including by means of automated techniques, with the purpose of evaluating and determining the degree of propensity with respect to specific products and to personalise in detail the offer of the same. For the elaboration of the basic commercial profiles we will analyse your preferences using the data of your relationship with Banca March, such as identification and contact data, economic and solvency data, transactional data, data of products and services contracted with Banca March or marketed by it, the data of the use of the channels and services that Banca March makes available to you, including the navigation information that we collect and digital behaviour data obtained from platforms and media centres assigned to cookies or devices when you give us your consent to our web and mobile cookies policy. The use of legitimate interest as a basis for the present treatment resides in the fact that the purpose of the same is to allow the advertising sent to our clients, in relation to the execution of a contract, to be less generic and more appropriate to their preferences.

The express consent of the customer:

The following processing of personal data is carried out by Banca March only when it has the customer's express consent to do so:

• Requesting the General Treasury of the Social Security for information on their professional or business activity, with the exclusive purpose of being able to verify the information relating to the customer's economic and professional activities, necessary to process the contracting requested by the customer. In the event that the client does not consent to Banca March carrying out this request, it will be necessary for the client to provide the necessary information for the identification of his/her professional or business activities.
• To carry out promotional communications both by ordinary means (post and telephone) and electronic means (e-mail, SMS, instant messaging, application) of products and services of the entities of the Banca March Group and its subsidiaries, such as insurance, real estate, etc. In order to be able to send personalised offers on products and services, Banca March may carry out an analysis by means of the scoring technique or customer scoring based on their credit risk, using the data provided by the customer, those generated in the relationship with the Bank (e.g. transactions) and those obtained from external sources. Banca March will be able to complete the customer data with information obtained through internal databases, historical behaviour (e.g. transactions) in the operations that may have been subscribed in the past, commercial interests provided by the customer in the use of the service or based on the completion of surveys, as well as the information identified or estimated by Banca March based on the credit risk that the customer shows in their contractual relationship. Banca March may also use other sources for these purposes (from third party companies, solvency files, internet, etc.) or through interactions that the interested party makes with Banca March, (navigation data, cookies).
• To transfer customers' personal data to the rest of the Banca March Group entities, its subsidiaries or collaborating entities (mainly insurance companies) so that they can send personalised commercial communications, both by ordinary means (post and telephone) and electronic (e-mail, SMS, instant messaging, application).
• Digitalise the writing or signature through the devices or tablets available at Banca March branches, in order for the customer to carry out operations, requests, instructions, contracts, orders, declarations or documents of any kind whose subscription through such devices requires the treatment and conservation of the customer's biometric data obtained through the digitalisation of his/her signature and registration of such data in order to be able to accredit the identity of the signatory and the authenticity of the documentation or operation subscribed.
• Obtain information from third parties relating to guarantors (guarantors, guarantors, etc.) or affected third parties (beneficiaries, relatives, etc.) when this is required by the contract signed by the customer, with the customer expressly declaring that the third party information communicated is truthful and in accordance with reality, as well as that they have been informed of the communication of their data and have obtained their consent to communicate their personal information in the corresponding process.
• Process personal data of minors contracting products or affected by contracts entered into by the customer (e.g. authorised), only with the duly signed authorisation of the legal representative (mother/father/guardian).
• To process your data, once the contractual relationship has ended, in order to offer you conditions to try to continue with Banca March. For this purpose, Banca March may contact you, both by ordinary and electronic means.

By the following means:

• Specific boxes both through the online forms and in physical format.
• Telephone calls.
• Digitalised signature as proof of the will expressed by the customer.

The personal data to which you have access will be processed for as long as the contractual relationship is maintained. In this sense, there are certain regulations that oblige Banca March to keep the documentation for a certain period of time. Banca March, on the basis of the obligation derived from the Law for the Prevention of Money Laundering and Financing of Terrorism, will keep the Personal Data for a period of 10 years from the termination of the business relationship.

Banca March communicates the data of its customers to:

• Public bodies and institutions of the General State Administration, Autonomous Community and Local Administrations, including Jurisdictional Bodies to which it is legally obliged to provide them.
• Tax Authorities, both national and international.
• Financial sector supervisory bodies, based on compliance with legal obligations.
• In the cases of contracting collective investment vehicles or pension funds and plans, the data will be sent to the Management Company of Collective Investment Institutions of Banca March.
• In the cases of transfers, contracting of other products that imply communication with a third entity, the data will be sent to said entity according to the client's request.
• Common solvency or credit risk files (common files of non-compliance with monetary obligations and to the Bank of Spain's Central Credit Register).
• For administrative purposes and to prevent fraudulent conduct, customer data may be sent to the different companies of the Group, as well as Banca March and third party companies or centralised information systems.
• With your consent, to the different companies of the Banca March Group, subsidiaries and third party collaborators (mainly insurance companies).
• Potential buyers or investors.
• Third party service providers that may have access to the personal data of customers in order to provide their services, such as lawyers, solicitors, consultancy services, advisory services, IT development and maintenance, physical security, video surveillance, administrative services and destruction of documentation, among others. Banca March pre-selects these suppliers on the basis of data protection compliance criteria, has signed data protection contracts with all of them and controls that they comply with their obligations in this area.

The personal data of Banca March customers may be transferred to suppliers located in third countries for the provision of certain services associated with the execution of their contracts. In any case, before these transfers take place, Banca March will adopt all the necessary guarantees to ensure that the conditions affecting these transfers are adequate. In particular, Banca March will adopt some of the following guarantees:

• Standard data protection clauses (a guarantee that will be adopted as a matter of course);
• Binding corporate rules;
• Codes of conduct;
• Certification mechanisms.

Customers may exercise their rights of access, rectification and deletion of data, as well as request that the processing of their personal data be limited, oppose the processing, or request the portability of their data, through the Banca March Customer Service Department.

Customers who believe that their data protection rights have been violated or who have any claim related to their personal information may contact the Data Protection Delegate of Banca March through the following e-mail address dpo@bancamarch.es. In any case, interested parties may always turn to the Spanish Data Protection Agency, the supervisory authority in the field of data protection. C/ Jorge Juan 6, 28001, Madrid. Telephone numbers: 901.100.099 / 91.266.35.17.

The Banca March Group is structured according to the two activities it carries out. On the one hand, the banking activity, complemented by insurance and management of collective investment institutions; on the other hand, the investment activity, dedicated to investment in industrial holdings.

Since 1926, Banca March, S.A., the Group's parent company, has been engaged in the banking business.

In the insurance business, March Risk Solutions and March Vida, S.A. de Seguros y Reaseguros form part of the Group. The management of collective investment institutions is carried out through March Asset Management, S.G.I.I.C., S.A. and March Gestión de Pensiones, S.G.F.P., S.A.

Banca March, S.A. also owns 100% of the shares of Banco Inversis, S.A., a benchmark company in the Spanish financial system, specialising in the provision of investment services related to the execution, custody and settlement of securities (including investment funds), the administration and depositary of collective investment undertakings and pension funds, as well as the distribution of investment funds of the main international fund managers through its fund platform.