General Data Protection Regulation 

Here you can find all the information regarding the implementation of the General Data Protection Regulation (GDPR) at Banco Carregosa, including frequently asked questions about their impact and our Privacy Policy.

  • What is the GDPR?
    The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council) entered into force on 25 May 2018. The Regulation will be applied in a uniform way in all Member States, aiming at strengthening the protection of privacy rights of citizens of the European Union.
  • What are the implications of this Regulation?
    The Regulation ensures that data subjects have more control over the circulation of their personal data. Therefore, the entities processing their data should do so with maximum transparency and on a legal basis, allowing them to have access to any relevant information related to the processing of such data.
  • The rights of data subjects are strengthened.
    The Regulation establishes a set of rights aiming at protecting the personal data of individuals, strengthening the ways in which they can exercise such rights and giving them back the ability to control the circulation of their data. Data subjects can consult our Privacy Policy to find out more about their rights.
  • Giving consent to receive marketing communications.
    Marketing communications will always depend on the free, informed and explicit consent of data subjects, which may be withdrawn at any time. If you are our client, you may withdraw consent for the ending of marketing e-mails through your homebanking, under the "Settings” tab, or by contacting the Data Controller. If you do not have access to homebanking, you should contact our Data Controller. If you are not our client, you can manage the topics of interest you have subscribed and consented to using the link provided in the marketing communications we sent you. Alternatively, you can contact our Data Controller.
  • The role of Banco Carregosa. 
    Banco Carregosa will secure maximum transparency in processing your personal data, while ensuring the utmost respect for your right to privacy. Moreover, we have appointed a Data Controller who will independently answer any questions regarding the processing of your data.

Banco Carregosa’s Privacy Policy

Our Privacy Policy has been reviewed to better ensure the protection of your personal data.

Who is responsible for processing my personal data?

Banco L. J. Carregosa is responsible for processing the personal data of its clients and/potential clients. Our contact details are as follows:
Address: Avenida da Boavista, 1083, 4100-129, Porto.
Telephone: 22 608 64 60

How can I contact the Data Controller of Banco L. J. Carregosa?

Banco L. J. Carregosa has appointed a Data Controller, who is in charge of monitoring compliance with the legislation, managing the interaction of data collected from data subjects, and for cooperating with the Portuguese Data Protection Authority, the national supervisory authority. Any questions regarding the processing of your personal data should be sent to the following e-mail:

How does Banco L. J. Carregosa collect my personal data?

Banco L. J. Carregosa collects your personal data in the following ways:
  1. Completion of account opening forms either online or in-person;
  2. Through the authentication and validation services of homebanking operations; 
  3. Completion of forms to obtain consent to receive marketing communications or to participate in events and other promotional activities; and
  4. Using the website of Banco L. J. Carregosa.

For what purposes and on what grounds does Banco L. J. Carregosa collect and process my personal data?

Pursuant to the General Data Protection Regulation, processing means " any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
Banco L. J. Carregosa promotes the lawful and transparent processing of your data, using validated forms of legitimation and using them only for the purpose described below.

Processing for contract performance purposes
Some personal data are processed by Banco L. J. Carregosa as they are proved to be necessary for the performance of a contract or for carrying out pre-contractual proceedings:

  • Opening of accounts and recording and preservation of information necessary for the provision of banking and financial intermediation services.
  • Provision of information as part of the marketing of products and services provided by the Bank, and investigation as to whether that are suitable to the client’s profile. 
  • Management of the business relation through the recording of banking operations, in particular: transfers, transfer of titles, cheque and cash deposits, execution of orders in financial instruments, etc.
  • Examination and response to complaints, requests for clarification, and suggestions.
  • Adherence to and management of services linked to electronic channels, such as homebanking and e-trading platforms.
  • Management of credit operations, in particular as regards the simulation and granting thereof, and also the provision of associated guarantees.
Processing based on a legal obligation
Banco L. J. Carregosa’s activity is subject to a set of legal requirements under which the bank has to collect and process a set of data, namely:
  • Legislation on the prevention of money laundering and terrorist financing;
  • The body of legislation on financial intermediation, headed by the Second Markets in Financial Instruments Directive (MiFID II);
  • Legislation applicable to the exercise of the banking activity, especially the Legal Framework of Credit Institutions and Financial Companies; and
  • Regulatory legislation issued by Banco de Portugal and the Portuguese Securities Market Commission;
  • Determining risk profiles and investigation of knowledge, experience and investment objectives for the acquisition of certain financial instruments.
  • Using screening and filtering tools to prevent crimes related to money laundering and terrorist financing.
  • Responding to requests from supervisory bodies – Banco de Portugal and the Portuguese Securities market Commission – and from other public authorities.
  • Compliance with tax and accounting obligations.
  • Recording of images through videosurveillance cameras, in compliance with Decree-law No. 34/2013.
  • Recording of communications carried out when placing orders in financial instruments. 
  • Establishment of a documentary archive.

Processing based on the legitimate interest of the Bank
Data processing carried out based on the legitimate interest of Banco L. J. Carregosa aims, above all, to continuously improve the business relationship and client experience, unless the interests or fundamental rights and freedoms of the data subject prevail and require the protection of personal data, in particular if the data subject is a minor.
  • Providing information to clients on financial markets, technical analyses, etc...
  • Sending marketing communications via SMS and e-mail on promotional campaigns or aimed at boosting the purchase of the products and services offered by the Bank.  
  • Using the historical data of interactions with clients and the financial information collected to define profiles and categories to increase the quality of communications and services provided.
  • Checking the levels of satisfaction and the quality of services provided.
  • Managing defaults (litigation) or the exercise/defence of a right, regardless of whether it is a legal proceeding or an administrative or out-of-court proceeding.
  • Accessing credit information systems in determining credit risk.
  • Keeping and managing information systems to protect their integrity, namely through access control and monitoring.

Processing based on the consent of the data subject
The data subject may enable Banco L. J. Carregosa to process certain data by giving their free, express, informed, specific and explicit consent (orally or by other verifiable means):
Collection of biometric data for the purpose of authenticating access to homebanking and validating operations.
Adapting the browsing experience on the Bank’s website, according to:   
  • The counting the number of hits (visits to the site), visitor origin, site viewing time and the pages consulted within the website;
  • The optimisation of contents, based on the browsing history; and
  • The optimisation of browsing based on the operative systems and browsers used.
Call recording with a view to monitoring the quality of services. 
Other legal grounds for processing personal data set out in the General Data Protection Regulation are as follows:
  • When the processing of data is necessary to protect a vital interest of the data subject or of any other person; and
  • When the processing is carried out in the public interest and is done by a compliance officer vested with public authority.

What type of personal data can Banco L. J. Carregosa collect?

Full name;
Date of birth;
Tax identification number or equivalent number issued by a competent foreign authority;
Social Security identification number;
Civil identification number (Citizen Card, identity card, passport or residence permit), their issuing entity and date of issue/validity;
Place of birth;
Marital status;
Matrimonial property regime;
Name, address and TIN of fiscal representative, if applicable;
Politically Exposed Person status;
Biometric data
Facial images;
Voice recordings;
Professional information
Qualifications nd academic background;
Profession and employer;
Professional address;
Mobile phone;
E-mail address; 
Permanent residence address;
Fiscal address;
Financial and business relationship data
Knowledge and experience in investment and financial instruments;
Financial situation;
Purposes to be assigned to the securitised bank account;
Business correspondence;
History of monetary transactions and financial instruments from, to and in accounts held at Banco L. J. Carregosa;
History of contacts with the support services;
Recordings of telephone calls.
Data collected indirectly through the Banco Carregosa website
Date, duration and location of visit to the website;
Browser type, operating system and details of the device;
IP address

To whom will my data be transferred?

Banco L. J. Carregosa transmits your personal data to service providers and public authorities as required by law or only when necessary for the performance of contracts for financial intermediation and banking services. 
Your data will not be transferred to countries outside the European Economic Area unless the country in question is subject to an adequacy decision of the European Commission, offering safeguards at least equivalent to those in the General Data Protection Regulation regarding the protection of privacy rights of data subjects.
Whenever requested by the data subjects, Banco L. J. Carregosa will identify the sub-contractors it used to provide its services.
You may contact our Data Controller to clarify any doubts regarding the transfer of your data to third parties.

What security measures have been implemented to keep my data secure?

  • Implementation of information system controls by computer; 
  • Provision of profiles for restricted access to data, based on a need-to-know basis, and respective control of consultations;
  • Installation of Firewalls to prevent unauthorised access.

How long will the Bank keep my data?

In the case of processing based on consent, the data will be deleted as soon as the data subject withdraws consent or exercises the right to erasure. As regards the data collected based on legal requirements, Banco L. J. Carregosa is obliged by Article 51(1) of Law No. 83/2017 to retain, for a period of 7 years after the end of the business relationship, the following elements:
The copies, records or electronic data obtained from all documents obtained or made available to the Bank by clients or any other persons under the identification and due diligence measures provided for in the law referred to in the preceding paragraph;
The documents of the processes or files concerning their customers and their accounts, including any commercial correspondence sent;
Any documents, records and analyses, internal or external, that formalise the compliance with the legal and regulatory provisions in the said law.
Additionally, pursuant to Article 6(f) of the General Data Protection Regulation, the data referred to above and also those relating to the use of accounts held with Banco L. J. Carregosa – including, but not limited to, bank and financial statements, proof of transactions and invoices – may be kept until the limitation period for contractual liability which, under the law, is set at 20 years.

How can I withdraw consent for the processing of my data?

If you are a client of Banco L. J. Carregosa, you can withdraw consent for the processing of data collected based on this form of legitimation through your homebanking, under the "Settings” tab, or by contacting the Data Controller. If you do not have access to homebanking, you should contact our Data Controller.  
If you are not our client, you can manage the topics of interest you have subscribed and consented to using the link provided in the marketing communications we sent you. Alternatively, you can contact our Data Controller.

What rights do I have in relation to the processing of my personal data?

The General Data Protection Regulation strengthens the guarantees already provided by previous legislation and also grants new rights to data subjects. Therefore, you may exercise the following rights with Banco L. J. Carregosa:
Request additional information regarding the types of data kept, the purposes of their processing, and to whom they are transmitted;
Request copies of data;
Request the portability of your data provided under the performance of the contract to another data controller;
Demand the rectification of inaccurate or incorrect data;
Request the deletion of data in respect of which processing has become unlawful, for example, because you have withdrawn consent or because the retention period imposed by mandatory legislation has expired;
Oppose to the processing when it is carried out on the basis of public interest or in the interest of the data controller and there are no compelling legitimate reasons overriding the interests, rights and freedoms of the data subject, or the data are not necessary for establishing, exercising or defending legal claims.
Demand the limitation of processing operations in the following cases:
When you contest the accuracy of your data;
When the processing of your data has become unlawful, but you do not intend to request the deletion thereof;
When the processing has already ceased, but Banco L. J. Carregosa needs the data for the purpose of stating, exercising or defending a right in legal proceedings.
Whenever you exercise any of these rights, Banco L. J. Carregosa or the Data Controller will reply within one month. In cases where the request is particularly complex, this deadline will be extended by one month and the reply will b accompanied by a statement of reasons.
If the reply from Banco L. J. Carregosa or from our Data Controller does not meet your expectations or if you are dissatisfied with the processing operations carried out, you should lodge a complaint with the Portuguese Data Protection Authority, the competent supervisory authority, through the following contacts:
Address: Rua de São Bento, n.º 148, 3º, 1200-821, Lisbon.
Telephone: 213928400