Shareholder Privacy Policy

At CaixaBank, we will process your personal data for different purposes, always in accordance with the provisions set out in current regulations, respecting your rights and in complete transparency.

To this end, in this Privacy Policy, which you may access at any time at https://www.caixabank.com/en/shareholders-privacy.html, you may view the full details on how we will use your data during the relationship we establish with you as a CaixaBank shareholder, authorised representative of a shareholder or you fill in forms or sign up for events related to shareholders on our corporate website at CaixaBank.com.

Bear in mind that if you have other interactions with CaixaBank (for example, you are a customer or employee), details of how we use your data can be consulted in the corresponding Privacy Policies held by the bank. In the case of the Customer Privacy Policy, at https://www.caixabank.es/particular/general/privacy-policy.html or in the case of bank employees, in the private area of the corporate Intranet.

The main regulations that govern the processing we will perform on your personal data are:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 regarding the protection of individuals with regard to personal data processing and the free flow of these data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter GDPR).
• Organic Law 3/2018 dated 5 December 2018 on Personal Data Protection and Digital Rights Guarantee (hereinafter LOPD (Personal Data Protection Law).
• Royal Legislative Decree 1/2010, of 2 July, which approves the revised text of the Spanish Capital Companies Act.

Data controller: The party responsible for processing your personal data as part of your relationships as a shareholder is CaixaBank, S.A. ("CaixaBank"), with Tax ID number A-08663619 and address at calle Pintor Sorolla, 2-4 Valencia.

CaixaBank has appointed a Data Protection Officer, which will attend to any questions you may have regarding your personal data processing and the exercise of your rights. You may contact the Data Protection Officer to make suggestions, enquiries, doubts o complaints at the following address: 
https://www.caixabank.es/particular/general/dpo_en.html.

You may exercise your rights to access, rectify, oppose, delete, limit, transfer your personal data and withdraw your consent as provided by law.

You may request to exercise these rights via the following channels:

• Sending an email: accionista@caixabank.com
• By sending a letter to Apartado de Correos 209, Valencia, with postal code 46080, stating your condition as a shareholder in the bank. If you are a member of the Shareholder Advisory Committee, you must indicate this condition.

Furthermore, shareholders can exercise the rights provided for in the regulations by writing to "Sociedad de Gestión de los Sistemas de Registro, Compensación y Liquidación de Valores, S.A.", hereinafter, Iberclear (Plaza de la Lealtad, 1, 28014 Madrid). 

Additionally, if you have any complaint arising from the processing of your data, you may address it to the Spanish Data Protection Agency  (www.aepd.es/en).

We will use the data specified below for the processing set out in our Privacy Policy.

Not all the data that we specify in this section are used for all data processing activities. In section 6, where we specify our data processing activities, you may specifically consult the processed data categories for each particular activity.

In the event of the processing based on your consent, we will additionally inform you of the details of the specific data that are used.

The classifications and details of the data used in the processing set out section 6 are as follows:

Data provided by Iberclear when you acquire the shares, or provided by you to CaixaBank as part of the shareholder relationship, including when practicing your rights as a shareholder:

These are the data classifications and details thereof:

• Identification and contact data: full name, gender, postal contact information, telephone number and e-mail address, place of residence, nationality and date of birth, language for communications, identification document, image and voice, signature. In the event of using it, your electronic signature.
• Information about your professional or work activity: the data you provide on your CV that must be submitted when applying to serve on the CaixaBank Shareholder Advisory Committee.
• Data on particular communication needs: data provided by interested parties to enable accessible communication and operational management.
• Data on legal capacity: data on a person's capacity to act, established by a court ruling.
• Data related to the shares: shareholder code, number of shares and issuance, holder's condition (holder, bare ownership, usufructuary ownership or authorised representative), depositary company; securities account code and settlement account; transaction date (execution and effective date).
• Data of the authorised representatives of shareholders: full name, identifying document, accreditation of the power they are acting in.
   

Data provided when filling in forms or signing up to events related to shareholders on our institutional website:

These are the data classifications and details thereof:

• Personal and contact details: full name, postal address, telephone number, email address, language of communication, identification document, only for face-to-face events.

We carry our different processing tasks on your data for different purposes, and they have different legal bases:

• Processing required for the execution of the shareholder relationship.
• Processing based on consent.
• Processing based on legitimate interest.

In addition to the general processing that we specify below, we may carry out specific processing not mentioned in the aforementioned policy. We will provide you with the detailed information on such processing when we handle the specific request.

6.1. Processing necessary to perform shareholder relationships

The legal basis for this data processing is the fact that it is necessary to manage your shareholder relationships or the relationships for which you have been named an authorised representative or when you fill in forms or sign up to events related to shareholders on our institutional website or to apply, if you so request, pre-contractual measures, in accordance with the provisions of Article 6.1.b) of the General Data Protection Regulation (GDPR).

Therefore, are processing necessary to that you can establish and maintain contractual relationships with us. If you were to oppose this, we would end these relationships, or would be unable to establish them where they have not yet taken effect.

The processing necessary to implement contractual relations are indicated below from (A) to (E). We will point out for each of them: the description of the purpose (Purpose), the type of data processed (Processed Data Type), where appropriate, information on the use of profiles (Use of Profiles) and any other necessary information related to the processing (Other Relevant Information), as well as the data controller.

A. Maintenance of the Shareholder Register

Purpose: The aim of this of processing is to manage and maintain the existing shareholder relationship between us by including your condition as a shareholder in the Register. This Register and its maintenance is necessary to the control the ownership of shares in CaixaBank. 

Types of processed data: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact details.
• Data on legal capacity.
• Data related to shares.
• Data of the authorised representatives of shareholders.

Other relevant information: Below, you will find other relevant information on this processing:

• Source of the data: In any case, regardless of the Company in which you deposit your shares, the personal data for the maintenance of the Shareholder Register are obtained via the company legally set up to keep the record of book entries, Iberclear.
• Regulatory obligations: This processing is based on the provisions of Royal Legislative Decree 1/2010, of 2 July, enacting the restated text of the Spanish Corporate Enterprises Act in relation to the duty to identify shareholders.
• Storage period: We will process your data while the shareholder relationship that we have established with you remains in force; once it comes to an end, the data will be stored for a period of 12 months, blocking it and storing it for a period of 10 years, pursuant to the provisions of the anti-money laundering regulations.

 
Data controller: The data controller responsible for this data processing is CaixaBank.

B. Management of the General Shareholders Meeting

Purpose: The purpose of this processing activity is to prepare, call, hold and disclose the General Shareholders Meeting of CaixaBank S.A. in so far as its status as a public limited company, pursuant to the requirements of the Spanish Corporate Enterprises Act.

The processing operations performed are as follows:

• Calling the General Meeting: this includes sending the corresponding statement containing information on the call for the meeting, attaching the attendance, delegation and customised vote cards.
• Exercise of your attendance rights (including online), delegation of your vote (in advance, as per the enabled mechanisms) and vote (in advance or the same day as the General Meeting; all via the enabled mechanisms).
• Right to information: resulting from the exercise of the right to information by shareholders, as provided for by law.
• Online Shareholder Forum, the purpose of which is to facilitate communications between shareholders, before the General Shareholder Meetings are held, as provided for in the legislation in force.

Types of processed data: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact details.
• Data on particular communication needs.
• Data on legal capacity.
• Data related to shares.
• Data of the authorised representatives of shareholders.

Other relevant information: Below, you will find other relevant information on this processing:

• Regulatory obligations: This processing is based on the provisions of Royal Legislative Decree 1/2010, of 2 July, enacting the restated text of the Spanish Corporate Enterprises Act in relation to all aspects to manage the General Shareholders Committee.
• Categories of specially protected data or particularly sensitive data: The data on particular communication needs and your legal capacity will be used exclusively to guarantee your right to information jus disponendi and the necessary resources for you to vote. In this case, the data will be processed pursuant to the provisions of Article 514 of the Spanish Corporate Enterprises Act and Article 9.2.b of the RGPD.
• If you are the authorised representative of a shareholder, please note that your data will be processed by CaixaBank to manage the development, fulfilment and control of the shareholder relationship, for the exercise of the rights of attendance, delegation and voting at the General Shareholder Meeting and that have been provided by the shareholder that you represent.
• Disclosure of the General Shareholders Meeting: as a public limited company, the CaixaBank S.A. General Shareholders Meeting is recorded and streamed for the purposes of facilitating shareholder participation, pursuant to the corporate good governance regulatory principles required by listed companies.

Pursuant to the foregoing, the image of attendees may be recorded, on an ancillary basis, during the recording and streaming of the General Shareholders Meeting.

• For reasons of confidentiality, data protection and the right to honour and personal image, attendees at the General Shareholders Meeting may not record or disseminate the Meeting or the interventions made by shareholders (or their representatives). The Bank will not be responsible for the recording and/or unauthorised disclosure of personal data by attendees at the Meeting or other third parties who may have access to this data.
• Attendance and intervention at the General Shareholders Meeting: when intervening at the General Shareholders Meeting, your image and voice may be recorded. As indicated in section 6.1.A of this document, you are entitled to authorise or reject the broadcasting of your image live.

If you do not authorise the recording of your image, as part of the processing indicated in section 6.2.A of this document, your intervention may be made from a position in which your image is not broadcast. In any case, your voice will be broadcast and recorded.

• Filing period: in relation to the call, attendance, celebration and development of the General Shareholders Meeting, we will only process the data necessary to ensure the correct fulfilment of our shareholder relationship. Once the Meeting ends, we will store your data until the resolutions are effectively adopted.

As regards corporate resolutions, we will store this information for the entire life time of the company; in the event of its dissolution, for a period of six years as provided for in Article 30.1 of the Code of Commerce, starting from the last entry made in the books, unless these resolutions may be considered as being against public safety as provided for in Article 205.1 of the Spanish Corporate Enterprises Act. In this case, we will block this information permanently, owing to the fact that, in such cases, challenges to corporate resolutions can be made at any time.

Finally, regarding the recording of the General Shareholders Meeting session, the interventions of the Chair, the Chief Executive Officer and the Directors will be kept available to the public on the corporate website for five years, in order to disseminate compliance with the regulatory principles of good corporate governance required of listed companies.

The remaining data from the recording of the General Shareholders Meeting session will be processed for the purpose of preparing the minutes of the session, in accordance with Article 279 of the Consolidated Text of the Spanish Companies Act. Once the minutes have been prepared, the recordings will be retained, duly blocked, for six years, to be made available to the competent Public Authorities, Judges and Courts or the Public Prosecutor’s Office, in accordance with the provisions of Article 30.1 of the Commercial Code. After this period, they will be deleted.

Data controller: The data controller responsible for this data processing is CaixaBank.

C. Management of the Shareholder Advisory Committee.

Purpose: the purpose of this processing is to manage the activity of the CaixaBank Shareholder Advisory Committee.

The processing operations included are as follows:

• Receive, process and assess candidate applications made via the sign-up form available on CaixaBank's corporate website.
• If the application is accepted, to manage your membership on the Committee, as provided for in its rules of operation.
• Respond to and handle suggestions, contributions or communications that shareholders make to the Committee, using the form available on the CaixaBank corporate website

Types of processed data: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Personal and contact details
• Information about your professional or work activity
• Data related to shares

Other relevant information: Below, you will find other relevant information on this processing:

• Storage period: as a member of the Shareholder Advisory Committee, we will store your data while you continue to hold the condition of member and subsequently, on the basis of our legitimate interest, to contact you to send you invitations to corporate events related to said Committee, as indicated in section 6.3.A of this document.

If your candidacy is rejected, we will store the data for a period of 3 years, as per the limitation periods for offences provided for in Article 72 of the LOPDGDD. Once this period has elapsed, the data will be deleted.

Data controller: The data controller responsible for this data processing is CaixaBank.

D. Sending communications and invitations to events

Purpose: If you sign up on CaixaBank's corporate website to the Shareholder Information Service or events published in the Investor Agenda, the aim of this processing is to send communications containing corporate information, as well as inviting you to participate in events, courses and corporate meetings, either in person or online.

Types of processed data: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact details.

Other relevant information: Below, you will find other relevant information on this processing:

• Filing period: in relation to sign-up forms for informative material from the Shareholder Information Service, we will store your data for as long as your subscription remains active. When it ends, we will delete your data.

For events, courses and corporate meetings, the data is stored until these are held. Once the event has taken place, we will store the data for a period of 3 years, as per the limitation periods for offences provided for in Article 72 of the LOPDGDD. Once this period has elapsed, the data will be deleted.

Data controller: The data controller responsible for this data processing is CaixaBank.

E. Performance of enquiries via the Shareholder Office

Purpose: The purpose of this processing is to manage enquiries or suggestions that you make using the available forms at CaixaBank.com or to schedule an appointment with the Shareholder Relations team to relay questions about shares, dividends or the company.

Types of processed data: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact details.

Other relevant information: Below, you will find other relevant information on this processing:

• Storage period: in relation to the forms for making enquiries at the Shareholder Office, we will keep your data for as long as they are necessary to respond to the enquiry received. Once managed, we will completely delete this data.

Data controller: The data controller responsible for this data processing is CaixaBank.

6.2. Processing based on consent.

The legal basis for this processing is your consent, according to the provisions of Article 6.1.a) of the General Data Protection Regulation (GDPR).

If for any circumstance, we have never requested your consent, such processing will not apply to you.

The processing types based on your consent are indicated below, arranged from (A) to the (B). We will point out for each of them: the description of the purpose (Purpose), the breakdown of data processed (Processed data), where applicable, information on the use of profiles (Use of Profiles), other necessary information related to the processing (Other relevant information), as well as the data controller.

A. Interventions made at the General Shareholders Meeting

Purpose: the purpose of this processing is to record your image, in case you attend and make an intervention at the General Shareholder Meeting and expressly consent thereto.

Shareholders or their authorised representatives who make an intervention in person during the General Shareholder Meeting will have the power to authorise or reject the recording of their image and its live streaming. If you do not authorise this, your intervention may be made from a position in which your image is not broadcast. In any case, your voice will be recorded, as described in section 6.1. B of this document.

Types of processed data: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact data: full name; identification document, image and voice.
• Data related to the shares: shareholder code, number of shares.
• Data of the authorised representatives of shareholders: full name, identifying document, accreditation of the power they are acting in.

Other relevant information: Below, you will find other relevant information on this processing:

• Storage period: we will process the recording and broadcast of your image at the General Shareholders Meeting, should you make an intervention and provide us with your consent.

This consent shall only be valid for the General Shareholders Meeting being held and for which you have provided us with your consent and not for subsequent General Shareholders Meetings, where you be asked once again for your consent.  We will store your authorisation for a period of 5 years in view of the limitation period for personal actions provided for in Article 1964 of the Civil Code; once this period has elapsed, the data will be deleted.

Data controller: The data controller responsible for this data processing is CaixaBank.

6.3. Processing based on legitimate interest.

The legal basis for this processing is to pursue our legitimate interest, as set forth in Article 6.1.f) of the General Data Protection Regulation (GDPR).

To justify this processing on our legitimate interest, we have previously weighted your rights; the result of this analysis was positive and is available for consultation.

Processing based on our legitimate interest is indicated below, next to letter (A). For the above processing, we will provide: the description of the purpose (Purpose), the breakdown of data processed (Type of processed data), where applicable, information on the use of profiles (Use of Profiles), other necessary information related to the processing (Other relevant information), as well as the data controller.

A. Sending invitations to events for former members of the Shareholder Advisory Committee

CaixaBank's legitimate interest: The legitimate interest of CaixaBank to undertake this processing is to maintain a network of contacts with people who have previously served on the Advisory Committee, given that their experience and knowledge remain valuable for future interactions, activities and events related to the organisation. This interest is based on the need to strengthen professional connections that offer strategic and reputational value.

Purpose: the purpose of this processing is to send invitations to events for former members of the Shareholder Advisory Committee

Types of processed data: The types of data that we process for this purpose, whose content is detailed in section 5, are:

• Identification and contact: full name, telephone number and email address.

Other relevant information: Below, you will find other relevant information on this processing:

• Storage period: we will continue with this processing until you oppose it.
• Right to object to processing: You have the right to object to data processing based on legitimate interest. You can do so easily and for free via the channels indicated in section 4.

Data controller: The data controller responsible for this data processing is CaixaBank.

Authorities or public institutions

Listed companies such as CaixaBank may be legally obliged to provide information on the transactions that we carry out to the authorities or public institutions located in other countries both inside and outside of the European Union. This obligation arises within the framework of the fight against the financing of the terrorism and serious forms of organised crime, and for the prevention of the money laundering, as well as within the framework of the prudential supervision of credit institutions and listed that is carried out by the Bank of Spain, the Bank of Portugal, the European Central Bank and the National Securities Market Commission.

This obligation may also apply to payment systems and providers of technological services with which we maintain relationships and to which we transfer the data in order to carry out transactions.

Likewise, the data indicated in section 5 and related to processing as regards General Shareholder Meetings will be relayed to the Notary Public that attends the Meeting to prepare the minutes and company legally set up to keep the record of book entries, Iberclear, as the central Spanish securities depositary company.

Data communication in outsourcing services

We sometimes turn to service providers with potential access to personal data.

These providers offer suitable and sufficient guarantees in relation to data processing, since we carry out a responsible selection of service providers that includes specific requirements in the event that the services involve the processing of personal data.

The classification of services that we can outsource to service providers is:

• Backoffice services
• Audit and consultancy services
• Legal services
• Layout services
• Call centre services
• Logistic services
• Physical security services
• IT services (system and information security, cybersecurity, IT systems, architecture, hosting, data processing)
• Telecommunication services (voice and data)
• Printing, packaging, mailing and courier services
• Information storage and destruction services (digital and physical)
• Maintenance services for buildings, facilities and equipment

We will process the data indicated in section 5 by applying the technical and organisational measures necessary to ensure that they may only be used for each of the described purposes.

You will find the storage periods under each of the data processing activities of this policy. In any case, upon completion of the relationship that you have established with us, we will keep your data solely to comply with the legal obligations and to allow for the arrangement, exercise and defence of claims during the statute of limitation period relating to the actions arising from shareholder relationships. Once these periods have elapsed, we will delete them.

At CaixaBank we process your data within the European Economic Area and, in general, we hire service providers that are also located within the European Economic Area or in countries that have been declared to have an adequate level of protection.

If we need to use service providers that perform processing outside of the European Economic Area or in countries that have not been declared to have an adequate level of protection, we would ensure processing security and legitimacy of your data is guaranteed.

For this, we demand suitable guarantees from those service providers in accordance with what is established in the GDPR so as to ensure they have, for example, implemented binding corporate standards that guarantee data protection in a manner similar to what is established by European regulations, or that they subscribed to the standard clauses applicable within the European Union. You may request a copy of the appropriate guarantees required by CaixaBank from these suppliers by contacting the Data Protection Delegate at www.caixabank.com/dataprotectionofficer.

Section 6 of this Policy informs you of the processing operations that incorporate automated decisions.

Furthermore, if in the course of the contractual relationship you have with us, we should use mechanisms that may make decisions based solely and exclusively on automated processing (i.e. without the involvement of a person) that could produce legal effects on you, or that could significantly affect you, we will inform you of this in the contractual documentation, together with the rationale by virtue of which the decision is made.

Similarly, at that time, we will adopt measures to safeguard your rights and interests providing you with the right to obtain human intervention, to express your point of view and to challenge the decision.

We will undertake a review of this Privacy Policy whenever it becomes necessary to ensure you are duly informed, for example, on the occasion of the publication of new regulations or criteria, or the performance of new processing.

The latest version of the document will be available on CaixaBank´s corporate website, under “Shareholder Privacy”.