Privacy policy

CIMD SV

Privacy policy

PRIVACY POLICY

This policy has been drawn up in accordance with the provisions of Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, “LOPDD”) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, “GDPR”).

 

  1. PERSONAL DATA CONTROLLER

Identity: CORRETAJE E INFORMACIÓN MONETARIA Y DE DIVISAS, SOCIEDAD DE VALORES, S.A. (hereinafter “CIMD, SV, S.A.”).

CIMD, SV, S.A. is a subsidiary company of the CIMD Group.

VAT REGISTRATION NUMBER: A-78750932

Registered in:

Postal address: C/ Príncipe de Vergara, 131 planta 3ª, (CP) 28002, Madrid.

Telephone: 914 326 400

Email: cumplimientonormativo@grupocimd.com

Data Protection Officer (DPO): Seguridad y Privacidad de Datos S.L. – FORLOPD

Contact DPO: infodpo@forlopd.es | www.forlopd.es

 

  1. PERSONAL DATA WE COLLECT

If you have contacted us by telephone, e-mail or this website, in general these data may be:

 

  1. Identification and contact details: name and surname, ID card number, address, email…
  2. Data on personal characteristics: profession, current job, country of birth, country of residence…
  3. Socio-demographic data: age, province, family situation, gender…
  4. Data on your professional and socio-economic situation: income, professional activity or job…
  5. Browsing data: as indicated in the Cookies Policy.

 

  1. PURPOSES AND GROUNDS FOR LEGITIMISATION OF THE PROCESSING

We process your personal data for different purposes and on different legal bases.

  • USERS/NAVIGATORS OF THE CONTROLLER’S WEBSITE

We will process your personal data provided through our web forms and other electronic means, for the following purposes:

  • a) To deal with requests and incidents communicated through our channels incorporated in the website for this purpose.

    Legal basis: consent of the data subject (who may subsequently withdraw or revoke it, or object at the time of collection of personal data), in accordance with Article 6(1)(a) of the GDPR.
    The communication of your personal data is necessary to carry out the processing for the purposes indicated, the refusal to provide your personal data will make it impossible to attend to and manage your request.
    On the other hand, to deal with communications made through the complaints channel:Legal basis: in the cases required by law, compliance with legal obligation (Law 2/2023 of February, regulating the protection of persons who report regulatory offences and the fight against corruption, Law 10/2010 on the prevention of money laundering and terrorist financing and Organic Law 7/2021 of 26 May, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and the enforcement of criminal penalties), as set out in Article 6.1.c) of the GDPR.The communication of the data subject’s personal data is necessary in order to comply with the legal obligations that affect our activity, including the reported person, who may not oppose the processing of his or her personal data for this purpose (without prejudice to the possibility of submitting anonymous reports in accordance with the applicable regulations).Additionally, for those cases in which communication is not mandatory under current legislation, the public interest may be mandatory (Article 8.2 LOPD), in accordance with Article 6.1.e) of the RGPDIn this case, the data subject (respondent) may not object to the processing of his or her personal data on compelling legitimate groundsAs far as the right of access is concerned, the identity of the complainant will not be accessible to respondents and interested third parties (such as those who may be named in the complaint).The identity of the informant or whistleblower shall be kept absolutely confidential throughout the process, and may only be communicated to the judicial authority, the Public Prosecutor’s Office or the competent administrative authority in the framework of a criminal, disciplinary or sanctioning investigation. Anonymous whistleblowing is also possible.

  • b) To deal with complaints and claims made through our customer service channels, as well as complaints and the exercise of data protection rights by data subjects.

    Legal basis: compliance with legal obligation (Law 44/2002, of 22 November, on measures to reform the financial system and Order ECO/734/2004, of 11 March, on customer service departments and services and the customer ombudsman of financial institutions, with regard to complaints and claims, and LOPDD and RGPD, with regard to personal data protection), as established in Article 6.1.c) of the RGPD.The communication of your personal data is necessary to carry out the treatment with the indicated purpose, the refusal to provide your personal data will lead to the impossibility of dealing with your claim or request.

  • c) Use of cookies and similar technologies on the website.

    Legal basis: consent of the data subject (who may subsequently withdraw or revoke it, or object at the time of collection of personal data), in accordance with Article 6(1)(a) of the GDPR.Refusal to provide your personal data will make it impossible to process your data for the aforementioned purposes.

  • d) To protect, exercise and defend our rights and interests in any administrative, pre-judicial and/or judicial proceedings arising out of or in connection with the relationship with you or to respond to claims of any kind.

    Legal basis: the satisfaction of the legitimate interest pursued by CIMD, SV, S.A. or by a third party, in guaranteeing and enforcing your right   to effective judicial protection, and/or defending your rights and interests, provided that your interests or your fundamental rights and freedoms do not prevail over this legitimate interest, as established in article 6.1.f) of the General Data Protection Regulation (GDPR).

In this case, the data subject may not object to the processing of his or her personal data on compelling legitimate grounds.

CLIENTS

We will process your personal data provided by different means for the following purposes:

  • a) Formalisation, maintenance and execution of commercial and contractual relations.

    Legal basis: execution of a contract entered into with CIMD, SV, S.A. or pre-contractual relations that have arisen between you and CIMD, SV, S.A., as established in article 6.1.b) of the RGPD.The communication of your personal data is necessary to carry out the treatment with the indicated purpose, the refusal to provide your personal data will lead to the impossibility of executing your contract or attending to your requests.

  • b) Collection of personal data in order to comply with the legal obligations applicable to us, such as:- Compliance with MiFiD II and its implementing regulations (classification obligations, assessment of suitability and appropriateness of financial instruments, transparency, etc.).

    Legal basis: compliance with legal obligation (Law 6/2023 of 17 March on Securities Markets and Investment Services, Delegated Regulation (EU) 2017/565 and MiFiD II Directive 2014/65/EU), as set out in Article 6(1)(c) of the GDPR.The communication of your personal data is necessary in order to comply with the legal obligations that affect our activity, the data subject may not object to the processing of his personal data for this purpose.– Compliance with regulations on the prevention of money laundering and terrorist financing.Legal basis: compliance with legal obligation (Law 10/2010 on the prevention of money laundering and terrorist financing), as set out in Article 6.1.c) of the GDPR.

    The communication of your personal data is necessary in order to comply with the legal obligations that affect our activity, the data subject may not object to the processing of his personal data for this purpose.

    – Prevention of market abuse (detection, analysis and reporting of suspicious insider dealing and market manipulation in the securities market).

    Legal basis: compliance with legal obligation (Regulation 596/2014 on market abuse), as set out in Article 6(1)(c) of the GDPR.

    The communication of your personal data is necessary in order to comply with the legal obligations that affect our activity, the data subject may not object to the processing of his personal data for this purpose.

    – Compliance with tax and fiscal regulations.

    Legal basis: compliance with legal obligation (Law 58/2003 of 17 December 2003 on General Taxation, Royal Decree 1021/2015 of 13 November 2015, which establishes the obligation to identify the tax residence of persons who hold ownership or control of certain financial accounts and to report on them in the field of mutual assistance, and other tax regulations in force), as set out in Article 6.1.c) of the GDPR.

    The communication of your personal data is necessary in order to comply with the legal obligations that affect our activity, the data subject may not object to the processing of his personal data for this purpose.

  • c) To deal with requests and incidents communicated through our channels incorporated in the website for this purpose.Legal basis: consent of the data subject (who may subsequently withdraw or revoke it, or object at the time of collection of personal data), in accordance with Article 6(1)(a) of the GDPR.The communication of your personal data is necessary to carry out the processing for the purposes indicated, the refusal to provide your personal data will make it impossible to attend to and manage your request.

  • d) To deal with complaints and claims made through our customer service channels, as well as complaints and the exercise of data protection rights by data subjects.

    Legal basis: compliance with legal obligation (Law 44/2002, of 22 November, on measures to reform the financial system and Order ECO/734/2004, of 11 March, on customer service departments and services and the customer ombudsman of financial institutions, with regard to complaints and claims, and LOPDD and RGPD, with regard to personal data protection), as established in Article 6.1.c) of the RGPD.The communication of your personal data is necessary to carry out the treatment with the indicated purpose, the refusal to provide your personal data will lead to the impossibility of dealing with your claim or request.

  • e) To protect, exercise and defend our rights and interests in any administrative, pre-judicial and/or judicial proceedings arising out of or in connection with the relationship with you or to respond to claims of any kind.

    Legal basis: the satisfaction of the legitimate interest pursued by CIMD, SV, S.A. or by a third party, in guaranteeing and enforcing your right to effective judicial protection, and/or defending your rights and interests, provided that your interests or your fundamental rights and freedoms do not prevail over this legitimate interest, as established in article 6.1.f) of the General Data Protection Regulation (GDPR).In this case, the data subject may not object to the processing of his or her personal data on compelling legitimate grounds.

  1. RECIPIENTS

Your data may be communicated to:

  • Courts and Tribunals
  • Public Administrations.
  • State Security Forces and Corps.
  • Banks, Financial Institutions and Investment Services Companies.
  • Authorities and Official Bodies.
  • Bodies responsible for the supervision of financial and securities markets.
  • Companies belonging to the CIMD Group in order to be able to attend to your requests as well as to comply with the legal obligations that affect our activity.
  • Other professionals in the financial environment, when such communication is required by regulation or is necessary for the performance of the services you have contracted.
  1. INTERNATIONAL DATA TRANSFERS

Your personal data is processed within the European Economic Area, we will not transfer or pass it on to third parties outside the European Economic Area, unless we are legally obliged to do so.

  1. CONSERVATION PERIODS

The personal data provided will be kept for the time necessary to fulfil the purposes for which they were originally collected.

Retention for the maintenance of contractual relations: we will process your data for as long as the contractual relations established are in force.

Retention of consent-based authorisations: we will process your data until you revoke this consent or ask us to delete your data.

If you have provided us with your CV, we will keep your data for a maximum period of one year from the receipt of your CV by any of the entities of the CIMD group, unless you have authorised us to keep your data for a longer period.

The personal data obtained from reports made through the Whistleblowing Channel shall be kept in the system for the time required for their investigation (3 months, which may be extended for a further 3 months) in accordance with the applicable regulations, Law 2/2023. Once this time has elapsed, the data may be processed by the Department designated for this purpose, in order to provide evidence of the functioning of the Group’s Crime Prevention Model.

Retention for the fulfilment of legal obligations, and the formulation, exercise and defence of claims:

Once the data is no longer necessary for the processing in question, you have revoked the authorisations to use your data by withdrawing your consent, or the contractual relations you have established with us have ended, the data will be kept duly blocked in order to, where appropriate, make them available to the competent Public Administrations and Bodies, Judges and Courts or the Public Prosecutor’s Office, during the period of limitation of the actions that may arise from the contractual relationship maintained with the customer and/or the legally established retention periods.

Destruction of data:

The personal data will be destroyed when the retention periods imposed by the regulations governing the activity of CIMD, SV, S.A. and the statute of limitations for administrative or legal actions arising from the established relationships have elapsed.

  1. RIGHTS

Data subjects may, at any time and free of charge, exercise their rights of access, rectification and erasure, as well as request that the processing of their personal data be restricted, object to the processing, request the portability of their personal data (where technically possible) or withdraw the consent given, and, where appropriate, not to be subject to a decision based solely on automated processing, including profiling.

You may exercise your rights by sending a letter to the data controller: CIMD, SV, S.A. – Unidad de Cumplimiento Normativo, at the following address: c/ Príncipe de Vergara nº 131 Planta 3ª, (CP) 28002, Madrid or by e-mail to the following address: cumplimientonormativo@grupocimd.com

In both cases, a copy of your ID card or equivalent document must be enclosed in order to prove your identity.

We will analyse your request and/or complaint to give you an answer and solve the incident as soon as possible.

Likewise, we inform you that CIMD, SV, S.A. has a Data Protection Officer (DPO), to whom you may address any queries, complaints or incidents that you may have regarding the processing of your data or the exercise of your rights (for example, if you do not understand any section of this Policy, if you have doubts about our legitimate interests or if you have already made a complaint and have not received a satisfactory response, among others that you may consider). To do so, you can contact us at our registered office or at the contact e-mail address indicated in the corresponding section.

You may also lodge a complaint with the competent Data Protection Supervisory Authority (Spanish Data Protection Agency), through its website: www.aepd.es, if you feel that your rights concerning the protection of your personal data have been infringed, if you consider that you have not obtained satisfaction in the exercise of your rights or if you have not obtained a response to your requests or complaints made.

  1. AUTOMATED DECISIONS AND PROFILING

The entity does not make automated decisions and does not engage in profiling.

  1. VERACITY OF DATA

The interested party guarantees that the data provided are true, accurate, complete and up to date; undertaking to inform of any change with respect to the data provided, through the channels provided for this purpose and indicated in point one of this policy. He/she shall be liable for any damage or harm, both direct and indirect, that may be caused as a result of non-compliance with this obligation.

  1. MODIFICATIONS / UPDATES TO THIS POLICY

This Privacy Policy may be modified and/or updated according to the established legal requirements or in order to adapt said policy to the instructions issued by the Spanish Data Protection Agency or to changes in our website. For this reason, we advise users to periodically visit our privacy policy.

If you have any questions about this policy, you may contact CORRETAJE E INFORMACIÓN MONETARIA Y DE DIVISAS, SV, S.A. at the following email address: cumplimientonormativo@grupocimd.com