Privacy Notice

Last update: 15 February 2025
The Banco Português de Fomento, S.A. (hereinafter BPF) is committed to ensuring the protection of personal data, in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), Law no. 58/2019 of 8 August, and other applicable legislation.

This Privacy Notice describes how BPF collects, uses, shares, and protects personal data, as well as the rights of the respective data subjects.
1. Who is responsible for the processing of personal data?
The Banco Português de Fomento, S.A. (BPF), headquartered at Rua Professor Mota Pinto, n.º 42-F, 2nd Floor, Room 2.11, 4100-353 Porto, is the entity responsible for processing personal data in accordance with the GDPR.

For any questions related to data protection, you may contact the Data Protection Officer (DPO) via email: protecao.dados.pessoais@bpfomento.pt.


2. What personal data is collected?
BPF collects and processes, directly or indirectly, through partners, suppliers, service providers or other legitimate sources, the personal data necessary for providing its services, accessing its platforms, complying with legal and contractual obligations, and pursuing public interest. The data collected includes, but is not limited to, the following categories: 

Data CategoriesData Types (Examples)
Personal identification data
Full name, date of birth, age, gender, nationality, marital status, type and number of identification documents, Tax ID (NIF), health number, social security number
Contact data
Address, phone number (mobile and landline), email address, professional contact
Professional and academic data
Educational qualifications, academic history, field of study, additional courses, previous professional experience, current role, position, employer, CV, professional references
Financial and tax data
IBAN, bank account number, income, salary/remuneration, withholdings and deductions, tax regime, contributions, assigned benefits, support received, payment history
Authentication and verification data
Signature (manual or digital), login and password, proof of address documents, utility bills, certificates, bank statements, credit checks, background check results
Location, image and audio data
Images and videos captured at events, public sessions or CCTV systems, geolocation data, call recordings (where applicable)
Sensitive data (where applicable)
Health data (e.g. accessibility at events), trade union or judicial data (only if strictly necessary and with legal grounds)
Digital interaction and navigation data
IP address (anonymised whenever possible), cookies, browser type and version, operating system, pages visited, duration, clicks, traffic source, unique device identifiers
Service usage and communications data
Data regarding the use of BPF services, interactions with marketing and communication campaigns, survey responses, complaints records, sent and received communications
Institutional relationships and external interests
Participation in management or supervisory bodies of other entities, declared external business interests, record of institutional offers received (gifts, invitations, hospitality) in the context of representing BPF


3. For what purposes do we process your personal data?
BPF processes your personal data for the following purposes, based on different legal grounds, such as compliance with legal obligations, public interest, performance of contracts, legitimate interests of BPF or your consent, as applicable:

  • Management and performance of contractual relationships, including:
    • Performance of contracts with clients, suppliers or partners;
    • Processing of pre-contractual measures at the request of the data subject;
    • Administration and maintenance of existing contractual relationships;
    • Provision of services within the scope of BPF's activity.

  • Compliance with legal and regulatory obligations, including:
    • Legal and regulatory requirements applicable to the financial sector;
    • Tax and accounting obligations;
    • Compliance with the anti-money laundering and counter-terrorism financing regime;
    • Response to requests and communications from competent authorities.

  • Recruitment and application management, with or without consent, including:
    • Ranking of candidates;
    • Management of recruitment processes and internships;
    • Validation of qualifications, references and professional experience;
    • Communication with candidates during the process.

  • Complaints management and irregularity handling, including:
    • Analysis and resolution of suggestions and complaints submitted through institutional channels;
    • Investigation and follow-up of reports or non-conformities;
    • Recording and documentation of occurrences.

  • Marketing and business development, where consent is given, including:
    • Sending newsletters, promotional campaigns and other marketing communications;
    • Dissemination of services and initiatives of BPF and partner entities;
    • Conducting market studies and collecting feedback.

  • Event and institutional initiative management, including:
    • Planning, organisation and promotion of events such as webinars, fairs, conferences and forums;
    • Registration of participants, collection of images and other data for institutional communication purposes;
    • Logistical and operational management of events.

  • Digital interaction and online presence, including:
    • Interaction with users of BPF's website and social media;
    • Communication through video conferencing platforms;
    • Data collection for statistical analysis and continuous improvement purposes;
    • Monitoring of navigation patterns and collection of anonymised statistics through analytical cookies;
    • International transfer of data associated with the use of technological services (e.g. Google Analytics).

  • Relationship with website users, including:
    • Sending information about products, services or initiatives;
    • Response to contact requests or queries;
    • Collection of opinions and suggestions about the user experience;
    • Participation in market studies or surveys.

  • Establishment, exercise or defence of legal rights, including:
    • Management of administrative, judicial or arbitral proceedings;
    • Recording of relevant communications;
    • Preservation of evidence for legal purposes.

  • Processing for historical and statistical purposes, including:
    • Production of activity reports and performance indicators;
    • Data collection for impact analysis and strategic planning;
    • Recording of data for institutional memory.

Should you choose to provide your personal data for specific purposes based on consent, such as receiving marketing communications, you may withdraw that consent at any time, with future effect, without prejudice to the lawfulness of processing carried out until that moment.

      3.1. Banco Português de Fomento's presence on social media and video conferencing platforms
      When browsing BPF's website, you may find direct links to the social media where the Bank maintains an institutional presence, as well as to video conferencing platforms used in the context of its promotional and communication activities. By accessing these links, you will be redirected to external pages managed by third parties.

      It should be clarified that the operator of each platform is solely responsible for the processing of data associated with your user profile, namely regarding the collection, retention and use of such data, to which BPF does not have direct access.

      BPF currently operates the following institutional pages:


      And uses the following video conferencing platforms for events and meetings:


      Each of these platforms autonomously manages its technological infrastructure and defines its own data protection policies. The use of the platforms may involve the processing and storage of personal data on servers located outside the European Economic Area, under the terms defined in their respective privacy policies, which are the sole responsibility of the operators.

      For more information, we recommend consulting the respective privacy policies:


      Purposes and Legal Basis

      BPF's data processing on these platforms aims to:

      • Inform about BPF's products, services and initiatives;
      • Promote interaction with users and event participants;
      • Respond to queries, comments, suggestions or compliments received.

      BPF is responsible only for the content it publishes on these platforms and does not assume responsibility for data processing carried out directly by their managing entities.

      Where applicable, data processing is carried out on the grounds of pursuit of public interest, as provided for in Article 6(1)(e) of the GDPR.

      BPF reserves the right to remove content published on its institutional pages when justified. It may also, where the platform permits, share publications or interact with users.

      Recipients and Categories of Recipients

      As a rule, personal data provided confidentially is not shared with third parties outside BPF. However, data may be processed by subcontracted partners who act on behalf of and under the instructions of BPF, contractually bound and subject to security and confidentiality obligations, pursuant to Article 28 of the GDPR. These partners are pre-selected and audited by BPF.

      When browsing BPF's website, it is noticeable that there are links to the social media where BPF operates, or video conferencing platforms that BPF uses in the context of its commercial promotion activities. Using this link redirects to the respective pages. Furthermore, the operator is solely responsible for all matters relating to your user profile data, to which BPF does not have access.


      3.2. Newsletter Sending
      Purposes and Legal Basis

      BPF's newsletter content includes institutional and commercial information, namely about products, services, events, initiatives and other activities promoted by Banco Português de Fomento, its partner entities and stakeholders in the ecosystem in which it operates.

      The processing of personal data associated with newsletter sending is based on the data subject's consent, pursuant to Article 6(1)(a) of the GDPR.

      The data subject may, at any time, withdraw their consent, with future effect, using the cancellation mechanisms provided:

      After unsubscribing, the data subject's personal data will be removed from BPF's newsletter distribution lists and other mailings within a maximum period of six months.

      Recipients and Categories of Recipients

      Should BPF use third parties to send the newsletter or to manage service-related assessments, these entities will act as subcontractors, under a contract entered into pursuant to Article 28 of the GDPR, being subject to confidentiality and security obligations.

      4. How do we use navigation data and cookies?
      Banco Português de Fomento's website uses cookies and similar technologies to ensure the proper functioning of the platform, improve the browsing experience and collect statistical data about website usage.

      Essential cookies are used, which allow maintaining the user's session during browsing, and consent management cookies, responsible for recording and identifying users' privacy preferences. These cookies are stored in the browser and may have session or persistent validity, depending on their function.

      Additionally, BPF uses performance cookies associated with the Google Analytics 4 service. These cookies collect aggregated data about users' interaction with the website, enabling the production of statistics for optimisation purposes. The processing of this data involves the transfer of information outside the European Economic Area, namely to the United States of America. The provider of these services, Google LLC, is certified under the Data Privacy Framework, with other adequate safeguards also being adopted pursuant to the General Data Protection Regulation, such as Standard Contractual Clauses approved by the European Commission.

      Users may, at any time, accept, refuse or configure the cookies used through the consent management panel available on the website. For more information, please consult the Cookie Notice.

      5. How long do we retain your personal data?
      Personal data is retained only for the period strictly necessary to fulfil the purposes that motivated its collection and processing, respecting applicable legal, regulatory and contractual deadlines.

      Where no specific legally provided period exists, data will be deleted or anonymised once it is no longer necessary for the purpose that justified its processing.


      6. With whom do we share your personal data?
      BPF may share your personal data with third parties whenever this proves necessary and appropriate, ensuring that sharing is carried out securely and in compliance with the GDPR.

      The categories of recipients include:

      • Public authorities and regulators, in cases where such sharing is imposed by law or regulatory obligation;
      • Partners, suppliers and service providers who act on behalf of BPF, by contract and subject to confidentiality and security obligations;
      • Social media and video conferencing platforms where BPF maintains an institutional presence;
      • Technology service providers, including hosting, maintenance and web traffic analysis services.

      All sharing is carried out in accordance with the principles of minimisation, purpose and data integrity, with recipient third parties being carefully selected and bound by appropriate contractual clauses.


      7. What security measures are adopted?
      Banco Português de Fomento implements a set of appropriate technical and organisational measures to ensure the security, integrity and confidentiality of the personal data it processes, preventing unauthorised access, loss, destruction or improper disclosure thereof.

      These measures include:
      • Access control and secure authentication;
      • Data encryption and pseudonymisation, where applicable;
      • Continuous system monitoring and security audits;
      • Internal procedures for responding to security incidents;
      • Ongoing training of teams with responsibilities in personal data processing.

      BPF undertakes to regularly review and update these measures to ensure compliance with applicable legislation and adaptation to emerging risks.

      8.  Why does BPF share personal data?
      Banco Português de Fomento may share personal data with third parties whenever this is necessary for fulfilling processing purposes or required by applicable legislation.

      Situations in which such sharing may occur include:
      • Compliance with legal or regulatory obligations, namely before public authorities and regulatory entities;
      • Performance of contracts, through the intervention of partners, suppliers or service providers acting on behalf of BPF, based on specific instructions and through the conclusion of subcontracting agreements pursuant to Article 28 of the GDPR;
      • Protection of vital interests of the data subject or third parties;
      • Defence of BPF's legal rights and legitimate interests, namely in the context of administrative or judicial proceedings;
      • Situations where the data subject has given prior and informed consent.

      All subcontractors are carefully selected and required to implement appropriate technical and organisational measures that ensure the security and confidentiality of processed data.

      9. Under what circumstances do we transfer your personal data to third countries? 
      Whenever there is a need to transfer personal data outside the European Economic Area (EEA), BPF ensures that such transfer complies with the requirements established in the GDPR.

      Data transfers to third countries are only carried out when: 
      • The country in question ensures a level of data protection considered adequate by the European Commission;
      • Standard Contractual Clauses approved by the European Commission or other adequate safeguards are adopted;
      • The data subject has provided their explicit consent, after being informed of the inherent risks;
      • The transfer is necessary for reasons of important public interest, for the exercise or defence of a right in legal proceedings or to protect vital interests of the data subject or another person.

      In the specific case of using the Google Analytics 4 service, used for statistical purposes, data is transferred to the United States of America. The service provider, Google LLC, is certified under the Data Privacy Framework, recognised by the European Commission, which ensures an adequate level of protection for the transferred data.

      10. How do we use "Cookies"?
      For more information about what cookies are, the types used and how BPF uses them on its website, please consult the Cookie Notice, where you will also find instructions on how to manage your consent preferences.


      11. What are your rights as a data subject?
      Under applicable legislation, as a personal data subject, you have the right to:
      • Access: obtain confirmation as to whether your data is being processed and access to that data;
      • Rectification: request the correction of inaccurate or incomplete personal data;
      • Erasure: request the deletion of your personal data, in legally provided cases;
      • Restriction of processing: request the restriction of the processing of your data in certain circumstances;
      • Portability: receive your data in a structured, commonly used and machine-readable format, and transmit it to another data controller;
      • Objection: object to the processing of your data, including for direct marketing purposes;
      • Not to be subject to exclusively automated decisions, including profiling, which produce legal effects concerning you or similarly significantly affect you;
      • Withdrawal of consent: whenever processing is based on consent, you may withdraw it at any time, without compromising the lawfulness of processing carried out until that date.

      To exercise your rights, you should complete and submit online the rights exercise form available on BPF's website or send it by post to:

      Banco Português de Fomento
      Rua Professor Mota Pinto, n.º 42-F, 2nd Floor, Room 2.11
      4100-353 Porto
      For the attention of the Data Protection Officer

      The data subject also has the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD), or to resort to any other judicial remedy, should they consider that their personal data is not being processed lawfully, in accordance with current legislation and this notice.


      12.  Changes to the Privacy Notice
      Banco Português de Fomento reserves the right to change, totally or partially, this Privacy Notice whenever this proves necessary to ensure its compliance with legislative or regulatory changes, or to reflect changes in the personal data processing practices adopted by BPF.

      Whenever an update occurs, the new version will be published on BPF's institutional website with indication of the date of the last update. Therefore, regular consultation of this Notice is recommended, in order to remain informed about how BPF protects your personal data.


      13.  Contact Details of BPF's Data Protection Officer
      For more information about the processing of your data, contact Banco Português de Fomento's Data Protection Officer via email: protecao.dados.pessoais@bpfomento.pt