Privacy notice

Personal data is defined by the GDPR and Law 58/2019, August 8 (collectively, ‘the Data Protection Legislation’), as ‘information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.’ 

In simplest terms, personal data is any information about you that allows you to be identified. This includes obvious information such as your name and contact details, as well as less obvious information like location data, electronic coordinates, and other identifiers. 

The personal data we process depends on our relationship with you, so we advise you to consult the most specific data protection notice, as appropriate: 

• Our clients, business partners, institutions, distributors, counterparties, suppliers, and other third parties. 

• Visitors or participants on our public websites or social media profiles/pages, subscribers to our newsletter, or those who interact with us through our digital spaces. 

• Employees or individuals who maintain some kind of collaboration with us. 

• Recruitment candidates or those who submit spontaneous applications. 

• Visitors, attendees, or the public in general. 

Under data protection legislation, we must always have a lawful basis for using your personal data. Thus, processing will be based on the following grounds: 

• Your consent. 

• Execution of a contract to which you are a party or during pre-contractual procedures. 

• Compliance with a legal obligation to which we are subject. Or 

• The legitimate interest of the organization or a third party. 

When processing special categories of personal data, it will be based on the need for processing for the purposes of complying with a legal obligation or your explicit consent. 

We will only use your personal data for the purposes for which it was originally collected, unless we believe that another purpose is compatible with the original purposes, and we need to use your personal data for that purpose. If we need to use your personal data for a purpose unrelated to, or incompatible with, the purpose(s) for which it was originally collected, we will inform you and explain the lawful basis on which we can do so. 

We may also use your information during internal audits to demonstrate our compliance with applicable standards. 

In some circumstances, where permitted or required by law, we may process your personal data without your knowledge or consent. This will only be done within the limits of Data Protection Legislation and your rights. We may also be required to collect and process your data for the purposes of investigation, reporting, and detection of crime, and to comply with the laws that apply to us. 

Personal data shall not be processed for a longer period than necessary for the purposes for which the personal data was collected. Legislation to which we are subject may also require us to keep data for different periods. However, at the end of this period, the data is deleted. 

Retention periods may change significantly when justified for historical or statistical archiving purposes, and ebankIT undertakes to adopt appropriate conservation and security measures. 

When we have obtained your consent to process your personal data, we will do so in accordance with the information provided at the time of collecting. When the period for which you have given your consent expires, we will seek to obtain your updated consent. If this has not been done or you have withdrawn your consent, we will no longer process your data and will delete it if there is no other lawful basis for processing that data. 

We will not share any of your personal data with third parties for any purpose whatsoever, apart from a few exceptions duly covered by law. 

We may share your personal data with your consent, in strict compliance with the legal obligations’ incumbent on ebankIT, within the scope of our legitimate interest, in a cooperation module, or via subcontracting. Regardless of the purposes for which they are shared, they are subject to data protection agreements or clauses. 

The following classes of recipients can be identified: 

• Service providers 

• Partners 

• Regulatory bodies 

• Financing entities and intermediaries in accessing funds 

In some limited circumstances, we may be legally obliged to share certain personal data, which may include yours, if we are involved in legal proceedings, in compliance with legal obligations, a court order, or on instructions from a government authority. 

Data may be stored in several different places, including on paper, in the organization's systems, and in other computer systems (including the email system). We may store some of your personal data in countries outside the European Economic Area (EEA). These are known as “third countries.” We will take additional steps to ensure that your personal data is treated with the same privacy principles as it would be within the EEA and under Data Protection Legislation, as follows: 

• We will only store or transfer personal data in countries that are deemed to provide an adequate level of protection for personal data; or 

• We will use specific, approved data protection agreements that guarantee the same levels of protection for personal data as applied under the Data Protection Legislation.

Data security is a high priority for us. We will ensure that personal data is kept secure, both against external threats and internal threats. We have taken technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access. 

We use a set of security technologies and procedures deemed appropriate. Your personal data will generally be stored in our databases or databases maintained by our service providers, which we require to have the same level of security. Nevertheless, we cannot fully guarantee the security of information beyond our reasonable control. All our professionals are bound by professional secrecy and confidentiality obligations.  

We also have procedures for dealing with data breaches, including notifying you when we are legally obliged to do so. 

Data subjects have the following rights, which we always strive to uphold: 

• Right to be informed: You have the right to know about the collection and use of your personal data. 

• Right of access: You can request access to the personal data we hold about you. 

• Right to rectification: If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. It is important that your personal data is accurate and up to date. If any of your personal data changes, please inform us so we can update our records. 

• Right to erasure: Also known as the right to be forgotten, you can request the deletion of your personal data. 

• Right to restrict processing: You can request that we limit the processing of your personal data. 

• Right to object: You can object to the processing of your personal data for specific purposes. 

• Right to withdraw consent: If we rely on your consent to process your personal data, you can withdraw that consent at any time. 

• Right to data portability: You can request a copy of your personal data to be reused with another service if we process it by automated means with your consent or for a contract.
• Rights related to automated decision-making and profiling: You have the right to prevent automated decision-making and profiling, understand the reasons behind decisions made about you, and object to certain scenarios.
  

There is usually no charge for a request. However, if your request is ‘manifestly unfounded or excessive’ (e.g., repetitive requests), a fee may be charged to cover our administrative costs. 

We will respond to your request within one month of receiving it and verifying your identity. In some cases, particularly if your request is complex, we may need more time, up to a maximum of three months. You will be kept informed of the progress. 

Further information on your rights can be obtained from the Supervisory Authority that primarily regulates us – Comissão Nacional de Proteção de Dados (Portuguese Authority). 

If you have a complaint about our use of your personal data, you have the right to lodge a complaint with the Supervisory Authority – CNPD (https://www.cnpd.pt/cidadaos/participacoes/). However, we would appreciate the opportunity to resolve your concerns first, so please contact us using through dpo@ebankit.com. 

We may change this Notice from time to time. When we post changes to this information, we will update the 'update date.' Any such changes will become binding on your first use of our site after the changes have been made. Therefore, we advise you to check this page periodically. 

In the event of a conflict between the current version of this Notice and any previous version, the provisions in force shall prevail unless expressly stated otherwise. 

Updated on 12th June 2025