Privacy Policy
PRIVACY POLICY
This Privacy Policy is published in compliance with the current regulations on Personally Identifiable Information (PII) protection and as part of BLADEX's effective PII management strategy. Through this document BLADEX wants to share with the PII principals, the legitimate interest for the processing, the purposes for which these PII is requested, the processing we perform to such PII, the protection measures we use to ensure its confidentiality, integrity and availability and the rights that can be exercised by the PII principals and/or their duly authorized representatives.
Controller
BLADEX, in its role of Controller, is committed to the protection of the PII and every information that may compromise the personal integrity and/or privacy of its customers and with regulatory compliance in each of the jurisdictions where our organization has a presence.
PII Collected
The PII that Bladex collects and processes through your use of our Customer Care platform includes:
- Personal details (e.g. first name, last name, identification information).
- Contact details (e.g. telephone, email, mobile number)
- Professional details (e.g.: company, company position, company contact)
- Transactional details (e.g., complaint or suggestion information).
- Call recording. Where local law and regulations require or permit Us to do so, we monitor or record your communications with Us, including telephone calls and emails. We will use these recordings to verify instructions to us and for other evidentiary purposes, to evaluate and improve Our services to You, and for training and quality purposes.
- We collect PII and other data from individuals who use our Website, as well as our Customer Care platform. In the event that you use our Customer Care platform, Bladex will request certain PII for the purpose of proper identification. We also collect information from individuals who visit the Site through the use of cookies and similar technology. (For more information, see our Cookie Policy).
- Video Surveillance. We use surveillance cameras in and around our facilities for crime prevention and detection, which monitor and collect images in accordance with local legal requirements.
Purpose
The PII we handle at BLADEX is requested from our customers for the sole purpose of carrying out the proper provision of the financial services and products we offer to our customers and to comply with the bank's regulatory obligations.
PII will only be subject to the processing authorized by law, by the existing contractual relationship or by the prior, informed and express consent of the PII principals of the data received. In general terms, PII will be used to:
- Manage the relationship with our customers.
- Manage the products and services of our customers.
- Process instructions or requests from our customers.
- Research and analysis to improve our services.
The PII received in the terms and for the purposes mentioned in this Privacy Notice, will not be shared without prior and express authorization of the PII principals with third parties not directly related to the financial products or services originated by the contractual relationship between the holder of the PII and BLADEX.
Exceptionally, PII may be shared when there is a court order and/or mandate or in the cases established in current legislation and regulations, based on which a judicial or regulatory authority can and must have access to the PII managed by BLADEX. In these cases, access will only be allowed to the PII specifically described and indicated on the basis of the situation or subject matter and not to all personal information held by our organization.
BLADEX does not use automated decision systems, including profiling.
Actions
Collection. We collect the PII necessary for the proper provision of the services we offer and that are covered by the existing contractual relationship between BLADEX and the organization to which the PII principal belongs. The information is collected from forms filled out by the PII principal when requesting information about a service and/or product; from the service contract, from electronic correspondence and some PII is collected from visits to our website, through cookies (see Cookies Policy at www.bladex.com).
Processing. PII is processed for the purpose of providing the contracted services or carrying out the operations and/or transactions that the PII principal requires. They may also be used to improve our websites and other digital applications available to our customers and to keep them informed about changes in our opening hours and other banking services that should be informed in a timely manner for their benefit. In any case, our policy limits access to the PII managed and access to such information is only allowed to collaborators and third parties who, for legitimate purposes, need access to such personal information. For more information on the processing carried out by BLADEX, please refer to our data protection policy published at www.bladex.com.
Transfer. Bladex operates internationally, so we will need to share information with our other offices in order to conduct our business and support our customers.
When providing a global service to our customers, PII may be accessed from Bladex offices internationally when necessary for the completion of a transaction with the customer, or to comply with legal or regulatory requirements imposed on us. Any other transfer of PII must be expressly authorized in advance by the PII principal. (A complete list of our locations is available on our website but may be revised and updated at any time).
For the contracting of external hosting services, BLADEX will require its suppliers to comply with equal or higher levels of PII protection and will not host information on servers located in countries that do not have PII protection laws similar or more stringent than those established in the Republic of Panama. In any case, the communication between our systems and external servers, whether they are inside or outside the territory of the Republic of Panama, will be carried out using the highest standards of information security in the industry.
Retention and Removal. PII will be retained based on the existing contractual relationship and the legal and/or regulatory retention periods established for this purpose. Upon expiration of these terms and within the term established by the laws in force, PII will be securely removed from our systems and/or returned to their holders upon express request. Unless expressly authorized by the Data Subjects, Law 81 of 2019 establishes that Bladex may not carry out any processing on the PII stored and there is no legitimate interest to carry out processing.
To ensure compliance with the regulations in force and based on the security standards recognized by the industry, as soon as the legitimate interest for processing disappears the PII and the documents that include PII will be deleted. During the deletion process, PII will be extracted from the Databases and repositories used by BLADEX operating platforms and applications and securely stored to initiate the secure deletion protocol that ensures that PII cannot be recovered once deleted.
PII collected in physical format is always stored securely and our employees have been instructed not to leave it unsupervised, or pile it up in places of passage, or in open places within the facilities. For information in physical format, there is a disposal protocol with adequate security measures that guarantee its protection until the moment of its final disposal.
Security
Protecting PII is a priority for BLADEX. For this reason, we have implemented technical and physical security measures to ensure the integrity and confidentiality of the PII we manage. All our technological and operational infrastructure has security and protection controls in place to reduce the risk of unauthorized access, internal or external, as well as protocols that ensure the prompt reaction when an event or security incident is identified.
In the event of any breach of Bladex's computer systems, which could jeopardize the confidentiality of the information or PII provided by you, Bladex will notify the PII principal as soon as it becomes aware of the breach.
PII Principals Rights and Actions
For the purposes of this Privacy Notice, PII principal are the natural persons whose PII are subject to any processing by BLADEX. Bladex guarantees to PII principals the exercise of the ARCOP Rights so that, with prior proof of their identity, legitimacy and at no cost, they may have full access to their PII, through the exercise of the ARCOP Rights.
Rights. The regulations in force in the Republic of Panama recognize and establish the rights of data subjects, called ARCOP Rights (Access, Rectification, Cancellation, Object and Portability).
Enforcement and Actions. Based on the aforementioned rights, BLADEX declares that data subjects have the right to:
- Know and access, free of charge, the PII which BLADEX is processing in any way. When the PII principal requests that the information be provided in a technological storage device (USB, compact disc, etc.), He/She must provide the support to which the information will be transferred or bear the cost of this request. The support provided by the PII principal must be supplied unformatted, without any information. Based on current regulations, if the Controller obtained the PII from a source other than the PII principal , whether public or private, with or without legitimate interest, the PII principal may exercise the rights of Opposition and/or cancellation, but not the right of portability.
- Request, at any time, that his/her PII be updated or rectified when the PII is incomplete, incorrect, inaccurate, fragmented, irrelevant, incomplete, outdated, false or irrelevant.
- Be informed by BLADEX of the use given to their PII.
- Object any PII processing that has not been authorized or has been expressly prohibited.
- Withdraw, without justification, their consent to the processing and/or request the deletion of the PII when the extent of the processing consent expressly indicated, the ARCOP Rights, or the applicable regulations are not respected.
- Request and verify at any time the express consent form delivered to BLADEX for the processing of PII.
Procedure for exercising ARCOP Rights
PII principal must access the request form available at www.bladex.com or in printed form at BLADEX offices in order to be informed which PII is stored and/or to have his/her PII updated, corrected, rectified and/or deleted.
Each request for the exercise of ARCOP Rights will have an internal number that will be used by the PII principal when requesting information on the status of his request. BLADEX will have a period of two (2) business days to acknowledge receipt of the request submitted through the website and/or e-mail, enter it in the request register and indicate the number of the request to the Data Subject. When the request is made on a paper form, the internal number will be assigned at the time of submission.
In the same e-mail in which the number assigned to the request is indicated electronically, or in an e-mail sent within two (2) days following the personal submission of the printed form, the applicant will be informed if it is necessary to correct the request and/or clarify any point of the request and/or attach any document. The PII principal shall have a term of ten (10) business days, counted as of the day following the day the e-mail is sent, to comply with the request. Upon expiration of the aforementioned term, if no response has been received or if the non-compliance with the requirements is insisted upon, a status report will be drawn up and it will be noted in the Register of Requests that the PII principal has not corrected his request.
Processing of requests for the exercise of ARCOP Rights
BLADEX will respond to any request for access within ten (10) business days of its submission. If the request is admissible, BLADEX will execute the action within a maximum period of five (5) business days, counted from the day following the receipt of the request or within the same period, it will indicate to the PII principal the reasons why the request is inadmissible.
In the events that the bank does not comply with the request regarding the exercise of ARCOP right or the client is dissatisfied with the decision adopted by the bank, it may file a claim with the Superintendency of Banks. For such purposes, the client will have a period of 30 calendar days, which will begin to be counted from the date on which he obtained a formal response from the bank or when the bank has not complied with resolving the request or claim within the corresponding period.
Withdrawal of PII Processing Consents
The PII principal may, at any time, withdraw his or her consent for any processing of his or her PII by BLADEX. For such purpose, he/she shall complete the PII principal Consent Withdrawal Form available at www.bladex.com and send it via e-mail, duly signed to oficialpdp@bladex.com or deliver it personally at BLADEX offices.
PII Protection Officer
BLADEX, as Controller and in compliance with the regulations in force, has appointed a PII Protection Officer, whose duties are as follows:
- Keep a record of any event affecting the protection of PII processed by the Bank;
- Report any deficiency detected in the PII protection measures to Senior Management, as well as to the Risk Management Unit and the Internal Audit Unit;
- Coordinate with the Information Security area the security events that impact the protection of PII;
- Provide suggestions regarding corrective measures that can be implemented to remedy the deficiencies detected in the processing of PII;
- Maintain communication with the risk, internal audit and compliance areas in order to identify the necessary improvements in PII protection controls;
- Cooperate with the Information Security Officer in the handling of security incidents that impact the processing of PII;
- Be the liaison unit with the Superintendency of Banks on issues related to the processing of PII;
- Coordinate the annual training plan on PII protection;
- Be the liaison unit with the PII principals, notwithstanding the fact that administratively, when applicable, it may be supported by the head of the Claims Management System
To contact the PDP Officer, write to oficialpdp@bladex.com or call:
Panamá: +(507) 210-8500
Disclaimer regarding the use of social networks and instant messaging
Social networks and instant messaging applications are complementary platforms for dissemination of information and exchange of communication through digital media with customers and the general public but are not under the responsibility of BLADEX. Consequently, any information that users provide through these platforms does not constitute, nor is it part of the PII principal to the protection of BLADEX, being the full responsibility of the person who provides the information and the companies that manage these platforms.
Use of Social Networks
BLADEX may use these communication platforms as a complementary means of promoting products and services. These communications published through social networks are aimed at the general public. The profiles that BLADEX uses in social networks are open and use the channels offered by the companies that manage these networks, which make the publications appear more frequently for certain types of customers based on the PII processing consents given by users at the time of subscribing to such networks.
Use of Instant Messaging Applications
BLADEX may use these instant messaging platforms as a tool to streamline communications among employees and between employees and customers. However, since BLADEX has no control over the access and use of the information by the company that owns the application, BLADEX discourages its employees and customers from exchanging sensitive information and documents containing PII through these networks. This information should be shared through secure e-mail or any other secure communication channel implemented by BLADEX.
Right to file claims for non-compliance with regulations. Based on the provisions of paragraph 6, article 11 of SBP Agreement 001-2022, BLADEX informs the PII principals that in the event of any breach by us of the regulations in force and/or the provisions in this document, they may file claims with the Superintendency of Banks of Panama.
If the PII principal is located in a jurisdiction other than the Republic of Panama, he/she may appeal to the PII Protection Authotirty of the jurisdiction where he/she is located.
Privacy Policy: Version 1.00 | Date of publication: January 24, 2023.