The protection of fundamental rights and freedoms, and in particular, the protection of individuals in relation to the processing of personal data, is one of the basic principles of Grupo Catalana Occidente (hereinafter, "GCO" or the "Group"), as reflected in its Code of Ethics, in compliance with legal requirements and its corporate governance system.
The purpose of GCO's Privacy Policy (hereinafter, the "Policy") is to provide a concise, transparent explanation, in clear, simple language, of the way in which companies in the Group will use any personal data collected from its customers (as defined below), in accordance with the provisions of the European Union General Data Protection Regulations, 2016/679, Organic Law 3/2018, of 5 December, on Protection of Personal Data and Guarantee of Digital Rights,and the regulations implementing it in force at any given time (henceforth the "Personal Data Protection Regulations").
The GCO Entity with which you have a relationship. In the Annex at the end of this Policy, the identification and registered addresses of the entities that make up the Group can be found, together with other information.
The Data Protection officer is the person designated by the entities that constitute the Group to ensure compliance with Personal Data Protection Regulations, whom you may contact especially if you think your data protection freedoms and rights have not been respected, been breached, via the postal or email address provided in the Annex at the end of this Policy and published in the Spanish data protection Agency's register of data protection officers.
The supervisory authority is the Spanish Data Protection Agency, whose head office is at Calle Jorge Juan, 6, Madrid 28001. It is the independent public authority responsible for ensuring the privacy and protection of citizens' data, to whom you can submit queries and/or complaints regarding this matter, should you consider that your data protection rights and freedoms have not been duly respected by a Group entity. For more information, go to the following website: www.agpd.es.
All personal data, whether provided directly by the interested party or by an insurance distributor, seller or partner, including documents containing such data, or personal data obtained from recorded telephone conversations internet website browsing or other means, including biometric and geolocation data, will be processed before, during and after the formalisation of an application, pre-contract, contract or service related to any of the products and/or services marketed by Group entities, when such data are needed for the study, documentation, development and execution of a contractual relationship between the parties or any other relationship arising from the same.
In this sense, the definition of customer is established as any data subject who: requests information, a product or a service, is a policyholder, insured person or beneficiary, who causes or is a third party involved in an accident, is a participant, partner, subscriber, claimant, mortgage holder, investor in promissory notes and/or a third party involved in a contractual or service relationship with a Group entity.
If the personal data is provided by a person other than the holder, it shall be the provider's obligation to previously communicate this information to the holder of the personal data, and to obtain his/her consent, when necessary, for the data to be processed by the relevant Group entity.
Subject to the requirements of personal data protection regulations, this personal data can be supplemented by other data obtained from Group suppliers, and any personal data that the data subject has made public.
The personal data of minors will normally only be processed when their parents or legal guardians have given their consent for the processing required to execute a contract or service with a Group entity, when there is a legal obligation and/or legitimate interest, in the latter case after a balancing test has been carried out by the Group entity responsible for the processing, notwithstanding the exercise of personal data protection rights established by current Personal Data Protection Regulations.
In general, the personal data subject to processing in the issue of an offer, a precontract or contract, will refer to the identification of the interested party, their personal characteristics and/or social circumstances, and any other data that may be necessary to complete these procedures.
Also in the following specific cases: (i) in the case of life, accident, healthcare, illness and/or death insurance, it will be necessary to process data relating to the profession or activity of the policyholder and/or the insured person, and, where appropriate, data relating to their health, and (ii) in the case of investment funds, data relating to the profession or activity of the policyholder and/or insured person as well as the data necessary for carrying out tests of suitability and/or appropriateness.
Finally, in the case of the contact forms made available to the public by Group entities, when the information prior to the collection of data has been provided, with reference to this Policy, the identification and contact details required to establish contact as requested will be processed.
(i) Main purpose:
The main purpose of processing personal data is the study, issue, development and/or execution of a pre-contract, contract, contractual relationship or service agreed with a Group entity, effectively complying at all times with the obligations established in the regulations applicable to the Group entity responsible for such data processing.
(ii) Other purposes:
Personal data will be processed for the purpose of setting prices, selecting risks and managing subsequent requests related to the risks that can be contracted. If necessary, processing may include profiling and/or automated decision-making in accordance with the provisions of this Policy.
Personal data will also be processed for the purposes of preventing and combatting fraud, and may be disclosed to the common information systems of the insurance sector for consultation; for compliance by the relevant Group entity with the legal obligations arising from the Civil Liability and Insurance Act regarding the circulation of motor vehicles and/or the Law of Regulation, Supervision and Solvency for Insurance and Reinsurance companies; similarly, in connection with the prevention of money laundering and the financing of terrorism, for compliance by Group entities with their legal obligations and the adoption of due diligence measures arising from the Law on the Prevention of Money Laundering and the Financing of Terrorism and the regulations implementing it.
In order to manage the request and/or any of the contracts or services provided by a group entity, said entity may process your personal data to assess your financial solvency, and may consult insurance sector information systems or credit rating agencies and disclose data to them, in addition to carrying out statistical, quality and technical studies, and implementing satisfaction surveys, loyalty programmes, market analysis, and research and service quality studies.
In the case of insurance products, personal data may be processed to manage coinsurance or reinsurance, in accordance with current legislation. The reporting of data in such cases shall be carried out to comply with a legal obligation, to execute a contract, or in legitimate interest, in the latter case after a balancing test conducted by the Group entity responsible for processing the data.
Finally, with regard to contact forms, telephone numbers, email addresses and social network profiles made available by Group entities, your data will be used (i) to attend to and manage suggestions, requests, queries and/or claims made via these channels; and (ii) to manage CVs provided for selection processes in Group entities.
(iii) For automated decision-making including profiling:
Some processing of personal data necessary to execute or formalise contracts may involve the use of automated decision-making and/or profiling. This means that certain decisions may be made automatically without human involvement, although the data subject will always have the right to: (i) request a review of the results by a person; (ii) express their point of view; and (iii) contest the decision; in accordance with Personal Data Protection Regulations.
The potential use of artificial intelligence will always be in accordance with the general principles and values of the Group's Code of Ethics, which underlies the operations of its entities, in particular regarding privacy and the right to personal data protection. It will also take into consideration the guidelines of the document on ethical principles for the use of Artificial Intelligence in the insurance sector, drawn up by the Spanish Union of Insurance and Reinsurance Companies (UNESPA), and the report of the advisory group of the European Insurance and Occupational Pensions Authority (EIOPA) on Artificial Intelligence: Towards Ethical and Trustworthy Artificial Intelligence in the European Insurance Sector.
In the aforementioned processing of personal data for the prevention of fraud and/or money laundering and the financing of terrorism, the legal basis of profiling is for the Group entity responsible to comply with its legal obligations.
(iv) Advertising:
If customers authorise it, personal data may also be processed with a view to: (i) carrying out marketing activities and sending them information, even via remote means, on other general or customised products and services, either proprietary or available from other Group entities, as identified in the Annex at the end of this Policy and on the www.gco.com website; (ii) showing them customised advertising via websites, search engines and social media; and (iii) inviting them to participate in promotional competitions. This will apply even after the termination of services or the customer's contractual relationship with the Group entity. In any of the aforementioned cases, products and services may be adjusted to your personal profile, based on an analysis of behavioural and risk profiles, considering both internal and third-party sources, geolocation information, browsing habits and social networks.
The legal grounds for processing data referred to in the main purpose described above are based on the management of the offer and, if applicable, execution of the contract or service agreed with the Group entity responsible for processing said data.
Any processing for the other purposes mentioned and for making automated decisions is based on relevant legislation or legitimate interest, if applicable, after a balancing test has been conducted by each Group entity responsible for processing.
In particular, the processing of personal data for the purpose of preventing fraud and/or money laundering and the financing of terrorism is based on applicable legislation, while data processing with the aim of developing loyalty programmes for customers is based on legitimate interest, subject to the aforementioned analysis by the Group entity responsible for said processing.
Lastly, the processing of personal data for advertising purposes is legitimised, where applicable, by the customer's express consent.
Your personal data will be held throughout your relationship with the Group entity with which the service or contract has been agreed, or with which the relationship has been established.
Once this relationship has ended, this data will be stored for the necessary period of time established by the applicable legislation at all times, and will be available to the courts and tribunals, Public Prosecutor's Office, State security forces and/or competent public administrations, in particular the appropriate personal data protection supervisory authorities, and corresponding supervisory bodies, in order to deal with any legal or contractual liabilities arising from the contract or service related to the data processing in question and during the applicable time in force.
In general, the documentation and information concerning your business must be kept by the entrepreneur for at least six years from the end of the relationship, except as established by general or special provisions, in accordance with the terms of the Commercial Code.
In particular, by virtue of the provisions of the Anti-Money Laundering and Financing of Terrorism Act, in the life and investment insurance sector, the obliged parties must keep, for a period of ten years after the end of the relationship, the documentation that formalises compliance with the due diligence obligations established in the aforementioned law.
Any requests or proposals that do not lead to a contract or the provision of a service , regardless of the reason, shall be held for the time necessary to ensure their effectiveness in the fight against fraud in contracting and to prevent money laundering and the financing of terrorism.
The guidelines on the storage period, erasure and blocking of personal data, to be used by the Group entity responsible for processing, are specified in the internal regulations on the conservation, suppression and blocking of personal data, in line with GCO's policy on personal data protection and the use of ICT resources. Interested parties can access them through the data protection officer.
(i) GCO Entities:
The customer's personal data, contract or service and any information arising from or related to them can be transferred to the Group entities specified in the Annex at the end of this Policy and/or on the www.gco.com website to comply with the regulations applicable to each entity, and in general terms, for the prevention of and fight against fraud and/or the prevention of money laundering and the financing of terrorism, and, where applicable, to maintain and comprehensively and centrally manage the customer's relationship with the different entities in the Group.
We also expressly inform you that the entities in the Group share common services, to differing degrees, for the purpose of making use of existing synergies, optimising resources and offering a better service to customers. To this end, they have entered into various framework agreements to provide reciprocal services, which involve access to personal data managed by other entities in the Group, covering the provision of various services, including, but not limited to, the following:
Services provided to Group entities by Grupo Catalana Occidente, Tecnología y Servicios A.I.E.: (i) data hosting (ii) maintenance and management of systems, communications and computer equipment (iii) information security and security of supporting systems (iv) development and maintenance of IT applications (v) the claims management service (vi) reporting information related to the services provided (vii) maintenance and management of systems to detect presence, security systems and video surveillance systems, and (viii) document management, custody and filing, printing and labelling.
Services provided to Group entities by Grupo Catalana Occidente Contact Center A.I.E.: (i) providing customer service via any means, including remote means, such as telephone, email, internet, instant messaging and/or social networks, and (ii) conducting campaigns and satisfaction surveys.
Services provided to Group entities by Prepersa Peritación de Seguros y Prevención A.I.E.: provision of a service to cooperate in the management of claims related to insurance policies through its network of associates.
(ii) Other entities:
Personal data can also be disclosed to different associates or service providers of any Group entity responsible for processing data, including but not limited to: insurance brokers, co-insurers, reinsurers, lawsuit experts and investigators, solicitors and barristers, auditors, consultants, medical professionals and health assessors, financial, depository and managing entities and other suppliers and professionals who process personal data on behalf of the corresponding Group entity, in order to ensure the services rendered by the aforementioned entity while carrying out the contract or service, comply with the obligations stipulated in applicable legislation, in their legitimate interest following a balancing test, and/or in accordance with the user's consent, if this has been given.
In any of the above cases, we hereby inform you that the computer servers used by these service providers may be located in countries outside the European Union, where, if the level of privacy protection were not equivalent to European or national Personal Data Protection regulations, because the European Commission has not confirmed their adaptation, the corresponding Group entity will adopt appropriate measures, as envisaged in the Personal Data Protection Regulations for transfers to third countries and international organisations, with the exception of certain situations expressly provided for, in order to ensure that the level of protection of the interested parties is not diminished, and apply appropriate and necessary measures to effectively safeguard the rights of said parties and the security of information, in accordance with the technical measures available at any time.
(iii) Official organisations and government bodies:
Personal data will be released to all those recipients to whom such information must be disclosed by Group entities, in compliance with legal obligations, including, but not limited to, competent public bodies and administrations, such as the Spanish Tax Administration Agency or regional tax authorities, personal data protection control authorities, courts and tribunals, supervisory bodies, the Public Prosecutor's Office and/or State security forces and bodies.
(iv) Common credit information systems:
Group entities are entitled to view and process data regarding failure to comply with monetary, financial or credit obligations, through common credit information systems and any other system that enables them to assess solvency, for prior analysis and maintenance of the contractual relationship and to monitor its progress.
(v) If the customer has taken out a vehicle insurance policy:
In accordance with current legislation, the insurance entities in the Group, will provide the habitual driver insured under the policy with information on sanctions, if any, published in his or her name on current or future certified websites, complying at all times with current legislation on personal data protection.
This insurance company will use the data corresponding to the vehicle registration number to make enquiries through the services owned by the Vehicle Investigation Institute (Instituto de Investigación sobre Vehículos S.A., Zaragoza Centre), on the chassis number and all the technical and administrative characteristics of the vehicle that is the object of the insurance.
The Group entity through which the car insurance policy has been taken out, as jointly responsible for data processing, will provide, if applicable, the following details regarding your insurance policy to the insurance sector common information systems:
a) historical data regarding policies and claims to the Car Insurance Historical Information System, the purpose of which is to provide rigorous, verified information on claims at the time the contract is signed, by pooling the information obtained through policies and claims over the previous five years, in accordance with the terms set out in the Civil Liability and Motor Vehicle Insurance Act.
b) historical data on the number of claims related to your insurance or claims in which you have been involved will be disclosed to the Total Loss, Theft and Fire Vehicle Information System, the purpose of which is to facilitate the automated identification of possible irregular situations and risks of fraud, cooperate with Security Forces and Bodies, facilitating the investigation of possible theft and fraud offences, among others, related to insured motor vehicles; and cooperate with the Zaragoza Centre, law enforcement agencies, the Directorate General for Traffic and the insurance company concerned in the identification and location of stolen vehicles and vehicles that have received compensation.
To exercise your data protection rights in relation to either Historical Car Insurance Information Systems and Information on Automobiles regarding Writeoffs, Theft and Fire, please contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3 Las Rozas 28231 Madrid.
You can find further information regarding data protection on the information systems for the insurance sector in the websites of the Spanish Union of Insurance and Reinsurance Companies (UNESPA) (www.unespa.es) and TIREA (www.tirea.es).
(vi) In the case of multi-risk home, store, business, owner's community, SME, industry or civil liability insurance policies and/or other policies in the general category:
The Group insurance entity with which the general insurance policy has been taken out will report, as appropriate, data on claims involving your insurance and/or your claims to the Fraud Management System for General Insurance Policies, which includes the policy purchased by you or any claim involving you, the insuring entity being the joint controller of said System. Its purpose is to prevent and detect fraud by either warning the insurer once the policy is issued, or by detecting fraud in claims. Its purpose is also to cooperate with law enforcement agencies by facilitating the investigation of possible theft and fraud offences, among others, related to the insured assets.
To exercise your data protection rights in relation to any of these Fraud Prevention Systems in general insurance policies, please contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3 Las Rozas 28231 Madrid.
You can find further information regarding data protection on the information systems for the insurance sector in the websites of the Spanish Union of Insurance and Reinsurance Companies (UNESPA) (www.unespa.es) and TIREA (www.tirea.es).
(vii) In the case of life, accident, health, illness or death insurance or any other insurance in connection with which we request or manage data on your health:
Your personal data may be disclosed to the aforementioned partners and service providers of the corresponding Group insurance entity, who will act as data processors on behalf of the entity.
In addition, and specifically, if you are a holder of:
(a) a life insurance policy with death coverage and/or an accident insurance policy covering the contingency of the insured person's death, whether individual or collective, in compliance with current legislation, your personal data will be disclosed to the public register of insurance contracts with death coverage controlled by the Ministry of Justice, or any ministry that may replace it in the future.
(b) a health or health care insurance policy, in which case your personal data, including health data, may be disclosed to the corresponding Group insurance company and to doctors, health centres, hospitals or other institutions or persons, so that health care can be developed, delivered and monitored, the reimbursements or compensation stipulated in the insurance contract can be provided, and information from said providers can be requested or verified regarding the medical background of the insured party and the reasons that justify any benefits, reimbursements or compensation, and, where applicable, expenses can be recovered. Specifically, in the case of healthcare insurance, in order to inform the policyholder of the collection of each co-payment, the insurance Entity may communicate to the policyholder the details of the medical services used by each person insured under the policy, including the healthcare and professional services rendered by the corresponding health professionals or centres, specifying the date, nature and amount of the services provided.
If you are a holder of health insurance:
(i) you are informed that, in accordance with the provisions of the Spanish Organic Law on Personal Data Protection, your health data may be disclosed to the Medical Information and Statistics Centre (Centro de Información y Estadísticas Sanitarias), or any centre that may replace it in the future, for inclusion in the Central Medical Data System (Sistema de Datos Médicos de Pacientes), or any system that may replace it in the future, whose purpose is to compile and maintain a historical record of the healthcare provided to insured persons by health professionals, institutions, or insurance companies, to facilitate the production of statistical information on the use of health services, to facilitate the appropriate calculation and payment of premiums and the control of the costs of health care insurance and to facilitate information exchange with insurance companies for the purpose of market research and provision of assistance to insurance companies for the purpose of market research and provision of assistance to insurance companies and private health entities in the risk analysis of health insurance, and in accordance with the provisions of current legislation on health data.
(ii) if your health insurance policy includes coverage for cases of accidents, your personal data, including health data, may be disclosed to the corresponding insurance companies, the Insurance Compensation Consortium and any other entity that may replace it, the Spanish Workers' Compensation and Pension Mutuals, collaborating entities and service providers, to provide you with coverage for accidents, including your medical care, and for the management, settlement, and payment of any benefits or compensation for accidents that you may receive, and to the aforementioned service providers for assistance purposes.
(c) death insurance, your personal data may be disclosed to the National Institute of Toxicology and Forensic Sciences or any other entity that may replace it in the future, and to funeral homes, and healthcare providers to determine the causes of death, and to any other entity to which it is necessary to disclose your data to determine the causes of death and to comply with the legal obligations of the insurance company.
Consequently, by taking out these insurance policies, you expressly authorise the disclosure of your data, including your health data, for the purposes indicated above.
(viii) If you have taken out or are the holder of insurance coverage for incidents during your holidays or travel:
Your data may be disclosed to the corresponding Group insurance company and, if necessary, to the companies that collaborate in providing the contracted services, and to the service providers of the insurance company, so that the insurance coverage and assistance for incidents during your holidays or travel can be effectively provided. This may include, where appropriate, the disclosure of your data to doctors, hospitals or other health centres, as well as to companies and service providers that collaborate in the provision of medical, hospital or healthcare services, travel assistance, legal assistance, and any other service contracted by the insurance company to assist you during your holidays or travel.
(ix) In the event of carrying out surveys:
If you participate in surveys carried out by the Group entities, your data may be disclosed to the companies that conduct the surveys on behalf of the Group, acting as data processors, for statistical and research purposes. In any case, the data will be anonymized and aggregated to avoid identification of the survey participants.
(x) If you have consented:
If you have given your express consent, your personal data may be disclosed to other entities within the Group, collaborating entities, partners and other companies that, through marketing actions, offer products and services that may be of interest to you.
If you wish to withdraw your consent to the processing of your personal data for this purpose, please contact the corresponding Group entity, and they will provide you with the necessary information on how to exercise your right to withdraw your consent.
5. Data protection rights
You may exercise your rights of access, rectification, erasure, restriction of processing, object to processing, and data portability by contacting the corresponding Group entity. Likewise, you may file a complaint with the competent data protection authority, especially when you have not obtained satisfaction in the exercise of your rights.
A08168064
Paseo de la Castellana 4, 28046 Madrid
Listed in the Madrid Business Register, volume 36.829, page 141, Hoja M-659.287
Data Protection Officer, Grupo Catalana Occidente
dpo@gco.com
A-28119220
Paseo de la Castellana 4, 28046 Madrid
Listed in the Madrid Business Register, volume 37.110, page 177, hoja M-91.458
Data Protection Officer, Occident Seguros
dpo@gco.com
A-08185589
Paseo de la Castellana 4, 28046 Madrid
Listed in the Madrid Business Register, volume 36.935, page 1, hoja M-660.565
Data Protection Officer, Nortehispana Seguros
dpo@gco.com
A-28475754
Cedaceros 9, planta baja, 28014 Madrid
Listed in the Madrid Business Register, volume 36.521, page 171, hoja M-52.463
Data Protection Officer, GCO Gestión de Activos
dpo@gco.com
A-48409023
Paseo del Puerto 20, 48992 Neguri- Getxo (Vizcaya)
Listed in the Vizcaya Business Register, volume 2.228, page 150, hoja número 16.326
Data Protection Officer, Occident Hipotecaria
dpo@gco.com
V-65404063
Jesus Serra Santamans 3, 08174 Sant Cugat del Vallés (Barcelona)
Listed in the Barcelona Business Register, volume 42.241, page 185, hoja número B- 405.292
Data Protection Officer, GCO Contact Center
dpo@gco.com
V-65004517
Avenida Alcalde Barnils 63, 08174 Sant Cugat del Vallés (Barcelona)
Listed in the Barcelona Business Register, volume 41.030, page 29, hoja número B-376.366
Data Protection Officer, GCO Tecnología y Servicios
dpo@gco.com
A-63764138
Avenida Alcalde Barnils 63, 08174 Sant Cugat del Vallés (Barcelona)
Listed in the Barcelona Business Register, volume 37.416, page 142, hoja número B-298.341
Data Protection Officer, COCAV
dpo@gco.com
V-48410120
Paseo del Puerto 20, 48992 Neguri- Getxo (Vizcaya)
Listed in the Vizcaya Business Register, volume 2111, Folio 124, Hoja 5-8
Data Protection Officer, GCO Previsión EPSV
dpo@gco.com
A-67000471
Paseo de la Castellana 4, 28046 Madrid
Listed in the Madrid Business Register, volume 36.886, page 90, hoja M-659.976
Data Protection Officer, GCO Gestora de Pensiones
dpo@gco.com
B66672544
Avenida Alcalde Barnils 63, 08174 Sant Cugat del Vallés (Barcelona)
Inscrita en el Registro Mercantil de Barcelona, hoja número B-478.427
Data Protection Officer, GCO Activos Inmobiliarios S.L.
dpo@gco.com