Privacy Policy

Introduction

The protection of fundamental rights and freedoms, and in particular, the protection of individuals in relation to the processing of personal data, is one of the basic principles of Grupo Catalana Occidente (hereinafter, "GCO" or the "Group"), as reflected in its Code of Ethics, in compliance with legal requirements and its corporate governance system.

The purpose of GCO's Privacy Policy (hereinafter, the "Policy") is to provide a concise, transparent explanation, in clear, simple language, of the way in which companies in the Group will use any personal data collected from its customers (as defined below), in accordance with the provisions of the European Union General Data Protection Regulations, 2016/679, Organic Law 3/2018, of 5 December, on Protection of Personal Data and Guarantee of Digital Rights, and the regulations implementing it in force at any given time (henceforth the "Personal Data Protection Regulations").

Who is the controller of your personal data?

The GCO Entity with which you have a relationship. In the Annex at the end of this Policy, the identification and registered addresses of the entities that make up the Group can be found, together with other information.

Who is the Data Protection Officer?

The Data Protection officer is the person designated by the entities that constitute the Group to ensure compliance with Personal Data Protection Regulations, whom you may contact especially if you think your data protection freedoms and rights have not been respected, been breached, via the postal or email address provided in the Annex at the end of this Policy and published in the Spanish data protection Agency's register of data protection officers.

Who is the personal data protection supervisory authority?

The supervisory authority is the Spanish Data Protection Agency, whose head office is at Calle Jorge Juan, 6, Madrid 28001. It is the independent public authority responsible for ensuring the privacy and protection of citizens' data, to whom you can submit queries and/or complaints regarding this matter, should you consider that your data protection rights and freedoms have not been duly respected by a Group entity. For more information, go to the following website: www.agpd.es.

What personal data can be processed?

All personal data, whether provided directly by the interested party or by an insurance distributor, seller or partner, including documents containing such data, or personal data obtained from recorded telephone conversations internet website browsing or other means, including biometric and geolocation data, will be processed before, during and after the formalisation of an application, pre-contract, contract or service related to any of the products and/or services marketed by Group entities, when such data are needed for the study, documentation, development and execution of a contractual relationship between the parties or any other relationship arising from the same.

In this sense, the definition of customer is established as any data subject who: requests information, a product or a service, is a policyholder, insured person or beneficiary, who causes or is a third party involved in an accident, is a participant, partner, subscriber, claimant, mortgage holder, investor in promissory notes and/or a third party involved in a contractual or service relationship with a Group entity.

If the personal data is provided by a person other than the holder, it shall be the provider's obligation to previously communicate this information to the holder of the personal data, and to obtain his/her consent, when necessary, for the data to be processed by the relevant Group entity.

Subject to the requirements of personal data protection regulations, this personal data can be supplemented by other data obtained from Group suppliers, and any personal data that the data subject has made public.

The personal data of minors will normally only be processed when their parents or legal guardians have given their consent for the processing required to execute a contract or service with a Group entity, when there is a legal obligation and/or legitimate interest, in the latter case after a balancing test has been carried out by the Group entity responsible for the processing, notwithstanding the exercise of personal data protection rights established by current Personal Data Protection Regulations.

What are the categories of data subject to processing?

In general, the personal data subject to processing in the issue of an offer, a precontract or contract, will refer to the identification of the interested party, their personal characteristics and/or social circumstances, and any other data that may be necessary to complete these procedures.

Also in the following specific cases: (i) in the case of life, accident, healthcare, illness and/or death insurance, it will be necessary to process data relating to the profession or activity of the policyholder and/or the insured person, and, where appropriate, data relating to their health, and (ii) in the case of investment funds, data relating to the profession or activity of the policyholder and/or insured person as well as the data necessary for carrying out tests of suitability and/or appropriateness.

Finally, in the case of the contact forms made available to the public by Group entities, when the information prior to the collection of data has been provided, with reference to this Policy, the identification and contact details required to establish contact as requested will be processed.

Which are the purposes of processing your personal data?

(i) Main purpose:

The main purpose of processing personal data is the study, issue, development and/or execution of a pre-contract, contract, contractual relationship or service agreed with a Group entity, effectively complying at all times with the obligations established in the regulations applicable to the Group entity responsible for such data processing.

(ii) Other purposes:

Personal data will be processed for the purpose of setting prices, selecting risks and managing subsequent requests related to the risks that can be contracted. If necessary, processing may include profiling and/or automated decision-making in accordance with the provisions of this Policy.

Personal data will also be processed for the purposes of preventing and combatting fraud, and may be disclosed to the common information systems of the insurance sector for consultation; for compliance by the relevant Group entity with the legal obligations arising from the Civil Liability and Insurance Act regarding the circulation of motor vehicles and/or the Law of Regulation, Supervision and Solvency for Insurance and Reinsurance companies; similarly, in connection with the prevention of money laundering and the financing of terrorism, for compliance by Group entities with their legal obligations and the adoption of due diligence measures arising from the Law on the Prevention of Money Laundering and the Financing of Terrorism and the regulations implementing it.

In order to manage the request and/or any of the contracts or services provided by a group entity, said entity may process your personal data to assess your financial solvency, and may consult insurance sector information systems or credit rating agencies and disclose data to them, in addition to carrying out statistical, quality and technical studies, and implementing satisfaction surveys, loyalty programmes, market analysis, and research and service quality studies.

In the case of insurance products, personal data may be processed to manage coinsurance or reinsurance, in accordance with current legislation. The reporting of data in such cases shall be carried out to comply with a legal obligation, to execute a contract, or in legitimate interest, in the latter case after a balancing test conducted by the Group entity responsible for processing the data.

Finally, with regard to contact forms, telephone numbers, email addresses and social network profiles made available by Group entities, your data will be used (i) to attend to and manage suggestions, requests, queries and/or claims made via these channels; and (ii) to manage CVs provided for selection processes in Group entities.

(iii) For automated decision-making including profiling:

Some processing of personal data necessary to execute or formalise contracts may involve the use of automated decision-making and/or profiling. This means that certain decisions may be made automatically without human involvement, although the data subject will always have the right to: (i) request a review of the results by a person; (ii) express their point of view; and (iii) contest the decision; in accordance with Personal Data Protection Regulations.

The potential use of artificial intelligence will always be in accordance with the general principles and values of the Group's Code of Ethics, which underlies the operations of its entities, in particular regarding privacy and the right to personal data protection. It will also take into consideration the guidelines of the document on ethical principles for the use of Artificial Intelligence in the insurance sector, drawn up by the Spanish Union of Insurance and Reinsurance Companies (UNESPA), and the report of the advisory group of the European Insurance and Occupational Pensions Authority (EIOPA) on Artificial Intelligence: Towards Ethical and Trustworthy Artificial Intelligence in the European Insurance Sector.

In the aforementioned processing of personal data for the prevention of fraud and/or money laundering and the financing of terrorism, the legal basis of profiling is for the Group entity responsible to comply with its legal obligations.

(iv) Advertising:

If customers authorise it, personal data may also be processed with a view to: (i) carrying out marketing activities and sending them information, even via remote means, on other general or customised products and services, either proprietary or available from other Group entities, as identified in the Annex at the end of this Policy and on the www.gco.com website; (ii) showing them customised advertising via websites, search engines and social media; and (iii) inviting them to participate in promotional competitions. This will apply even after the termination of services or the customer's contractual relationship with the Group entity. In any of the aforementioned cases, products and services may be adjusted to your personal profile, based on an analysis of behavioural and risk profiles, considering both internal and third-party sources, geolocation information, browsing habits and social networks.

What is the legal basis for processing your personal data?

The legal grounds for processing data referred to in the main purpose described above are based on the management of the offer and, if applicable, execution of the contract or service agreed with the Group entity responsible for processing said data.

Any processing for the other purposes mentioned and for making automated decisions is based on relevant legislation or legitimate interest, if applicable, after a balancing test has been conducted by each Group entity responsible for processing.

In particular, the processing of personal data for the purpose of preventing fraud and/or money laundering and the financing of terrorism is based on applicable legislation, while data processing with the aim of developing loyalty programmes for customers is based on legitimate interest, subject to the aforementioned analysis by the Group entity responsible for said processing.

Lastly, the processing of personal data for advertising purposes is legitimised, where applicable, by the customer's express consent.

How long will we store your personal data?

Your personal data will be held throughout your relationship with the Group entity with which the service or contract has been agreed, or with which the relationship has been established.

Once this relationship has ended, this data will be stored for the necessary period of time established by the applicable legislation at all times, and will be available to the courts and tribunals, Public Prosecutor's Office, State security forces and/or competent public administrations, in particular the appropriate personal data protection supervisory authorities, and corresponding supervisory bodies, in order to deal with any legal or contractual liabilities arising from the contract or service related to the data processing in question and during the applicable time in force.

In general, the documentation and information concerning your business must be kept by the entrepreneur for at least six years from the end of the relationship, except as established by general or special provisions, in accordance with the terms of the Commercial Code.

In particular, by virtue of the provisions of the Anti-Money Laundering and Financing of Terrorism Act, in the life and investment insurance sector, the obliged parties must keep, for a period of ten years after the end of the relationship, the documentation that formalises compliance with the due diligence obligations established in the aforementioned law.

Any requests or proposals that do not lead to a contract or the provision of a service, regardless of the reason, shall be held for the time necessary to ensure their effectiveness in the fight against fraud in contracting and to prevent money laundering and the financing of terrorism.

The guidelines on the storage period, erasure and blocking of personal data, to be used by the Group entity responsible for processing, are specified in the internal regulations on the conservation, suppression and blocking of personal data, in line with GCO's policy on personal data protection and the use of ICT resources. Interested parties can access them through the data protection officer.

To which recipients will your personal data be disclosed?

(i) GCO Entities:

The customer's personal data, contract or service and any information arising from or related to them can be transferred to the Group entities specified in the Annex at the end of this Policy and/or on the www.gco.com website to comply with the regulations applicable to each entity, and in general terms, for the prevention of and fight against fraud and/or the prevention of money laundering and the financing of terrorism, and, where applicable, to maintain and comprehensively and centrally manage the customer's relationship with the different entities in the Group.

We also expressly inform you that the entities in the Group share common services, to differing degrees, for the purpose of making use of existing synergies, optimising resources and offering a better service to customers. To this end, they have entered into various framework agreements to provide reciprocal services, which involve access to personal data managed by other entities in the Group, covering the provision of various services, including, but not limited to, the following:

a) Services provided to Group entities by Grupo Catalana Occidente, Tecnología y Servicios A.I.E.: (i) data hosting (ii) maintenance and management of systems, communications and computer equipment (iii) information security and security of supporting systems (iv) development and maintenance of IT applications (v) the claims management service (vi) reporting information related to the services provided (vii) maintenance and management of systems to detect presence, security systems and video surveillance systems, and (viii) document management, custody and filing, printing and labelling.

b) services provided to Group entities by Grupo Catalana Occidente Contact Center A.I.E.: (i) providing customer service via any means, including remote means, such as telephone, email, internet, instant messaging and/or social networks, and (ii) conducting campaigns and satisfaction surveys.

c) services provided to Group entities by Prepersa Peritación de Seguros y Prevención A.I.E.: provision of a service to cooperate in the management of claims related to insurance policies through its network of associates.

(ii) Other entities:

Personal data can also be disclosed to different associates or service providers of any Group entity responsible for processing data, including but not limited to: insurance brokers, co-insurers, reinsurers, lawsuit experts and investigators, solicitors and barristers, auditors, consultants, medical professionals and health assessors, financial, depository and managing entities and other suppliers and professionals who process personal data on behalf of the corresponding Group entity, in order to ensure the services rendered by the aforementioned entity while carrying out the contract or service, comply with the obligations stipulated in applicable legislation, in their legitimate interest following a balancing test, and/or in accordance with the user's consent, if this has been given.

In any of the above cases, we hereby inform you that the computer servers used by these service providers may be located in countries outside the European Union, where, if the level of privacy protection were not equivalent to European or national Personal Data Protection regulations, because the European Commission has not confirmed their adaptation, the corresponding Group entity will adopt appropriate measures, as envisaged in the Personal Data Protection Regulations for transfers to third countries and international organisations, with the exception of certain situations expressly provided for, in order to ensure that the level of protection of the interested parties is not diminished, and apply appropriate and necessary measures to effectively safeguard the rights of said parties and the security of information, in accordance with the technical measures available at any time.

(iii) Official organisations and government bodies:

Personal data will be released to all those recipients to whom such information must be disclosed by Group entities, in compliance with legal obligations, including, but not limited to, competent public bodies and administrations, such as the Spanish Tax Administration Agency or regional tax authorities, personal data protection control authorities, courts and tribunals, supervisory bodies, the Public Prosecutor's Office and/or State security forces and bodies.

(iv) Common credit information systems:

Group entities are entitled to view and process data regarding failure to comply with monetary, financial or credit obligations, through common credit information systems and any other system that enables them to assess solvency, for prior analysis and maintenance of the contractual relationship and to monitor its progress.

(v) If the customer has taken out a vehicle insurance policy:

In accordance with current legislation, the insurance entities in the Group, will provide the habitual driver insured under the policy with information on sanctions, if any, published in his or her name on current or future certified websites, complying at all times with current legislation on personal data protection.

This insurance company will use the data corresponding to the vehicle registration number to make enquiries through the services owned by the Vehicle Investigation Institute (Instituto de Investigación sobre Vehículos S.A.,

Zaragoza Centre), on the chassis number and all the technical and administrative characteristics of the vehicle that is the object of the insurance.

The Group entity through which the car insurance policy has been taken out, as jointly responsible for data processing, will provide, if applicable, the following details regarding your insurance policy to the insurance sector common information systems:

a) historical data regarding policies and claims to the Car Insurance Historical Information System, the purpose of which is to provide rigorous, verified information on claims at the time the contract is signed, by pooling the information obtained through policies and claims over the previous five years, in accordance with the terms set out in the Civil Liability and Motor Vehicle Insurance Act.

b) historical data on the number of claims related to your insurance or claims in which you have been involved will be disclosed to the Total Loss, Theft and Fire Vehicle Information System, the purpose of which is to facilitate the automated identification of possible irregular situations and risks of fraud, cooperate with Security Forces and Bodies, facilitating the investigation of possible theft and fraud offences, among others, related to insured motor vehicles; and cooperate with the Zaragoza Centre, law enforcement agencies, the Directorate General for Traffic and the insurance company concerned in the identification and location of stolen vehicles and vehicles that have received compensation.

To exercise your data protection rights in relation to either Historical Car Insurance Information Systems and Information on Automobiles regarding Writeoffs, Theft and Fire, please contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3 Las Rozas 28231 Madrid.

You can find further information regarding data protection on the information systems for the insurance sector in the websites of the Spanish Union of Insurance and Reinsurance Companies (UNESPA) (www.unespa.es) and TIREA (www.tirea.es).

(vi) In the case of multi-risk home, store, business, owner's community, SME, industry or civil liability insurance policies and/or other policies in the general category:

The Group insurance entity with which the general insurance policy has been taken out will report, as appropriate, data on claims involving your insurance and/or your claims to the Fraud Management System for General Insurance Policies, which includes the policy purchased by you or any claim involving you, the insuring entity being the joint controller of said System. Its purpose is to prevent and detect fraud by either warning the insurer once the policy is issued, or by detecting fraud in claims. Its purpose is also to cooperate with law enforcement agencies by facilitating the investigation of possible theft and fraud offences, among others, related to the insured assets.

To exercise your data protection rights in relation to any of these Fraud Prevention Systems in general insurance policies, please contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3 Las Rozas 28231 Madrid.

You can find further information regarding data protection on the information systems for the insurance sector in the websites of the Spanish Union of Insurance and Reinsurance Companies (UNESPA) (www.unespa.es) and TIREA (www.tirea.es).

(vii) In the case of life, accident, health, illness or death insurance or any other insurance in connection with which we request or manage data on your health:

Your personal data may be disclosed to the aforementioned partners and service providers of the corresponding Group insurance entity, who will act as data processors on behalf of the entity.

In addition, and specifically, if you are a holder of:

(a) a life insurance policy with death coverage and/or an accident insurance policy covering the contingency of the insured person's death, whether individual or collective, in compliance with current legislation, your personal data will be disclosed to the public register of insurance contracts with death coverage controlled by the Ministry of Justice, or any ministry that may replace it in the future.

(b) a health or health care insurance policy, in which case your personal data, including health data, may be disclosed to the corresponding Group insurance company and to doctors, health centres, hospitals or other institutions or persons, so that health care can be developed, delivered and monitored, the reimbursements or compensation stipulated in the insurance contract can be provided, and information from said providers can be requested or verified regarding the medical background of the insured party and the reasons that justify any benefits, reimbursements or compensation, and, where applicable, expenses can be recovered. Specifically, in the case of healthcare insurance, in order to inform the policyholder of the collection of each co-payment, the insurance Entity may communicate to the policyholder the details of the medical services used by each person insured under the policy, including the healthcare and professional centres they have visited and/or the tests each insured person has taken.

(viii) If you have taken out a pension plan:

Your personal data may be exchanged between the Managing Entity, the Depositary and the Promoter and/or Marketing Entity of such pension products.

If the customer wishes to redeem consolidated rights from the target management firm or insurance company, he/she must present this request and an authorisation to said firm or company, so that they can, on the customer's behalf, request the source management fund or insurance company to release the consolidated rights, providing all financial and fiscal data necessary for this to be done.

(ix) If you have subscribed to participations in any investment fund marketed and/or managed by GCO:

Your personal data may be shared between the management firm, the depositary and the entity marketing said investment funds.

What are your rights when you provide your personal data?

As owner of your personal data, you are entitled to the rights set out below, which you may exercise by verifying your identity, as explained in the section Who is the Data Protection Officer? previous:

(i) Right to access. You can obtain confirmation from the Group entity responsible for processing your personal data as to whether it is processing said data and, if so, you have the right to access the data and information on the use being made of them, and obtain a copy of them in a structured, commonly used format that is easy to read.

(ii) Right to rectification. You may request the rectification of personal data that are inaccurate, and, if they are incomplete, you have the right to request that such data be correctly entered, by means of an additional declaration if necessary.

(iii) Right of withdrawal. You may request that your personal data be deleted when it is no longer needed for the purposes for which it was collected by the Group entity responsible for processing it, or if you withdraw the consent on which such processing is based. Such a request cannot be implemented when processing is necessary under the terms of the section "What is the legal basis for processing your personal data?" above.

In this respect, if you exercise your right to be forgotten, the corresponding Group entity will contact the internet service provider to transmit your request to discontinue the processing of personal data that concern them, taking into account the technology available and the cost of using it. In this case, only data required for the formulation and exercise of claims and the entity's defence against them will be retained by the data controller. Such a request cannot be implemented when processing is required under the provisions of the section “What is the legal basis for processing your personal data?” above, if processing is necessary to exercise the right to freedom of expression and information or on the grounds of public interest.

(iv) Right to object. You may object to your personal data being processed, unless the Group entity responsible for such processing, after a balancing test, has a legitimate interest in continuing to do so. In this case only data required for the formulation and exercise of claims and the entity's defence against them will be retained by the data controller. The use of personal data for commercial or advertising purposes shall not be considered legitimate, the right to object therefore being deemed equivalent to the withdrawal of the consent previously given. Such requests are not applicable when processing is necessary according to the provisions of the section "What is the legal basis for processing your personal data?" above.

(v) Right to restrict processing. You may ask for the processing of your personal data to be restricted, which may involve your data being blocked in the following circumstances: (i) if you contest the accuracy of the data, (ii) if the controller opposes the deletion of data because processing is legally justified, (iii) if the controller no longer needs the data, but they are required to draw up, exercise or defend claims or (iv) if you have opposed processing, while the controller verifies whether their legitimate reasons prevail over yours; in this case they will only be retained by the controller to draw up, exercise or defend claims.

(vi) Right to data portability. When technically possible, you may request that your personal data subject to automated processing be transferred to another controller, or to yourself as data subject, in a structured, commonly used and easy to read format, without detriment to your right of deletion or right to be forgotten. In this case such data will only be stored by the data controller for the purpose of formulating, exercising or defending claims.

All communications and actions performed in the exercise of your rights shall be free of charge. However, if the customer's requests are manifestly unfounded or excessive, especially when they are of a repetitive nature, the Group entity's data controller may charge a reasonable fee, according to the expenses incurred to deal with the request.

Confidentiality of personal data

From the first moment it initiates data processing, the Group entity acting as data controller and/or data processor will implement the technical, organisational and security measures necessary, considering the current state of technology, to guarantee the confidentiality, integrity, availability and resilience of data, preventing their loss or alteration and unauthorised access and processing.

We hereby inform you that the computer servers used by some Group service providers may be located in countries outside the European Union, where, if the level of privacy protection were not equivalent to European or national Personal Data Protection regulations, because the European Commission has not confirmed their adaptation, the corresponding Group entity will adopt appropriate measures, as envisaged in the Personal Data Protection Regulations for transfers to third countries and international organisations, with the exception of certain situations expressly provided for, in order to ensure that the level of protection of the interested parties is not diminished, as well as appropriate and necessary measures to effectively safeguard the rights of said parties and the security of information, in accordance with the technical measures available at any time.

When users are browsing the official websites of Group entities, this privacy policy is always available to them for information purposes, as is the GCO cookie policy, which conforms to the Guide to the Use of Cookies issued by the control authority. Users can manage and customise their preferences regarding the use of cookies at any time.

Validity of the Policy

GCO declares that the Privacy Policy published for information purposes on the www.GCO.com website will be the valid version at any given time and reserves the right to modify it without prior notice whenever necessary. Group entity customers can view the latest updated version of the Policy at any time in their official websites and, should they also wish to access previous versions, they may contact the corresponding Data Protection Officer, as indicated in the Annex to this Policy.

Copyright

GCO reserves all rights regarding the content of this Policy. The reproduction, distribution, transformation, handling, public disclosure or any other kind of total or partial use of this document, whether free of charge or in return for a consideration, is strictly forbidden without written authorisation.

Latest update to the Policy: version 7, approved on 13 December 2023, brought into effect on 1 January 2024. 

Annex: Companies comprising GCO for the purposes of this Privacy Policy