Treatment of personal data of VidaCaixa customers

1.1. Responsibility for processing

VidaCaixa, S.A.U. de Seguros y Reaseguros (hereinafter, "VidaCaixa"), with Tax Identity Number A58333261 and address at Paseo de Recoletos 37, 3º, 28004 Madrid (Spain), entered in the Madrid Companies Register, volume 36790, sheet 50, page M-658924, is the party responsible for processing the personal data of the policy holder, the insured parties, the sponsor of the pension plan, the members and, where applicable, the beneficiaries, as well as any additional data, including health data, generated during the term of the insurance/pension plan contract.

VidaCaixa has appointed the Data Protection Officer (DPO) that CaixaBank has nominated for all CaixaBank Group companies as the person in charge of privacy and data protection issues in the performance of its business.

Customers may contact the Data Protection Officer by sending an e-mail to delegadoprotecciondatos@caixabank.com or in writing to calle Pintor Sorolla núm. 2-4 (49002 Valencia) with the reference "Data Protection Officer".

1.2. Purpose and legitimacy

  • 1.2.1. VidaCaixa will process the personal data provided during the period prior to the contract or any additional data that may be generated during the term of the insurance/pension plan contract, in order to manage and comply with the contract, as well as to provide the services related to it, communicating any data that may be necessary to comply with the contract (service providers, re-insurers, distributors and public bodies/authorities).
  • 1.2.2. VidaCaixa is obliged by various regulations and internal policies of the CaixaBank Group to process certain data relating to people with whom it has commercial relations (regulatory obligations in relation to the prevention of money laundering and the financing of terrorism, tax obligations, policies in relation to the fight against fraud and the application of international sanctions, etc.). In all cases, the use of such data for regulatory purposes shall be limited exclusively to the purpose stated.

    COMPLIANCE WITH REGULATORY OBLIGATIONS IN RELATION TO THE PREVENTION OF MONEY LAUNDERING AND THE FINANCING OF TERRORISM

    • I. Obligation to collect customer information in order to establish and maintain Commercial Relations.

      VidaCaixa must collect sufficient information and/or documentation to substantiate the identity of the customer and the purpose and nature of the business relationship envisaged, the nature of his/her professional or business activity, the volume of such activity and the origin of the funds with which the Commercial Relationship established with VidaCaixa will be carried out.

      The customer undertakes to provide the information and documentation relating to the origin of his/her funds, business or professional activity, as well as the identification documentation requested.

      The inaccuracy or lack of veracity of the information provided or of the documents submitted, as well as any non-compliance with the commitments acquired, may be sufficient cause for VidaCaixa to decline to establish a Commercial Relationship and shall entitle VidaCaixa to limit, suspend or, where applicable, terminate any Commercial Relations that have been established.

    • II. Commitments, declarations, authorisations and obligations of the customer in relation to the necessary requirements for the prevention of money laundering and the financing of terrorism.
      • (i) The customer undertakes to provide the information and/or documentation required by CaixaBank and/or VidaCaixa to substantiate his/her identity and the purpose and nature of the business relationship envisaged, the nature of his/her professional or business activity, the volume of such activity and the origin of the funds with which the Commercial Relationship established with VidaCaixa will be carried out.
      • (ii) The Customer declares that the data provided for establishing a Commercial Relationship with VidaCaixa are their own, and are complete and true, and undertakes to communicate any changes that may occur in such data and to provide any information and/or documentation required to verify and complete their content, as well as to facilitate implementation of the due diligence measures established by Law 10/2010, dated 28 April, on the prevention of money laundering and the financing of terrorism, and standards that are thus implemented by any regulation in this field (hereinafter, all of them referred to collectively as "Law 10/2010").
      • (iii) The Customer undertakes to actively cooperate with VidaCaixa, from the beginning and during the course of all Commercial Relations, in the application and fulfilment of the due diligence measures arising from Law 10/2010, and to provide VidaCaixa with all the information and/or documentation that VidaCaixa deems necessary, whether related to their personal circumstances or concerning the operations carried out in the course of the Commercial Relations entered into by the Customer.
      • (iv) The Customer authorises VidaCaixa and other "la Caixa" Group companies to exchange the information necessary in order to comply with the obligations established in Law 10/2010. The information that VidaCaixa and the "la Caixa" Group companies exchange by virtue of this authorisation will be used solely for the purpose of fulfilling the obligations established in the above mentioned regulations and will not be used for any other purpose whatsoever.
      • (v) The Customer declares that he has been informed that current legislation on the prevention of money laundering and the financing of terrorism requires banks, insurance companies and pension plan managers to obtain information from their customers on their identity and economic activity and to carry out checks on this information.

      The Customer gives his/her express consent for VidaCaixa to request this information from the Social Security Administration for the exclusive purpose of verifying the information provided. The data obtained from the Social Security Administration will be used exclusively for the above-mentioned purposes. In the event of non-compliance with this obligation on the part of VidaCaixa and/or the personnel providing services therein (and/or their distributors), all the actions provided for in the regulations on the protection of personal data in force at any given time shall be implemented.

      In the event that the data obtained from the Social Security Administration does not coincide with the data provided by the Customer, this circumstance will be communicated so that, where appropriate, the information provided to VidaCaixa may be rectified.

    • III. Holding public office

      The Customer is advised that, in the event that he or she personally performs or has personally performed important public functions or other positions as provided for under Law 10/2010, i.e. one of his or her family members and/or close relatives, he or she must notify CaixaBank of this fact and provide the information and documentation required to verify the nature of his or her professional or business activity and the origin of the assets and funds with which the Commercial Relations with CaixaBank or the companies of the "la Caixa" Group will be carried out.

    COMPLIANCE WITH REGULATORY OBLIGATIONS IN TAX MATTERS

    • I. Reporting obligations relating to financial accounts

      In accordance with the provisions of Law 58/2003, dated 17 December, on General Taxation and its implementing regulations, CaixaBank (and, where applicable, the "la Caixa" Group companies to which these regulations apply) is required to identify the tax residence of the persons who hold or control certain financial accounts and to provide information to the tax authorities on these accounts. For this purpose, the persons who have ownership or control of the financial accounts are obliged to declare their country of tax residence to CaixaBank.

      Furthermore, when the Customer holding a financial account is a tax resident in a Corresponding Jurisdiction, as defined below, CaixaBank (and, where applicable, the companies of the "la Caixa" Group to which such regulations apply) is obliged to notify the Spanish tax authorities so that they may transmit the following information to the tax authorities of the Corresponding Jurisdictions: (i) names and surnames, (ii) tax ID number, (iii) address, (iv) place and date of birth, (v) country of tax residence, (vi) the account number (or its functional equivalent in the absence of an account number), (vii) the balance or value of the account at the end of the calendar year concerned and (viii) the total gross amount for the items listed in the regulations in respect of the financial account concerned.

      For the purposes of this clause, Corresponding Jurisdiction shall mean the country or jurisdiction with which there is an obligation to exchange information in the field of mutual assistance. Specifically: (i) any Member State of the European Union, in accordance with EU Directive 2011/16/EU, (ii) any country or jurisdiction with which the European Union has an information exchange agreement; (iii) any other country or jurisdiction with which Spain has a tax information exchange agreement with whom there is a reciprocal exchange of information, or (iv) any other country with whom the Multilateral Agreement between Competent Authorities is in force in relation to the Automatic Exchange of Information on Financial Accounts with whom there is a reciprocal exchange of information.

    • II. Financial account reporting obligations relating to FATCA.

      In accordance with the Agreement between the Kingdom of Spain and the United States of America for the improvement of international tax compliance and the implementation of the Foreign Account Tax Compliance Act (FATCA) and its implementing regulations, CaixaBank (and, where applicable, "la Caixa" Group companies to which these regulations apply) is obliged to provide the tax authorities with the following information regarding the Customer who is the holder of a financial account and identified as a US person (by reason of residence or citizenship) for its transfer to the competent US authority: (i) full name, (ii) full address, (iii) country(ies)/jurisdiction(s) of tax residence, (iv) tax ID number of each country/jurisdiction of tax residence, if issued, (v) citizenship, (vi) the account number (or its functional equivalent), (vii) the balance or value of the account at the end of the period established by the legislation and (viii) gross amount for the items included in the legislation.

      In connection with the obligation to report financial accounts in relation to FATCA, the Customer who is considered a U.S. person for FATCA purposes must complete such additional documentation for this Agreement as may be provided to him/her for such purposes.

    • III. Obligations to report any change or variation in the information provided.

      The Customer declares to have tax obligations in the Jurisdiction detailed in the Personal and Socio-economic Data section at the heading.

      The Customer undertakes to (i) notify CaixaBank of any change in the information referred to in clause 4 of this Agreement as soon as possible and not later than 30 working days following the date of the change in the information and/or details referred to in this clause and (ii) provide any information and/or documentation required by CaixaBank and/or, where applicable, by the companies of the "la Caixa" Group in order to comply with their obligations under this Agreement.

      The inaccuracy or lack of veracity of the information provided in the Personal and Socio-economic Data section of the header or, if applicable, of the documents provided and/or declarations that the Customer must complete in accordance with the regulations in force regarding reporting obligations on certain financial accounts, as well as non-compliance with the commitments acquired, may be sufficient cause for CaixaBank and/or, where applicable, the companies of the "la Caixa" Group to refuse to establish Commercial Relations and shall entitle CaixaBank and/or, where appropriate, any of the companies of the "la Caixa" Group to limit, suspend or, where appropriate, terminate any Commercial Relationship that has been established.

    POLICIES RELATING TO THE FIGHT AGAINST FRAUD AND THE APPLICATION OF INTERNATIONAL SANCTIONS.

    Information on the anti-fraud policies and application of international sanctions adopted by CaixaBank and the "la Caixa" Group companies.

    The Customer is advised that CaixaBank and the "la Caixa" Group companies have adopted very demanding policies on the fight against fraud and the application of international economic and financial penalties, in order to cooperate decisively in maintaining the integrity and security of the financial system. Therefore, the Customer, from the time of establishing a Commercial Relationship, undertakes to collaborate actively in the application of such policies and knows and accepts that failure to do so may lead, where appropriate, to the suspension, limitation or cancellation of the products and services contracted by the Customer as well as the products and services of natural or legal persons related to the Customer.

    5.2 Declarations and obligations of the Customer

    The Customer declares that neither he/she nor any other person acting on his/her behalf is a natural or legal person (hereinafter referred to as "Person(s)") or is owned or controlled by Persons, who:

    • (i) Are persons sanctioned by laws, regulations, guidelines, resolutions, programmes or restrictive measures in matters of international economic and financial sanctions imposed by the United Nations, the European Union or any of its member countries, including the Kingdom of Spain and/or the U.S. Department of the Treasury’s Office of Foreign Assets Control (hereinafter “Sanctioned Persons”).
    • (ii) Participate with or control a Sanctioned Person.
    • (iii) Act directly or indirectly for or on behalf of a Sanctioned Person.
    • (iv) Are formed, located or have their operational or residential headquarters in a country or territory, or whose government is included, in laws, regulations, guidelines, resolutions, programmes or restrictive measures in matters of international economic and financial sanctions imposed by the United Nations, the European Union or any of its member countries, including the Kingdom of Spain and/or the U.S. Department of the Treasury’s Office of Foreign Assets Control (hereinafter “Sanctions”).
    • (v) Maintain business relationships or conduct transactions with customers in countries, territories or jurisdictions of risk, or involving the transfer of funds from or to such countries, territories or jurisdictions subject to Sanctions.
    • (vi) Allocate, directly or indirectly, the funds originated under the Commercial Relationship that the Customer establishes with CaixaBank, or in any other way make available or receive such funds to or from any affiliate or Person for the purpose of financing any activity or business (a) of or with a Sanctioned Person, (b) in any territory or country which, at the time of using the funds or the contracted product is, or its government is, subject to Sanctions, or (c) which in any other way leads to the breach of Sanctions by any Person.

    The Customer acknowledges and accepts the right of CaixaBank and/or any company of the "la Caixa" Group to reject transactions and even to terminate business relations immediately, whenever the circumstances stated by the [contracting party/holder] in this section change or are altered in any way whatsoever and/or CaixaBank and/or the companies of the "la Caixa" Group cannot guarantee the application of the sanctions policy, compliance with the applicable regulations or even compliance with the requirements recommended by the different national or international organisations to which CaixaBank and the companies of the "la Caixa" Group have decided to be linked for these purposes.

  • 1.2.3. VidaCaixa will also process the data necessary to properly manage the contract (including, where applicable, any additional services), in compliance with the provisions of the legal regulations of the insurance sector (Law 50/1980, dated 8 October, on Insurance Contracts, Law 20/2015, dated 14 July, on the organisation, supervision and solvency of insurance and re-insurance companies, Royal Decree 1060/2015, dated 20 November, on the organisation, supervision and solvency of insurance and re-insurance companies, Law 26/2006, dated 17 July, on private insurance and re-insurance mediation and/or any other applicable regulations) and on the social provision sector (Royal Legislative Decree 1/2002, dated 29 November, approving the revised text of the Pension Plan and Fund Regulation Act, Royal Decree 304/2004, dated 20 February, approving the Pension Plan and Fund Regulations, LAW 5/2012, dated 23 February, on Voluntary Social Provision Organisations, DECREE 203/2015, dated 27 October, approving the Regulations of Law 5/2012, dated 23 February, on Voluntary Social Provision Organisations).

    Among other things, VidaCaixa, as the insurance company/manager, may process the data in order to carry out the appropriate suitability and appropriateness test, to evaluate, select and price the risk, to calculate and collect premiums, to resolve claims and pay benefits, to exchange information with insurance distributors/plan suppliers, to keep the data for statistical-actuarial purposes and to prevent fraud, to register policies, claims, technical provisions and investments, to communicate to other insurance or re-insurance companies the information indicated, as well as the risks insured in this policy, for the purposes of co-insurance, re-insurance, cession or portfolio management and for the resolution of complaints and claims, as well as for the appropriate communication with Public Administrations and Bodies.

    All these procedures are necessary for establishing and maintaining a commercial relationship with VidaCaixa and any objection to them would necessarily entail the termination (or non-establishment, as the case may be) of such a relationship. In the event that the policy holder and the insured person are different people, the policy holder is obliged to inform the insured person or persons of the purposes and legitimacy of the processing of the data indicated above, to be carried out by the insurer, as well as to exercise the rights described below with regard to this person.

1.3. Communication of data

In order to make a comprehensive range of products and services available to customers, if the customer has given the appropriate consent through the Framework Contract signed with CaixaBank, and his or her authorisation for the processing of data analysis and study (1.3.1), and for the commercial offer of products and services (1.3.2), if granted, it will include CaixaBank, and companies of the CaixaBank group listed at www.caixabank.es/empresasgrupo (the "CaixaBank Group Companies"), who may use them for the purposes indicated. For this purpose, customer data will be managed from a common repository of information for the CaixaBank Group of companies.

The data included in this common repository will be:

  • a. All those provided for the establishment or maintenance of commercial or business relations.
  • b. All those generated during the acquisition and operating of products and services with CaixaBank, CaixaBank Group companies or third parties, such as account or card transactions, details of direct debit receipts, direct deposit of salaries, claims arising from insurance policies/pension plans, complaints, etc.
  • c. All those obtained by CaixaBank from the provision of services to third parties, when the service is intended for the customer, such as the management of transfers or bills.
  • d. Their status as shareholders of CaixaBank or not, in accordance with the records of the bank, or of the companies which, in accordance with the regulations governing the securities market, are required to keep the records of the securities represented by means of book entries.
  • e. Those obtained from social networks that the client authorises CaixaBank to use.
  • f. Those obtained from third parties as a result of data aggregation requests made by the customer.
  • g. Those obtained from customer browsing through the Línea Abierta remote banking service and other websites of CaixaBank and CaixaBank Group companies or mobile phone applications of CaixaBank and CaixaBank Group companies, in which they are duly identified. This data may include information relating to geo-location.
  • h. Those obtained from chats, walls, video-conferences or any other means of communication established between the parties.

The customer data included in the common repository will be complemented and enriched by data obtained from companies providing commercial information, by data obtained from public sources, as well as by statistical and socio-economic data (hereinafter "Additional Information"), always verifying that these comply with the requirements established in the current data protection regulations.

  • 1.3.1. Analysis, study and follow-up procedures for the offer and design of products and services adjusted to the client's profile.

    If consent has been given through the Framework Contract signed with CaixaBank, where appropriate, the customer authorises the processing of the data for the following purposes:

    • (i) To proactively carry out risk analyses and apply them to their technical statistical and customer segmentation data, with a threefold purpose: a) To study products or services that may be suited to their specific commercial or credit profile and situation, all this in order to make commercial offers that are suited to their needs and preferences; b) To monitor the products and services acquired; c) To adjust recovery measures on non-payments and incidents arising from the products and services arranged.
    • (ii) To associate its data with those of companies with which it has some kind of link, both in terms of ownership and in terms of management, in order to analyse possible economic interdependencies in the study of service offers, risk requests and product contracting.
    • (iii) To conduct studies and automatic controls for fraud, non-payment and incidents arising from the products and services contracted.

      The procedures indicated in sections (i), (ii) and (iii) may be carried out in an automated manner and may involve the preparation of profiles for the purposes already indicated. To this end, we inform you of your right to obtain human intervention in the processing, to express your point of view, to obtain an explanation of the decision taken on the basis of automated processing, and to challenge that decision.

    • (iv) To carry out customer satisfaction surveys via telephone or electronic means with the aim of evaluating the services received from CaixaBank and CaixaBank Group companies.
    • (v) To design new products and services or to improve the design and usability of the existing ones, as well as to define or improve the experiences of users in their relationship with CaixaBank and the CaixaBank Group companies.
  • 1.3.2. Procedures for the commercial offer of products and services from CaixaBank and CaixaBank Group companies.

    If consent has been given, the customer authorises the processing of the data for the following purposes:

    To send commercial communications on paper or by electronic or telematic means, relating to the products and services that, at any given time are: a) marketed by CaixaBank, b) marketed by any of the CaixaBank Group companies c) marketed by companies in which CaixaBank has a holding and third parties whose activities include banking, investment and insurance services, holding of shares, venture capital, real estate, transport, sale and distribution of goods and services, consultancy, leisure or social welfare services.

    The customer may choose at any time the various channels or means by which he or she wishes to receive the above-mentioned commercial communications through his or her private space at Línea Abierta, or through the CaixaBank branch network.

1.4. Rights

The policy holder/plan promoter, the insured person/participant and the beneficiary, if applicable, may exercise the rights recognised in the regulations on the protection of personal data in force at any given time (right of access, rectification, deletion, limitation, opposition and portability of data) in accordance with the applicable regulations:

  • By writing to VidaCaixa (reference DERECHOS RGPD) at its head office located at Paseo Recoletos 37, 3º (28004 Madrid).
  • By writing to CaixaBank (reference DERECHOS RGPD) at its head office located at calle Pintor Sorolla, 1 (49002 Valencia).
  • To the following e-mail addresses:

    www.caixabank.com/delegadoprotecciondedatos
    www.vidacaixa.es/es/ejercicio-de-derechos

  • By means of the options enabled for this purpose in their Línea Abierta, if applicable.

Furthermore, customers are advised that they may address any claims arising from the processing of their personal data to the Spanish Data Protection Agency (www.agpd.es).

1.5. Period of data retention

The data will be handled for as long as the authorisations for use granted or the contractual or business relations established remain in force.

Once the authorisations for use have been revoked or the contractual or business relationship established has ended, and the data is not necessary for the purposes for which it was collected or processed, the data will no longer be used.

In accordance with the regulations, the data will be kept for the sole purpose of complying with the legal obligations imposed on VidaCaixa and/or CaixaBank Group companies, and for the formulation, exercise or defence of claims, during the period of limitation of the actions derived from the contractual or business relations between the parties.