[F13] Data protection

[F32] Data protection

Treatment of personal data of VidaCaixa customers

1. How we process your personal data

In order to manage your relationship with us, VidaCaixa processes your personal data for various purposes, always in accordance with the provisions of current regulations, respecting your rights and with complete transparency.

Therefore, you can see the full details of how we use your data in the relationship we have with you in this document, which you can consult at www.vidacaixa.es/en/data-protection, at any time. Furthermore, if you wish, you can request a hard copy of this information at any of our branches.

The main legislation regulating our processing of your personal data is as follows:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repealed Directive 95/46/EC (hereinafter the RGPD);
  • Organic Law 3/2018, of 5 December, on Personal Data Protection and the guarantee of digital rights (hereinafter LOPD).

2. Who processes your data

Data controller: The data controller of your personal data in your contractual and business relationships with us (“Contractual Relationships”) is VidaCaixa, S.A.U de Seguros y Reaseguros (hereinafter, “VidaCaixa”) with registered office at Paseo de la Castellana 51, planta 1ª, 28046 Madrid (Spain), and with Tax ID Number A-58333261.

Joint data controllers: n addition, for certain processes which we will tell you about in detail in this document, VidaCaixa and some of the companies in the CaixaBank Group will jointly process your data, and jointly decide the purposes (“what the data are used for”) and the media used (“how the data are used”), and as such are joint controllers of this processing.

The processes jointly carried out by VidaCaixa and companies in the CaixaBank Group are described in detail under heading 6 “How we process your data”.
Furthermore, you can see the list of companies processing your data and essential aspects of the joint processing agreements at: www.caixabank.es/empresasgrupo.

3. Data Protection Officer

VidaCaixa has designated CaixaBank’s Data Protection Officer (DPO), who was appointed for all the companies in the CaixaBank Group to be responsible for privacy and data protection in the performance their activities.

Customers may contact the Data Protection Officer directly by sending an email to delegado.proteccion.datos@caixabank.com or by writing to Delegado de Protección de Datos, Calle Pintor Sorolla núm. 2-4 (49002 Valencia).

Exercise of rights and submission of claims to the Spanish Data Protection Agency (AEPD)

You can exercise your rights of access, rectification, objection, deletion, limitation and portability of your personal data, to withdraw your consent and not to be subject to automated decisions, in accordance with the law.

You can ask to exercise these rights via any of the following channels:

  • at our CaixaBank branches abiertas al públicothat are open to the public
  • using the options available on your online banking and on our mobile apps
  • at the URL exercise of rights
  • by writing to Apartado de Correos n.º 51 de Paseo de la Castellana, 28046 Madrid

Furthermore, if you have any claim arising from processing your data you can address it to the Spanish Data Protection Agency (www.aepd.es).

5. Data categories

At VidaCaixa we process different personal data or managing the Contractual Relationships you enter into with us, the remaining data processing arising from your status as a customer, and if you have given your consent in the Framework Contract entered into with CaixaBank, for processing your data for the activity set out under heading 6.1.

To make it easier to understand, we have arranged the data we process into the categories set out below.

Not all the data categories listed are used for all the data processing. Under heading 6, where we set out our data processing, you can see the categories of data used specifically for each particular process, giving you the information needed to exercise your rights as recognised in the GDPR, if you so wish, in particular those of objection and revocation of consent.

The categories of data used in the various types of processing set out under heading 6 are as follows:

 > Data that you have provided us with when signing up to your contracts, or during your relationship with us in interviews or on forms.. These data are as follows:

  • identification and contact data: your identity document, full name, gender, postal, telephone and electronic contact information, home address, nationality, date of birth and communication language.
  • socio-economic data: details of your professional or working activity, income or remuneration, family unit or circle, level of education, assets, fiscal data and tax data.
  • financial data: contracted products and services, and connection to the product (status as holder, authorised party or representative).
  • necessary health data.
  • biometric data: voice biometrics or body mass index.

 > Data observed for product and service maintenance. These data are as follows:

  • financial data: information about the notes and movements on current accounts, including the type of transaction, the issuer, the amount and the description, information about investments made and their evolution, information about financing, statements of transactions with debit and credit cards, products taken out and payment history.
    It is important that you know that we will not process data observed for product and service maintenance that may contain information that discloses your ethnic or racial origin, your political opinion, your religious or philosophical beliefs, your union membership, genetic or biometric data aimed at unequivocally identifying you, or data relating to your sex life or sexual orientation (“Sensitive Data”) .
  • or whether you are a VidaCaixa shareholder.
  • digital data: the data obtained from the communications we have set up between you and us in chats, online walls, video conferences, telephone calls, or equivalent media, and the data obtained from you browsing our web site or mobile apps and the browsing you do on them (device ID, publicity ID, IP address and browser history), in the event that you have accepted the use of cookies and similar technologies on your browsing devices.
  • necessary health data.

> Data inferred or deduced by VidaCaixa from analysing and processing the remainder of the data categories. These data are as follows:

  • grouping customers into categories and segments depending on their age, assets and estimated income, transactions, balances, consumer habits, preferences or propensities for contracting products, demographics, and relationship with other customers.
  • scoring ratings that assign probabilities of payment or non-payment or risk limits.

 > Data that you have not given us directly obtained from sources that are accessible to the public, public records or external sources. These data are as follows:

  • data about persons or bodies that are included in laws, regulations, directives, resolutions, programmes or restrictive measures on international economic/financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, the UK, and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
  • cadastral or statistical data obtained from companies providing socio-economic and demographic statistical studies associated with geographical areas or postcodes, and not with specific people.
  • data from social networks or the internet that you have made public or that you authorise us to consult.
  • data obtained to check the survival of beneficiaries of life or temporary income arising from insurance transactions and facilitate payment of benefits to insurance beneficiaries in the event of the death of the insured party recorded by the National Death Index (INDEF).

6. How we process your data

We process your data in a variety of ways according to different purposes and legal bases:

  • Consent-based processing
  • Processing needed to fulfil Contractual Relationships
  • Processing needed to comply with legal obligations
  • Processing based on VidaCaixa’s legitimate interest

6.1 CONSENT-BASED PROCESSING

This processing has your consent as its legal basis, as provided for in article 6.1.a) of the General Data Protection Regulation (GDPR).

We may have requested this consent via different channels, for example, in the interview where you became a CaixaBank customer, via our electronic channels, by any channel of  Bankia S.A. before the merger with CaixaBank or in any member of the CaixaBank group of companies. If, for any reason, we have never asked for you consent, this processing will not be carried out.

You can check the authorisations that you have consented to or rejected, and change your decision at any time free of charge, at CaixaBank branches, at our branches, on the VidaCaixa website (www.vidacaixa.es) and on the websites of any one of the companies in the CaixaBank group, or in your private area on the CaixaBank website or mobile apps. References to offices, websites or mobile applications include those originating in Bankia S.A. that remain operational during technological integration of the organisations' systems during the merger process.

Consent-based processes are shown below. We show the following for each one: the description of the purpose (Purpose), whether the processing is carried out jointly with other companies in the CaixaBank Group (Joint Controller/Data controller), or not, and the data categories used (Categories of data processed).

If you granted consent to Bankia – not to CaixaBank – to process your data for commercial purposes prior to the merger with CaixaBank, we will apply Process A below to your data in accordance with the preferences you indicated to Bankia when you provided them.

Specifically, the processing described in Section A below will only be performed by other companies of the CaixaBank group under joint responsibility if you originally consented to disclosure of your data among companies of the former Bankia group (now CaixaBank).

   A. Commercial offer of products and services from VidaCaixa and Companies in the CaixaBank Group

Purpose: The purpose of this data processing is to make offers and marketing available to you, in hard copy or using electronic or computer media, relating to the products and services that, at any time: a) are marketed by CaixaBank; b) are marketed by any Companies in the CaixaBank Group; and c) are marketed by companies that CaixaBank has holdings in, and third parties whose activities fall under banking, investment and insurance services, shareholdings, venture capital, property, roadways, sales and distribution of assets and services, consultancy, leisure and charity-social services.

The customer may, at any time, choose the various channels or media that they wish, or do not wish, to receive these marketing communications from via their private space on Línea Abierta, or by managing them in CaixaBank branches.

We will only process your data in this way if you have given your consent to it. Your consent will remain in force until you withdraw it.

If you cancel all your products or services from the companies in the CaixaBank Group, but forget to withdraw your consent, we will do it automatically.

Categories of data processed: The data category we process for this purpose, the content of which is set out under heading 5 is:

  • data you have provided us with (identification and contact details).

Joint data controllers: The processing of your data in the category shown, for the purpose of informing you about our commercial offers of products and services using the channels selected by you, is carried out jointly by the same companies in the CaixaBank Group:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • CaixaBank Electronic Money, EDE, S.L.
  • VidaCaixa, S.A.U. de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Equipment Finance, S.A.U.
  • Promo Caixa, S.A.U.
  • Comercia Global Payments, E.P. S.L. 
  • Buildingcenter, S.A.U. 
  • Imagintech S.A.

These companies may share the data and use them for the same purpose of informing you about a commercial offer.
You can see the list of companies processing your data, along with the essential aspects of the joint processing agreements, at: www.caixabank.es/empresasgrupo.

   B. Data communication

Purpose: In order to make a comprehensive range of products and services available to customers, in the event that the customer has given the relevant consent in the Framework Contract entered into with CaixaBank, their authorisation for analysis and data study processing, and for the commercial offer of products and services (B), in the event this is given, will include VidaCaixa and the companies in the CaixaBank Group listed in www.caixabank.es/empresasgrupo (the “Companies in the CaixaBank Group”), who may use them for the purposes shown. For this purpose, customers’ data will be managed in a shared information repository belonging to the Companies in the CaixaBank Group.

Categories of data processed: The data categories we process for this purpose, the content of which is set out under heading 5 are:
a. All those provided when setting up or maintaining commercial or business relationships.
b. All those generated in contracting and maintaining products and services with CaixaBank, with Companies in the CaixaBank Group, or with third parties, such as movements on accounts or cards, details of direct debits, direct salary deposits, incidents arising from insurance policies/pension plans, claims, etc.
c. All those that VidaCaixa obtains from providing services to third parties, when the customer is the recipient of the service, such as bank transfers or bill management.
d. Whether they are a shareholder of VidaCaixa as recorded on the entity’s registers, or those of the entities that, in accordance with stock market regulatory legislation, must keep registers of the securities represented by making book entries.
e. Those obtained from the social networks that the customer authorises CaixaBank to consult.
f. Those obtained from third party entities as a result of data aggregation requests requested by the customer.
g. Those obtained from the customer using the Línea Abierta remote banking service and other websites of CaixaBank and Companies in the CaixaBank Group, or the mobile phone app of CaixaBank and Companies in the CaixaBank Group, where the customer is required to log in. These data may include information relating to geolocation.
h. The customer’s data included in the common repository will be supplemented and enriched by data obtained from companies providing commercial information, data obtained from public sources, and statistical and socio-economic data (hereinafter, “Additional Information”), always verifying that they comply with the requirements provided for in the current data protection regulations

Joint data controllers: The processing of your data in the category shown, for the purpose of informing you about our commercial offers of products and services using the channels selected by you, is carried out jointly by the same companies in the CaixaBank Group, listed in the above section 6.1 (A). These companies may share your data and use them for the same purpose of notifying you of commercial offers.

You will find a list of companies that process your data and the essential aspects of the processing under joint responsibility at: www.caixabank.es/empresasgrupo

6.2 PROCESSING NEEDED TO FULFIL CONTRACTUAL RELATIONSHIPS

The legal basis for this data processing is the fact that it is needed to manage the contracts that you request or you are a part of, or, if you request it, apply pre-contractual measures, as provided for in article 6.1.b) of the General Data Protection Regulation (GDPR).

Therefore, the processing is necessary so that you can set up and maintain Contractual Relationships with us. If you object to it, we will either end the relationships or not be able to set them up if we have not already started them.

The processing needed to fulfil contractual relationships is shown below. We show the following for this processing: the description of the purpose (Purpose), whether the processing is carried out jointly with other companies in the CaixaBank Group (Joint Controller/Data controller:), or not, and the data categories used (Categories of data processed)

Formalising, maintaining and fulfilling Contractual Relationships

Purpose: The purpose of this data processing is to formalise and maintain the Contractual Relationships that you enter into with us. Taking out the VidaCaixa products and services that are available at any time on the VidaCaixa website will be done with the mediation of CaixaBank, in its capacity as the banking insurance operator of VidaCaixa. Therefore, you should have the identification and signature systems available that CaixaBank requires in each case.
This includes processing your requests or orders, preliminary contract management (pre-contractual relationships) and dealing with your requests for access to draws, promotions or events.
This data processing involves collecting the information needed to set up the relationship or manage the request, assessing the suitability of the contract and dealing with the information needed for proper contract maintenance and performance.
The processing tasks involved in formalising, maintaining and fulfilling Contractual Relationships are as follows:

  • Collecting and recording the data and documents needed to take out the products requested.
  • Formalising signature of the contracts for products and services.
  • Managing the operation of the products and services you have taken out with us. This includes managing incidents arising and noting and verifying book entries for receipts and payments for products.
  • Taking steps to resolve any non-payments that may arise, which includes making claims for non-payments.
  • Communications arising from managing the Contractual Relationships.
  • Monitoring and responding to your complaints and/or claims.
  • Dealing with your requests for access to draws, promotions or events, including managing them.

Categories of data processed: The data categories we process for this purpose, the content of which is set out under heading 5 are:

  • Data provided by you.
  • Data observed for product and service maintenance, and, if appropriate, necessary health data.

Data controller: The data controller for this processing is VidaCaixa. There is no joint processing with other controllers.

6.3. PROCESSING NEEDED TO COMPLY WITH LEGAL OBLIGATIONS

The legal basis for this data processing is the fact that it is needed to comply with a legal obligation that is required of us, as provided for in article 6.1.c) of the General Data Protection Regulation (GDPR).

Therefore, it is necessary so that you can set up and maintain Contractual Relationships with us. If you object to it, we must either end the relationships or not be able to set them up if we have not already started them.

The processing needed to comply with legal obligations is shown below in order from (A) to (D).. We show the following for each one: the description of the purpose (Purpose), whether the processing is carried out jointly with other companies in the CaixaBank Group (Joint Controller/Data controller:), or not, and the data categories used (Categories of data processed)

   A. Processing to comply with the regulations on prevention of money laundering and terrorist financing

Purpose: he purpose of this processing is to take the measures imposed on our activity by the Prevention of Money Laundering and Terrorist Financing Act 10/2010..

The processing work carried out to comply with the legislation on the prevention of money laundering and terrorist financing is as follows:

  • Collecting the information and documentation that enables compliance with due diligence measures and knowledge about customers.
  • Verifying if you hold, or have held, posts with public responsibility.
  • Checking the information you provide, comparing it with external sources, or public registry databases, official gazettes or companies providing information services.
  • Verifying your relationship with companies and, if necessary, your position of control in their ownership structure.
  • Communicating and updating, on a monthly basis, your information on the Financial Ownership Index, which is the responsibility of the Executive Service of the Commission for Prevention of Money Laundering and Monetary Offences (SEPBLAC)

Categories of data processed: The data categories we process for this purpose, the content of which is set out under heading 5 are:

  • Data provided by you
  • Data observed for product and service maintenance, except for sensitive data
  • Data inferred or deduced by VidaCaixa
  • Data you have not provided us with directly

Joint data controllers: The following companies in the CaixaBank Group carry out processing jointly to comply with the prevention of money laundering and terrorist financing obligations. These companies may share data and use them for the purpose shown.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa, S.A. de Seguros y Reaseguros
  • BPI Vida e Pensões - Companhia de Seguros, S.A.
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U.
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • CaixaBank Wealth Management Luxembourg, S.A.
  • CaixaBank Asset Management Luxembourg, S.A.
  • BPI Gestão de Ativos, SGOIC, S.A.
  • Banco BPI, S.A.
  • CaixaBank Titulización, S.G.F.T., S.A.U. 
  • Bankia Fondos S.G.I.I.C., S.A.
  • Bankia Pensiones, S. A., E. G. F. P.
  • Bankia Habitat, S.L.U.
  • Bankia Fintech Venture, S.A.

   B. Processing for the purpose of complying with tax legislation

Purpose: The purpose of this processing is to take the measures imposed on our activity by the General Tax Act 58/2003, of 17 December, and other current tax legislation.
The processing work carried out to comply with tax legislation is as follows:

  • Collecting the information and documentation relating to your taxation as provided for in the tax regulations.
  • Reporting data relating to your taxation to the public authorities, where this is provided for in the regulations or required by the authorities.

Categories of data processed: The data categories we process for this purpose, the content of which is set out under heading 5, are:

  • Data provided by you
  • Data observed for product and service maintenance, except for sensitive data

Joint data controllers: The following companies in the CaixaBank Group carry out processing jointly to comply with tax obligations. These companies may share data and use them for the purpose shown.

  • CaixaBank, S.A.
  • VidaCaixa, S.A. de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U.
  • CaixaBank Titulización, S.G.F.T., S.A.U. 
  • CaixaBank Notas Minoristas, S.A.U.
  • Bankia Fondos S.G.I.I.C., S.A. 
  • Bankia Pensiones, S. A., E. G. F. P. 
  • Segurbankia, S.A.
  • Bankia Mediación, OBSV

   C. Processing to comply with obligations arising from international sanctions and financial countermeasures policies

Purpose: The purpose of this processing is to adopt the measures imposed on our activity in the international sanctions and financial countermeasures programmes adopted by the European Union and the Kingdom of Spain.
The processing work carried out to comply with the international sanctions and financial countermeasures programmes is as follows:

  • Comparing if you appear on lists of persons or bodies that are included in laws, regulations, directives, resolutions, programmes or restrictive measures on international economic-financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).

Categories of data processed: The data categories we process for this purpose, the content of which is set out under heading 5, are:

  • Data provided by you
  • Data you have not provided us with directly

Joint data controllers: The following companies in the CaixaBank Group carry out processing jointly to comply with the obligations arising from the international sanctions and financial countermeasures policies. These companies may share data and use them for the purpose shown.

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa, S.A. de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Electronic Money EDE, S.L. (MoneyToPay)
  • CaixaBank Asset Management SGIIC, S.A.U.
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Banco BPI, S.A.
  • CaixaBank Wealth Management Luxembourg, S.A.
  • Bankia Fondos S.G.I.I.C., S.A.
  • Bankia Pensiones, S. A., E. G. F. P. 
  • Bankia Habitat, S.L.U. 
  • Bankia Fintech Venture, S.A.

   D. Processing to comply with obligations arising from Solvency regulations

Purpose: The purpose of this processing is to adopt the measures imposed on our activity by Solvency regulations.

The data processing needed to properly manage the contract (including, as appropriate, additional services to it) complying with the provisions of the legal regulations for the insurance sector (Insurance Policy Act 50/1980, of 8 October, Law 20/2015, of 14 July, on the organisation, supervision and solvency of insurance and reinsurance entities, Royal Decree 1060/2015, of 20 November, on the organisation, supervision and solvency of insurance and reinsurance entities, Law 26/2006, of 17 July, on private insurance and reinsurance brokerage and/or any other legislation that may be applicable) and for the social provision sector (Royal Legislative Decree 1/2002, of 29 November, which approved the consolidated text of the Pension Plans and Funds Regulation Act, Royal Decree 304/2004, of 20 February, which approved the pension plans and funds Regulation, Law 5/2012, of 23 February, on Voluntary Social Welfare Entities, Decree 203/2015, of 27 October, which approved the Regulation of Law 5/2012, of 23 February, on Voluntary Social Welfare Entities).

Amongst others, VidaCaixa, as the insurance/managing entity, may process the data to carry out the relevant suitability and advisability test, to carry out risk assessment, selection and classification, to calculate and collect premiums, to resolve incidents and pay benefits, to exchange information with insurance distributors/plan marketers, to retain the data for statistical/actuarial and fraud prevention purposes, to record policies, incidents, technical and investment provisions, to communicate the data shown to other insurance or reinsurance entities, along with the insured risks in this policy, for the purposes of co-insurance, reinsurance, portfolio assignment or management and to resolve complaints and claims, as well as due communication with Public Authorities and Bodies.

All this processing is needed to set up and maintain the commercial relationships with VidaCaixa and objection to it would necessarily lead to the termination (or not setting up, as appropriate) of these relationships. In the event that the policy holder and the insured party are different people, the policy holder undertakes to inform the insured party or parties about the purposes and legitimation of the afore-mentioned data processing, to be carried out by the insurer, as well as that they can exercise the rights shown below with the latter.

Categories of data processed: The data categories we process for this purpose, the content of which is set out under heading 5, are:

  • Data provided by you
  • Data you have not provided us with directly

Data controller: The data controller for this processing is VidaCaixa. There is no joint processing with other controllers.

6.4 PROCESSING BASED ON VIDACAIXA’S LEGITIMATE INTEREST

The legal basis for this processing is the fulfilment of legitimate interests pursued by VidaCaixa or by a third party, as long as such interests to not prevail over your interests, or your fundamental rights and freedoms, as provided for in article 6.1.f) of the General Data Protection Regulations (GDPR).

Carrying out this processing means that we will have carried out a weighting between your rights and our legitimate interest in which we will have concluded that the latter prevails. Otherwise we will not carry out the processing. You can request the analysis weighting the legitimate interest of processing at any time by sending your query to the following email address delegado.proteccion.datos@caixabank.com.

Furthermore, we would like to remind you that you have the right to object to processing based on legitimate interest.. You can do so easily and free of charge using the channels shown under heading 4.
This processing is set out below in order from (A) to (C). We show the following for each one: VidaCaixa’s legitimate interest, the description of the purpose (Purpose), whether the processing is carried out jointly with other companies in the CaixaBank Group (Joint Controller/Data controller), and the data categories used (Categories of data processed).

    A. Managing the performance of employees, agents and suppliers

VidaCaixa’s legitimate interest: VidaCaixa’s legitimate interest in carrying out this processing is to manage relationships with employees and suppliers based on the analysis of their professional performance.

Purpose: The purpose of this processing is to analyse transactions and contracts that employees, agents and suppliers have with customers, in order to monitor their professional performance.

This data processing processes customer information, but the information is ancillary to the purpose sought. The processing does not have any effect or consequence for the data subject.

Processing carried out to manage the performance of employees, agents and suppliers is:

  • Monitoring the business activity of employees, agents and suppliers to calculate incentives and awards.

Categories of data processed: The data categories we process for this purpose, the content of which is set out under heading 5, are:

  • Data provided by you
  • Data observed for product and service maintenance, except for sensitive data
  • Data inferred or deduced by VidaCaixa
  • Data you have not provided us with directly

Data controller: The data controller for this processing is VidaCaixa.
There is no joint processing with other controllers.

    B. Fight against fraud

VidaCaixa’s legitimate interest: VidaCaixa’s legitimate interest in carrying out this processing is to prevent fraud that may cause financial or reputational losses.

Purpose: The purpose of this processing is the fight against fraud that may affect VidaCaixa, you and the rest of our customers.
The processing work carried out to fight against fraud is as follows:

  • The obligation to collect customer information to set up and maintain Commercial Relationships.

VidaCaixa must collect sufficient information and/or documentation to justify the customer's identity and the purpose and nature of the proposed business relationship, the nature of their professional or business activity, the volume of that activity and the origin of the funds used to run the Commercial Relationships entered into with VidaCaixa.

The customer undertakes to provide information and documentation relating to the origin of their funds, their business or professional activity and identity documentation that has been requested.

Inaccuracy or lack of veracity in the data provided or the documents provided, and non-compliance with the commitments taken on, may be sufficient grounds for VidaCaixa to refuse to set up Commercial Relationships and will enable VidaCaixa to limit, suspend, or, as appropriate, end the Commercial Relationships that may have been set up.

  • Customer commitments, statements, authorisations and obligations relating to the requirements demanded in relation to the prevention of money laundering and terrorist financing.

(i) The customer undertakes to provide the information and/or documentation required by CaixaBank and/or VidaCaixa to justify their identity and the purpose and nature of the proposed business relationship, the nature of their professional or business activity, the volume of that activity and the origin of the funds used to run the Commercial Relationships entered into with VidaCaixa.

(ii) The Customer states that the data provided to set up the Commercial Relationships with VidaCaixa are theirs, complete and true, and undertakes to notify any change occurring to them and to provide as much information and/or documentation as required to verify and complete their content, and facilitate the due diligence measures provided for in Law 10/2010, of 28 April, on the prevention of money laundering and terrorist financing, its implementing regulations, and any other regulation of the matter (hereinafter, all referred to jointly as “Law 10/2010”).

(iii) The Customer undertakes to actively collaborate with VidaCaixa from the start of and during the course of all the Commercial Relationships, in application of and in compliance with the due diligence measures arising from Law 10/2010. This includes giving VidaCaixa all the information and/or documentation that VidaCaixa considers necessary, whether relating to their personal circumstance or regarding transactions carried out in performance of the Commercial Relationships entered into by the Customer.

(iv) The Customer authorises VidaCaixa, and the companies in the “la Caixa” Group to exchange information needed to comply with the obligations provided for in Law 10/2010. The information exchanged by VidaCaixa and the companies in the “la Caixa” Group under this authorisation will be used for the sole purpose of compliance with the obligations provided for in the aforementioned legislation, and will not be used for other purposes in any case whatsoever.

(v) The Customer states that they have been informed that the current legislation on the prevention of money laundering and terrorist financing obliges banks, insurance companies and pension plan managers to obtain information from their customers about their identity and economic activity and to verify it.

For the exclusive purposes of verifying the information provided, the Customer gives their express consent to VidaCaixa so that, in their name, it may request such information from the Social Security Treasury. The data obtained from the Social Security Treasury will exclusively be used for the process set out above. In the event of non-compliance with this obligation by VidaCaixa and/or the personnel providing services in it (and/or its distributors), all the actions provided for in the personal data protection legislation in force at any time will be carried out.

In the event that the data obtained from the Social Security Treasury do not coincide with the data provided by the Customer, they will be notified of this fact so that, as appropriate, they may rectify the information given to VidaCaixa.

  • Performance of posts with public accountability

The Customer is informed that, in the event that they personally perform, or have performed, important public duties, or held other posts provided for in Law 10/2010, or one of their family members and/or next of kin does, they should notify this circumstance to CaixaBank herein and provide such information and documentation as enables verification of the nature or their professional or business activity and the origin of their asset and the funds used for the Commercial Relationships with CaixaBank of the companies in the CaixaBank Group.

Categories of data processed: The data categories we process for this purpose, the content of which is set out under heading 5, are:

  • Data provided by you
  • Data observed for product and service maintenance, except for sensitive data
  • Data inferred or deduced by VidaCaixa
  • Data you have not provided us with directly

Data controller: The data controller for this processing is VidaCaixa. There is no joint processing with other controllers.

    C. Creation of statistical reports to monitor and manage VidaCaixa’s activity

VidaCaixa’s legitimate interest: VidaCaixa’s legitimate interest is to monitor the evolution of the Entity’s business, study the behaviour and evolution of the customer, products and services portfolio and design new ones.

Purpose: The purpose of this processing is to prepare statistical reports and mathematical models enabling the Entity's activity to be monitored.

The processing work carried out to create statistical reports to monitor and manage VidaCaixa’s activity is as follows:

  • Grouping customer data and their Contractual Relationships to compile statistics
  • Processing statistical data to compile management reports and create mathematical models

Categories of data processed: The data categories we process for this purpose, the content of which is set out under heading 5, are:

  • Data provided by you
  • Data observed for product and service maintenance, except for sensitive data
  • Data inferred or deduced by VidaCaixa
  • Data you have not provided us with directly

Data controller: The data controller for this processing is VidaCaixa. There is no joint processing with other controllers.

7. Recipients of the data

Data controller and joint data controllers
The data we process due to the fact that you are a VidaCaixa customer is processed at VidaCaixa. If the processing is joint, it is carried out by companies in the CaixaBank Group, in accordance with what we have stated for each type of processing.

Authorities or official bodies
VidaCaixa may be legally obliged to provide information obtained within the framework of products and services taken out by you to the authorities or official bodies or other countries, whether in or outside the European Union, within the framework of combating terrorist financing and serious forms of organised crime and the prevention of money laundering, as well as within the framework of complying with the provisions of the legal regulations for the insurance sector shown above under heading 6.4.

Furthermore, we inform you that you can exercise your rights of access, rectification, objection, deletion, limitation and portability of your personal data, and not to be subject to automated decisions, in accordance with the law, regarding these compliance or non-compliance files at the addresses shown above.

Data communication when outsourcing services
We occasionally use service providers with potential access to personal data.
These providers give suitable, sufficient warranties in relation to data processing, as we have a responsible selection of service providers who meet specific requirements in the event that the services involve personal data processing.
The types of services that we may entrust to services providers are as follows:

  • Back office financial services
  • Administrative support services
  • Audit and consultancy services
  • Legal and asset and debt recovery services
  • Payment services
  • Marketing and publicity services
  • Questionnaire services
  • Call Centre Services
  • Logistics services
  • Physical security services
  • IT services (systems and information security, cybersecurity, IT systems, architecture, hosting and data processing)
  • Telecommunications services (voice and data)
  • Printing, packing, postal and courier delivery services
  • Information custody and destruction services (digital and hard copy)
  • Buildings, installations and equipment maintenance services

Data communication to Reinsurance entities
In accordance with article 6.7 of Law 20/2015, of 14 July, on the organisation, supervision and solvency of insurance and reinsurance entities (LOSSEAR), reinsurance is understood to be the following: Activity consisting of accepting risks assigned by an insurance entity or a reinsurance entity, including insurance or reinsurance entities in other countries. Moreover, article 77 of the Insurance Policy Act 50/1980, of 8 October, (LCS), provides that in the reinsurance contract the reinsurer undertakes to make good, within the limits provided for in the Act and in the policy, the debt arising in the reinsured party’s assets as a result of the obligation taken on by it as insurer in an insurance policy (article 77 of the Insurance Policy Act and 6.7 of the LOSSEAR).

The main function of the reinsurance policy is to manage VidaCaixa’s exposure to risk, as the insurance company, essentially with the aim of reducing it by transferring it, to a greater or lesser extent, to the reinsurance company. Reinsurance is, therefore, a vitally important tool for managing VidaCaixa’s balance sheet and solvency as an insurance company.

Within the framework of taking out reinsurance, article 99.4 of the LOSSEAR expressly provides that insurance companies, or, as appropriate, reinsurance companies, may communicate, without the consent of the policy holder, insured party, beneficiary or aggrieved third party, the data that are strictly necessary to enter into the reinsurance policy to its reinsurance entities, under the terms provided for in article 77 of the Insurance Policy Act 50/1980, of 8 October, o rcarry out connected transactions. These are understood to be carrying out statistical or actuarial studies, risk analysis or research for their customers, and any other activity related to or arising from reinsurance activity. Assigning such data for any purpose other than those provided for in the previous paragraph will require consent from the data subject.

Based on the doctrine authorised by the Spanish Data Protection Agency, reinsurance is a type of insurance that covers the risk taken on by insurers when providing direct insurance policies to their customers. That is to say, a policy where an insurance company assigns a part of the risk taken on to another reinsurance entity. The ultimate purpose of reinsurance is to offset the loss of assets that the direct insurer experiences when an event occurs that puts it under the obligation to compensate their insured party. The reinsurance policy is defined in article 77 of the Insurance Policy Act 50/1980, of 8 October, (hereinafter, LCS) and, in spite of the intimate relationship it has with the insurance policy, both policies, between themselves, work “autonomously and independently, without prejudice to the fact that the direct insurance is a necessary presupposition for the reinsurance”.

The LCS provides that “the requirements of article 2 with regard to the obligatory nature of its precepts are not applicable (article 79 LCS), with the lack of any direct relationship between the insurer and reinsurer being noteworthy. As a result, it is an internal agreement between the insurer and reinsurer whereby the latter undertakes to compensate the former within the limits of the agreement. This is an obligation that arises when the direct insurer’s obligation to its insured party arises and only when the claim by the insured party from the insurer becomes a fixed amount and due will the insurer be able to claim the amount from the reinsurer. The reinsurer will not take direct part in settling the base claim, except where expressly agreed otherwise, and the insured part may not take direct action against the reinsurer”. Therefore, the reinsurer will not have any type of direct contact with the insured parties.

On the other hand, with reference to personal data communication to the reinsurer, the data may only be communicated for purposes directly relating to the legitimate functions of the insurer, in this case, VidaCaixa, and the reinsurance entity, which do not require prior consent from the insured party, in as far as it is entitled by regulations having the force of law (article 99 LOSSEAR).

8. Time frames for retaining the data

Retention to maintain the Contractual Relationships
We will process your data while the Contractual Relationships we have set up last. . 

Retention of authorisations for consent-based processing
We will do processing based on your consent until you withdraw it.
If you cancel all your contracts for products and services with the companies in the CaixaBank Group, but do not revoke the consents you gave us, we will automatically void them from when you cease to be a customer.

Retention to comply with legal obligations and making, exercising and defending claims
Once the authorisations to use your data have been revoked by withdrawing your consent, or at the end of the contractual or business relationships you may have set up with us, we will only retain your data to comply with legal obligations and to enable making, exercising or defending claims during the statute of limitations for actions arising from contractual relationships.
We will process these data using the technical and organisational means needed to ensure that they are only used for these purposes.

Data destruction
We will destroy your data when the time frames for retention imposed by the rules regulating VidaCaixa’s activity have passed and the statute of limitations for administrative or court action arising from the relationships set up between you and us has expired.

9. Data transfers outside the European Economic Area
VidaCaixa processes your data within the European Economic Area and, in general, we sub-contract service providers who are also located in the European Economic Area, or in countries that have been declared to have a suitable level of protection.

If we need to use service providers for processing outside the European Economic Area, or in countries that have not been declared to have a suitable level of protection, we will ensure that the security and legitimate processing of your data is guaranteed.

Therefore, we demand suitable guarantees from these service providers, in accordance with the provisions of the GDPR, for example, that they have binding corporate rules guaranteeing protection of the information in a similar manner to that provided for in European regulations, or that they sign up to European Union standard clauses.

10. Automated decisions
If, during the Contractual Relationships you maintain with us, we make decisions that may have legal effects on you, or may significantly affect you (for example, refusing you a contract for a specific product) solely and exclusively based on automated processing (that is to say, without a human being taking part), we will let you know about it and also about the logic behind it, in the contractual documentation for the product or service you have asked us for.

Furthermore, at that time, we will take steps to safeguard your rights and interests by giving you the right to human intervention, expressing your point of view and challenging the decision.

11. Review
We review this document every time it is needed to maintain you duly informed, for example, if new regulations or criteria are published or new processing is carried out. ;
We will notify you using the usual communications channels whenever substantial or significant changes to this document occur.