VidacaixaCorporativoBuscadorHeader
Breadcrumb
[F32] Protección de datos - Índice
Treatment of personal data of VidaCaixa customers
- 1. HOW WE PROCESS YOUR PERSONAL DATA
- 2. WHO PROCESSES YOUR DATA
- 3. DATA PROTECTION OFFICER
- 4. EXERCISE OF RIGHTS AND SUBMISSION OF CLAIMS TO THE SPANISH DATA PROTECTION AGENCY (AEPD)
- 5. DATA PROCESSED
- 6. HOW WE PROCESS YOUR DATA PURPOSES, LEGAL BASES AND PERSONAL DATA WE PROCESS
- 6.1. Consent-based processing
- 6.2. Processing needed to fulfil contractual relationship
- 6.3. Processing needed to comply with legal obligations
- 6.4. Processing based on VidaCaixa’s legitimate interest
- 7. RECIPIENTS OF THE DATA
- 8. TIME FRAMES FOR RETAINING THE DATA
- 9. DATA TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA
- 10. AUTOMATED DECISIONS
- 11. REVIEW
[F32] Protección de datos
June 2026 version
1. How we process your personal data
To manage your relationship with us, we will process your personal data for different purposes, while respecting your rights and ensuring full transparency.
This Privacy Policy (which you can consult at any time at: https://www.vidacaixa.es/privacidad) provides the full details on how we will use your data. In addition, if you like, you can request a paper copy of the policy at any CaixaBank branch.
The main legislation and regulations governing our processing of your personal data are as follows:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repealed Directive 95/46/EC (hereinafter the GDPR).
- Delegated Regulation (EU) 2015/35 of the Commission, of 10 October 2014, completing Directive 2009/138/EC, and European community regulations implementing solvency II (hereinafter, the Solvency II Regulation).
- Regulation (EU) 1286/2014, of 26 November 2014, on key information documents for packaged retail and insurance-based investment products (hereinafter, the KID Regulation).
- Directive (EU) 2016/97, of 20 January 2016, on insurance distribution (hereinafter, the IDD).
- Organic Law 3/2018, of 5 December, on Personal Data Protection and the guarantee of digital rights (hereinafter, the LOPDGGD).
- Law 50/1980, of 8 October, on Insurance Contracts (hereinafter, the LCS).
- Law 20/2015, of 14 July, on the organisation, supervision and solvency of insurance and reinsurance entities (hereinafter, the LOSSEAR).
- Law 5/2012, of 23 February, on Voluntary Social Welfare Entities (hereinafter, the VSWE Act).
- Royal Legislative Decree 1/2002, of 29 November, approving the consolidated text of the Pension Plans and Funds Regulation Act (hereinafter, the Pension Plans and Funds Act).
- Royal Decree-Law 3/2020, of 4 February, on urgent measures, which incorporates various European Union directives into the Spanish legal system in the fields of public procurement in certain sectors, private insurance, pension plans and funds, and on tax matters and tax litigation (hereinafter, the IDD Transposition).
- Royal Decree 1060/2015, of 20 November, on the organisation, supervision and solvency of insurance and reinsurance entities (hereinafter, the ROSSEAR).
- Royal Decree 304/2004, of 20 February, approving the Pension Plans and Funds Regulations (hereinafter, the Pension Plans and Funds Regulations).
- Decree 203/2015, of 27 October, approving the Regulations for Law 5/2012, of 23 February, on Voluntary Social Welfare Entities (hereinafter, the VSWE Regulations).
2. Who processes your data
Data controller: the data controller for your personal data in your relationships with us is VidaCaixa, S.A.U. de Seguros y Reaseguros (hereinafter, “VidaCaixa”) with NIF A-58333261 and registered office at Paseo de la Castellana 189, planta 1a y 2a, 28046 Madrid (Spain).
Joint data controllers: for certain types of processing, we will process your data jointly with other companies. Together we will decide the objectives and means used, and therefore we are joint controllers of this processing.
The types of processing for which VidaCaixa will process your data jointly with other companies are described in detail in section 6 “How We Process Your Data”.
The list of joint data controller companies and the essential aspects of this processing are available for you to consult at www.caixabank.es/empresasgrupo.
3. Data Protection Officer
VidaCaixa and the CaixaBank group companies have appointed a Data Protection Officer, who will help you resolve any queries relating to the processing of your personal data and the exercise of your rights.
You can contact the Data Protection Officer to send them any suggestions,
queries, questions or claims at the following address: www.caixabank.com/delegadoprotecciondedatos.
4. Exercise of rights and submission of claims to the Spanish Data Protection Agency (AEPD)
You can exercise your rights of access, rectification, objection, deletion, limitation and portability of your personal data, to withdraw your consent and not to be subject to automated decisions, in accordance with the law, through the following channels:
- at CaixaBank branches that are open to the public;
- at the URL: https://www.vidacaixa.es/privacidad;
- by writing to Apartado de Correos n.º 209, 46080 Valencia.
In addition, you can file claims with the Spanish Data Protection Agency (www.aepd.es).
5. Data processed
For the processing that we are explaining in this Policy, the data listed below will be used.
Not all the data listed in this section is used for all types of data processing. Section 6 details the data processing we carry out and you can consult the types of data we use for each type of processing.
In the case of consent-based processing, we will also inform you of the details of the specific data used.
The types and breakdown of the data we use is as follows:
> Data that you have provided us with when signing your contracts, or during your relationship with us in interviews or on forms:
- Identity and contact data: full name, sex, postal, telephone and e-mail contact information, home address, nationality, date of birth, language for communications, identity document, image and voice.
- Professional or employment activity and socio-economic data: your professional activity or employment status, income or remuneration, family unit or circle, level of education, assets, fiscal data and tax data.
- Biometric data: where authorised by you, facial features, voice biometrics, signature traits or fingerprint pattern.
- Health data: answers to questions regarding your health status, pre-existing illnesses or ailments, medical histories and reports and other diagnostic tests.
- Data on legal capacity: data about a person’s capacity to act, established in a court judgment.
- Data on special communication needs: data provided by data subjects with a disability to enable accessibility to operational dialogue and management.
> Data observed when contracting and maintaining products and services that are sold to you (in-house or by third parties):
- Contract data: products and services contracted or requested, status as holder, authorised person or representative of the product and service contracted, classification according to the regulations on securities and financial instruments markets (MiFID category), information regarding investments made and their progress, and information on and transactions related to financing operations.
- Basic financial information: current and historical balances of products and services, and payment history for the products and services contracted.
- Third party data seen in statements and payment receipts for sight accounts and payment accounts: information regarding the entries and movements that third party issuers make on your accounts, including the type of transaction, the issuer, the amount and the description appearing on payment receipts and statements of transactions with debit, credit or pre-payment cards.
- Data on whether or not you are a CaixaBank shareholder: whether you hold shares in CaixaBank or not.
- Data on communications with you: data obtained from chats, online bulletin boards, video conferences, telephone calls, or similar media.
- Browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, data obtained while you are browsing our websites or mobile apps and how you browse: browser history (sites visited and clicks on content), device ID, advertising ID, IP address, and version of the app installed.
- Geographical data: when you have authorised access to such data in the app settings, the location data of the businesses where you have used your card and the geolocation data for your mobile device provided by installing and/or using our mobile applications.
> Data obtained (inferred or deduced) from analysing and processing the remainder of the data:
- Data obtained from carrying out other processing provided for in this policy: data obtained from carrying out processing provided for in this policy, which will be set out in detail in the information on the types of processing where the use of this data is applicable.
- Data obtained from drawing up statistical models: we use the results of implementing mathematical models with customer data to fight against fraud, deduce your consumption habits, contract preferences or tendencies, classify clients, comply with our regulatory obligations and manage the operation of your products and/or services.
- Financial-actuarial risk assessment data: Depending on the nature of the product contracted, we estimate your life expectancy, the risk of an accident occurring, whether you will become incapacitated in any way, whether you will retire, lose your job or suffer a serious illness (financial-actuarial risks), using mathematical and statistical models that use personal data.
- Risk assessment or scoring data: in data processing carried out to comply with regulations on the prevention of money laundering and the financing of terrorism, as a joint controller company, we may use the data gathered by other joint controller companies about your capacity for payment or non-payment, or risk limits, based on applying statistical mathematical models.
> Data obtained from publicly available sources, public registries or external sources:
- Data relating to international sanctions: data on persons or bodies that are included in laws, regulations, directives, resolutions, programmes or restrictive measures on international economic/financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, and the Office of Financial Sanctions Implementation (OFSI) of His Majesty’s Treasury (HMT) in the UK, and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
- Demographic and socio-economic data: statistical information that is not linked to specific people but instead to geographical areas, age sectors or professional activity sectors, which we use to relate to customer information.
- Data on property and vehicles associated with your person: data obtained from the Property Registry and Land Registry and basic data on vehicles obtained from the Directorate General for Traffic that we use to supplement the information about your property and vehicles.
- Data on directors, functional positions and company associations: data extracted from the INFORMA database that we use to supplement the information regarding your activity.
- Data on agricultural subsidies and insurance: data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Entity (ENESA).
- Data from other companies when you have given your consent to allow them to share your data with us: data on you processed by other companies with which we have agreements, and which you have authorised to share your information with us.
- Information obtained from publicly available sources and public registries: data provided by publicly available sources and public registries to compare the information you give us during registration, and to maintain and comply with contractual relationships. Additionally, information from Equifax’s Consultations on Bankruptcy Situations, the National Index of Deaths (INDEF), the Register of Insurance Contracts with Death Cover and additional contact data obtained from telephone directories (White Pages, Yellow Pages, Lleida.net) and the INFORMA database to contact our clients if they fail to comply with contractual obligations.
These databases have been legitimated previously to avail of this information.
- Browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, data obtained while you are browsing on third-party websites or mobile apps and how you browse on said pages: browser history (sites visited and clicks on content), device ID, advertising ID, IP address.
- Social media or internet data: data from social media or the internet that you authorise us to consult.
6. How we process your data
We process your data in a variety of ways for different purposes and under different legal bases:
- Consent-based processing
- Processing needed to fulfil contractual relationships
- Processing needed to comply with legal obligations
- Processing based on VidaCaixa’s or CaixaBank Group companies’ legitimate interest.
In addition to the processing set out below, we may carry out specific processing, not included in this policy. This processing may be carried out to fulfil your requests for products or services. We will provide you with detailed information on this processing when you make the specific request.
Table summarising the processing in force
6.1.A. Product and service offer personalisation according to the analysis of your data
- Operational description: Data analysis to generate a commercial profile and personalise offers
- Purpose: Personalise the offer and recommendations
- Legal grounds: Consent
6.1.B. Communication of products and services offers using channels
- Operational description: Send offers (personalised or not) on the chosen channels
- Purpose: Communicate the offer
- Legal grounds: Consent
6.1.C. Transfer of your data to other companies
- Operational description: Disclosure/transfer of data to other companies to send offers
- Purpose: Allow other companies to send you offers
- Legal grounds: Consent
6.2.A. Formalising, maintaining and fulfilling contractual relationships
- Operational description: Register, sign and manage policies/plans (collections, payments, surrenders, transfers, beneficiaries)
- Purpose: Provide the service and manage the contractual relationship
- Legal grounds: Contract performance
6.2.B. Analysis of requirements and needs
- Operational description: Assess convenience/suitability to recommend products
- Purpose: Assess needs and recommend suitable products
- Legal grounds: Contract performance
6.2.C. Analysis of the health condition declaration to assess the data subject’s risk prior to contracting an insurance product
- Operational description: Questionnaires and tests to assess insurance risk
- Purpose: Risk assessment to take out insurance
- Legal grounds: Contract performance
6.3.A. Processing to comply with the regulations on the prevention of money laundering and terrorist financing
- Operational description: Due diligence/KYC, PEP, risk level, real ownership, FTF (Financial Ownership File) operations and reporting.
- Purpose: Compliance with anti-money laundering and terrorism financing obligations
- Legal grounds: Legal obligation
6.3.B. Processing for the purpose of complying with tax legislation
- Operational description: Identify tax residence and reports
- Purpose: Compliance with tax obligations
- Legal grounds: Legal obligation
6.3.C. Processing to comply with obligations arising from international policies on financial sanctions and countermeasures
- Operational description: Consult and check EU and Spanish sanctions lists
- Purpose: Compliance with EU/Spain sanctions
- Legal grounds: Legal obligation
6.3.D. Processing to deal with complaints and claims
- Operational description: Customer service/advocate management, exercise of rights, reporting to oversight authorities and collaboration with the Spanish Data Protection Agency
- Purpose: Deal with claims and comply with obligations
- Legal grounds: Legal obligation
6.3.E. Assessment, selection and rating financial/actuarial risks (including making automated decisions)
- Operational description: Risk assessment and rating, including profiling and ADM
- Purpose: Define selection and rating and conditions
- Legal grounds: Legal obligation
6.3.F. Supervision and internal control
- Operational description: Periodic compliance and risk monitoring of sales/operations
- Purpose: Supervision and internal control
- Legal grounds: Legal obligation
6.3.G. Management of legal requests, demands for information and/or embargoes
- Operational description: Deal with requests from authorities/courts and embargoes
- Purpose: Compliance with legal requirements
- Legal grounds: Legal obligation
6.3.H. Fraud prevention
- Operational description: Analyse operations and access points, prevent cyberattacks; ADM may be blocked and alternative offered in branch
- Purpose: Prevent fraud and protect systems and clients
- Legal grounds: Legal obligation
6.3.I. Financial regulatory reporting
- Operational description: Draft reports for sector and oversight bodies, special categories only exceptionally if absolutely necessary
- Purpose: Compliance with regulatory reporting
- Legal grounds: Legal obligation
6.3.J. Accounting Management
- Operational description: Accounting management and sending information to the oversight body pursuant to regulations
- Purpose: Accounting and associated reporting
- Legal grounds: Legal obligation
6.4.A. Managing the performance of employees, agents and suppliers
- Operational description: Analyse transactions/contracts associated with agents/suppliers to monitor performance
- Purpose: Manage relationships with agents/suppliers by performance
- Legal grounds: Legitimate interest
6.4.B. Preparing management reports and mathematical models
- Operational description: Create and maintain models/algorithms to support other purposes, with anonymisation/pseudonymisation where possible
- Purpose: Improve management and support for processing
- Legal grounds: Legitimate interest
6.4.C. Sending commercial communications based on a basic commercial profile.
- Operational description: Send communications on similar products/services with a basic commercial profile if there are no preferences and no opposition
- Purpose: Marketing/loyalty
- Legal grounds: Legitimate interest
6.4.D. OFSI and OFAC sanctions policies and international financial countermeasures
- Operational description: Check lists from UK/US to operate in these markets
- Purpose: International compliance/operations
- Legal grounds: Legitimate interest
6.4.E. Improving the efficiency of internal processes
- Operational description: Analyse processes, volumes, times, interactions and aggregate data to improve experience and continuity
- Purpose: Process efficiency and optimisation
- Legal grounds: Legitimate interest
6.4.F. Customer surveys
- Operational description: Contact to carry out satisfaction surveys
- Purpose: Improve services and understand satisfaction
- Legal grounds: Legitimate interest
6.4.G. Defence of VidaCaixa’s rights and interests by court or administrative proceedings
- Operational description: Manage court/administrative proceedings and provide documentation
- Purpose: Legal defence and protection
- Legal grounds: Legitimate interest
COINSURANCE. Coinsurance (note associated with 6.2.A)
- Operational description: Exchange of data among co-insurers to manage co-insured policies
- Purpose: Manage co-insured policies
- Legal grounds: Contract performance
6.1 Consent-based processing
The lawful basis for this processing is your consent.
We may have requested this consent via different channels – during the interview when you became a customer in person, through our digital channels, or through one of the CaixaBank Group companies that is joint controller of that specific processing.
If we never asked for your consent, this processing shall not apply to you. You can check the authorisations that you have consented to or rejected, and change your decision at any time, free of charge, at CaixaBank branches, at the CaixaBank website (www.caixabank.es), or mobile applications, and on the websites of any of the companies in the CaixaBank group that are joint processors.
Consent-based processing is shown below in order from (A) to (C). For each type of processing, we will list:
- A description of the purpose.
- Detailed information about the type of data processed
- Information about profiling, if applicable
- Other relevant information about the processing.
Whether the processing is carried out jointly with other CaixaBank Group companies.
A. Product and service offer personalisation according to the analysis of your data
Purpose: If you give us permission, we will use your data to create a commercial profile to deduce your preferences and to offer you the products we have deduced you might be interested in through your banking manager (in person or remotely).
Whether you accept or reject this type of processing, you can always request any of our products or services.
By processing your data, we can make you personalised offers that we believe may interest you more than generic offers.
If you also authorise the Communication of commercial offers through other channels (see point 6.1.B of the Privacy Policy), you will also receive our offers through the channels you indicate.
Data processed: For this type of processing, we will not use data on your ethnic or racial origins, your political opinions, your religious or philosophical beliefs, your union membership, your genetic data, your identifying biometric data, health data or data about your sex life or sexual orientation.
The data that we process for this purpose are:
- Identity and contact data: full name, sex, postal, telephone and e-mail contact information, home address, nationality and date of birth, language for communications, and identity document.
- Professional or employment activity and socio-economic data: your professional activity or employment status, income or remuneration, family unit or circle, level of education, assets, fiscal data and tax data.
- Contract data: products and services contracted or requested (ours or third party), status as holder, authorised person or representative of the product and/or service contracted, classification according to the regulations on securities and financial instruments markets (MiFID category), information regarding investments made and their progress, and information on and movements of financing operations.
- Basic financial data: current and historical balances of products and services, and payment history for the products and services contracted (in-house or from third parties).
- Third-party data seen in statements and payment receipts for sight accounts and payment accounts: information regarding the entries and movements that third party issuers make on your accounts, including the type of transaction, the issuer, the amount and the description appearing on payment receipts and statements of transactions with debit, credit or pre-payment cards.
- Data on whether or not you are a CaixaBank shareholder: whether you hold shares in CaixaBank or not.
- Data on communications with you: data obtained from chats, online bulletin boards, video conferences, telephone calls, or similar media.
- Browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, data obtained while you are browsing our websites or mobile apps and how you browse: browser history (sites visited and clicks on content), device ID, advertising ID, IP address, and version of the app installed.
- Geographical data: when you have authorised access to such data in the app settings, the location data of the businesses where you have used your card and the geolocation data for your mobile device provided by installing and/or using our mobile applications.
- Data obtained from carrying out other processing provided for in this policy: Customer classification data (processing defined in section 6.4.A).
- Data obtained from drawing up statistical models: we use the results of implementing mathematical models with customer data to deduce your consumption habits, contract preferences or tendencies or for customer classification.
- Demographic and socio-economic data: statistical information that is not linked to specific people but instead to geographical areas, age sectors or professional activity sectors, which we use to relate them with customer information.
- Data on property and vehicles associated with your person: data obtained from the property registry and basic data on vehicles obtained from the Directorate General for Traffic that we use to supplement the information regarding your property and vehicles.
- Data on directors, functional positions and company associations: data extracted from the INFORMA database that we use to supplement the information regarding your activity.
- Data on agricultural subsidies and insurance: data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Entity (ENESA).
- Data from other companies when you have given your consent to allow them to share your data with us: data on you processed by other companies with which we have agreements, and which you have authorised to share your information with us.
- Browsing data: if you have accepted the use of cookies and similar technologies on your browsing devices, data obtained while you are browsing on third-party websites or mobile apps and how you browse on said pages: browser history (sites visited and clicks on content), device ID, advertising ID, IP address.
- Social media or internet data: data from social media or the internet that you authorise us to consult.
Use of profiles: We will draw up a commercial profile that we will use solely to personalise your offer of products and services:
- Purpose of the profile: The profile we will make with the information we have on you will allow us to deduce the products and services we believe may interest you and to make you personalised offers instead of generic offers.
- Consequences: If you authorise us to process your data for this purpose, we will use commercial profiles to decide which products or services to offer you. If you do not authorise it, we will not use your information to personalise our commercial offer.
- We will never, under any circumstances, use this profiling to refuse any product or service or to set credit limits. Not accepting this processing does not prevent, limit or condition your access to our full catalogue of products and services, which is always available to you.
- If you ask to take out any product or service, we will assess your request in accordance with our procedures. Accepting or refusing the analysis of your data to personalise our offer of products and services will not affect this assessment.
Not accepting this data processing will also not prevent us from contacting you to manage your products and services.
- Logic: A customer’s profile is created using the data shown in the “data processed” section.
Mathematical formulas obtained from behaviour seen in the past in customers with similar characteristics are applied to these data in order to infer the customer’s future behaviour. These mathematical formulas allow us to calculate the importance of all the data processed in the final result of the applicant’s profile.
The final result is the probability that the customer may be interested in a product or service.
Other relevant information: You will find other important information on this type of processing below:
- Duration of the processing: We will only process your data in this way if you have given your consent to it. Your consent will remain in force until you withdraw it. If you cancel all your products or services with us but forget to withdraw your consent, we will do so automatically.
- Creating management reports and mathematical models: The data processed and those resulting from this processing will also be used to create management reports and mathematical models pursuant to point 6.4.B.
Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing.
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- Nuevo Micro Bank, S.A.U.
- Facilitea Selectplace, S.A., Sociedad Unipersonal
- ImaginersGen, S.A.
- VidaCaixa, S.A.U. de Seguros y Reaseguros
You can see the essential aspects of the joint controller processing agreements at: www.caixabank.es/empresasgrupo
B. Communication of products and services offers using channels
Purpose: You can choose other channels on which you would like us to communicate our offer of products or services, whether personalised or not, depending on what you have indicated in section A above.
If you give us your permission, we will offer you our products and services through the channels you indicate:
- website, app and email
- letter
- telephone.
The data we will use will vary pursuant to the following:
- If you do not allow us to personalise the commercial offer (see section 6.1.A), we will only use your identification and contact data to send you generic offers.
- If you allow us to personalise the commercial offer (see section 6.1.A), we will also use the information from your commercial profile to send you personalised offers.
Data processed: For this type of processing, we will not use data on your ethnic or racial origins, your political opinions, your religious or philosophical beliefs, your union membership, your genetic data, your identifying biometric data, health data or data about your sex life or sexual orientation.
The data that we process for this purpose are:
- Identity and contact data: full name, sex, postal, telephone and e-mail contact information, home address, language for communications.
- Data obtained from carrying out other processing provided for in this policy:
- Data on product and service offer personalisation according to the analysis of your data: If you authorise us to personalise our commercial offer for you (see section 6.1.A of the policy), we will also use the information from your commercial profile to send you personalised offers.
Other relevant information: You will find other important information on this type of processing below:
- Duration of the processing: We will only process your data in this way if you have given your consent to it. Your consent will remain in force until you withdraw it. If you cancel all your products or services with us but forget to withdraw your consent, we will do so automatically.
Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing:
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- Nuevo Micro Bank, S.A.U.
- Facilitea Selectplace, S.A., Sociedad Unipersonal
- ImaginersGen, S.A.
- VidaCaixa, S.A.U. de Seguros y Reaseguros
You can see the essential aspects of the joint controller processing agreements at: www.caixabank.es/empresasgrupo
C. Transfer of your data to other companies
Purpose: If you give us permission, we will transfer your data to other companies so that they can send you commercial offers for their products and services. This data will vary pursuant to the following:
- If you do not allow us to personalise the commercial offer (see section 6.1.A), we will transfer only your identification and contact data to these companies.
- If you allow us to personalise the commercial offer (see section 6.1.A), we will also disclose information from your commercial profile to these companies, as well as information we have deduced about your likelihood for payment or non-payment, or on risk limits.
If you do not give us permission, we will not disclose your data to other companies.
The companies to which we may transfer your data are in the following sectors:
- banking
- investment services
- insurance and reinsurance
- venture capital
- real estate
- roads
- sale and distribution of goods and services,
- consultancy services
- leisure and
- charity/social
Data processed: For this type of processing, we will not use data on your ethnic or racial origins, your political opinions, your religious or philosophical beliefs, your union membership, your genetic data, your identifying biometric data, health data or data about your sex life or sexual orientation.
The data that we process for this purpose are:
- Identity and contact data: full name, sex, postal, telephone and e-mail contact information, home address, nationality and date of birth, language for communications, and identity document.
- Data obtained from carrying out other processing provided for in the policy:
- Data on product and service offer personalisation according to the analysis of your data: If you authorise us to personalise our commercial offer for you (see section 6.1.A), we will also use the information from your commercial profile to send you personalised offers.
Other relevant information: You will find other important information on this type of processing below:
- Assignment information: If we reach an agreement with a company to disclose your data, the company that receives the data will inform you of this disclosure. It will also inform you of the data received and the details of the processing it plans on carrying out.
- Duration of the processing: We will only process your data in this way if you have given your consent to it. Your consent will remain in force until you withdraw it. If you cancel all your products or services with us but forget to withdraw your consent, we will do so automatically.
- Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing:
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- Nuevo Micro Bank, S.A.U.
- Facilitea Selectplace, S.A., Sociedad Unipersonal
- ImaginersGen, S.A.
- VidaCaixa, S.A.U. de Seguros y Reaseguros
You can see the essential aspects of the joint controller processing agreements at: www.caixabank.es/empresasgrupo
6.2 Processing needed to fulfil contractual relationships
This type of data processing is necessary to manage the contracts you request or to which you are a party. It is also used to apply pre-contractual measures, if you so request. We shall do so pursuant to art. 6.1.b) of the General Data Protection Regulation (GDPR).
This processing is necessary so that you can enter into and maintain your contracts with us. If you do not wish us to do this processing, we must end these relationships or you will not be able to enter into a contract if you have not done so yet.
The processing needed to manage your contracts is shown below in order from (A) to (C). For each type of processing we will indicate: the purpose, the type of data processed, information on the use of profiles, other relevant information regarding processing and whether or not the processing is carried out jointly with other CaixaBank Group companies.
A. Formalising, maintaining and fulfilling contractual relationships
Purpose: The purpose of this data processing is to formalise and maintain the contractual relationship between you and VidaCaixa. This means that VidaCaixa will process your data to:
- Manage your requests and orders.
- Carry out formalities before you sign the contract (what is called “precontractual relations”).
- Establish measures to ensure compliance with your contracts with VidaCaixa.
This data processing implies that VidaCaixa will only collect the information it needs to:
- Formalise the relationship with you or manage your request.
- Verify whether the product or service you wish to take out is suitable for you.
- Maintain and perform your contracts correctly.
The processing activities involved in formalising, maintaining and performing contractual relationships are as follows:
- Collecting and recording your data and documents needed to take out the products requested.
- Signing the contracts for products and services.
- Managing the products and services you have taken out with us. This includes the ordinary and operational management of the contract (such as changes to beneficiaries, updating conditions for offers, expanding policies, and product updates), receiving payment for the financial sums arising from the contract, payments of benefits, surrenders or any item arising from performing a contract linked to a product taken out by you, and external transfers and mobilisation of pension plans.
- Additionally, to correctly manage benefits, in certain cases CaixaBank may contact beneficiaries of VidaCaixa products to inform them of the existence of a claim and facilitate the corresponding formalities. Said contact will be made using only the contact data that CaixaBank already has in its possession, as a result of its prior relationship with the beneficiary, without said data being disclosed to VidaCaixa.
- We will also disclose data to different insurance entities among which the cover for the insured risk is distributed (a type of management called “coinsurance”).
Types of data processed:
- Identity and contact data
- Financial data
- Data on your professional or employment activity and socio-economic data
- Contract data
- Data on communications with you
- Data obtained from the use of statistical models
- Data relating to international sanctions
- Information obtained from publicly available sources and public registries
- Health data
- Data on legal capacity
- Biometric data
- Data on the customer’s qualified electronic certificate
Other relevant information:
- Data disclosures: In the scope of employment pension plans and VSWE, we will disclose some of your data to third parties such as actuaries, supervisory commissions, deposit entities, auditors and other figures that are legally authorised for such purpose. In the scope of insurance and welfare products, it is necessary for us to communicate data to supervisors, public authorities and registries, and reinsurance companies.
- Health data processing: When performing any insurance contract, we may process your health data as needed to fulfil the contractual relationship that we have with you.
- Expanding or monitoring commitments, discounts or preferential conditions: if you take out a product or service requiring compliance with particular requirements, we will carry out the data processing needed to verify that you continue to comply with them. Additionally, if there are other co-holders on your accounts, they may find out information on compliance with said requirements indirectly.
- For example, if you take out a product or service that entitles you to access discounts for belonging to a professional group, such as healthcare personnel or security forces, we will check during the term of the contract that you continue to belong to that group. You should keep in mind that if you share accounts with other people, these people may know that you comply with the requirements when they see that the discounts are applied to the account, or that you no longer meet requirements if the discounts are no longer applied.
- Joint control in cases of co-insurance: In cases where the policy taken out is considered to be co-insured, VidaCaixa and the co-insurance companies will act as joint data controllers for processing the personal data needed for the insurance policy. Information relating to the intervening co-insurance companies and the essential aspects of joint control are available to the insurance policyholder in the policy documentation.
Data controller: The data controller for this processing is VidaCaixa.
B. Analysis of requirements and needs
Purpose:
In some cases, before signing a contract, we will need you to provide us with certain information that allows us to assess and evaluate your needs and requirements, to check whether the products or services you want to take out are appropriate (convenient and suitable):
- Your knowledge and experience to decide if you can take out a product or service.
- Financial situation, including your capacity to bear losses.
- Investment targets, including your risk appetite.
The purpose of this evaluation is to offer you information and, as applicable, objective advice before entering into a contract so that you can make your decisions based on sound criteria; we will only recommend those insurance-based investment products that are suitable for you.
Types of data processed:
The types of data we process for this purpose, the content of which is set out under heading 5, are:
- Identity and contact data
- Financial data
- Data on your professional or employment activity and socio-economic data
- Investment preferences
- Data on legal capacity
- Data on communications special needs
Other relevant information:
You will find other important information on this type of processing below.
- Regulatory obligations: This processing is carried out on the basis of the provisions of Royal Decree-Law 3/2020, of 4 February, on urgent measures, which incorporates various European Union directives into the Spanish legal system in the fields of public procurement in certain sectors, private insurance, pension plans and funds, and on tax matters and tax litigation.
Data controller: The data controller for this processing is VidaCaixa.
C. Analysis of the health condition declaration to assess the data subject’s risk prior to contracting an insurance product
Purpose: Find out all of the circumstances that could impact the risk assessment when taking out an insurance product, considering your health condition and lifestyle habits.
You are under the obligation to declare the risk that you intend to insure and, so that you can comply with this duty and VidaCaixa can properly assess your personal circumstances, we may use questionnaires regarding your personal situation, lifestyle and health habits, ask you to have a medical check-up and request statements from you regarding any of these aspects.
Data processed:
The types of data we process for this purpose, the content of which is set out under heading 5, are:
- Identity and contact data
- Financial data
- Data on your professional or employment activity and socio-economic data
- Health data
Other relevant information:
- Health data processing: We will process your health data when this is needed to fulfil the contractual relationship we have with you.
- Regulatory obligations: This processing is carried out based on the provisions of the legislation applicable to these products:
- Law 50/1980, of 8 October, on Insurance Contracts.
- Law 20/2015, of 14 July, on the organisation, supervision and solvency of insurance and reinsurance entities.
Data controller: The data controller for this processing is VidaCaixa.
6.3 Processing needed to comply with legal obligations
This data processing is needed to comply with a legal obligation that applies to us, as provided for in article 6.1.c) of the General Data Protection Regulation (GDPR).
We need to process your data so that you can enter into and maintain your contracts with us. If you do not wish us to do this processing, we must end these relationships or you will not be able to enter into a contract if you have not done so yet.
The processing needed to comply with legal obligations is shown below in order from (A) to (J). For each type of processing we will indicate: a description of the purpose, the type of data processed, information on the use of profiles, other relevant information regarding processing and whether or not the processing is carried out jointly with other CaixaBank Group companies.
A. Processing to comply with the regulations on the prevention of money laundering and terrorist financing
Purpose: Adopt the measures applicable to our activity by law regarding preventing money laundering and terrorist financing.
We will process your data to:
- Collect the information and documentation that enables us to comply with due diligence and know your customer measures.
- Check the information that you give us.
- Verify whether you hold, or have held, posts with public responsibility.
- Assign you a risk level. Depending on this level, the various due diligence measures will be applied to you in accordance with the regulations on preventing money laundering and terrorist financing.
- Analyse the transactions carried out through CaixaBank.
- Verify your relationship with companies and, if necessary, your position of control in their ownership structure.
- Report and update your information in the Financial Ownership File on a monthly basis. This file is the responsibility of the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (SEPBLAC).
Types of data processed:
- Identity and contact data
- Data on your professional or employment activity and socio-economic data
- Contract data
- Basic financial data
- Third party data seen on statements and payment receipts for sight accounts and payment
- Data on communications with you
- Data obtained from carrying out other processing provided for in this policy:
- Data on risk assessment or scoring (processing defined in section 6.2.C).
- Data obtained from the use of statistical models
- Data on directors, functional positions and company associations
- Information obtained from publicly available sources and public registries
Use of profiles: we will create a profile exclusively to apply the measures required of our activity by the regulations on preventing money laundering and terrorist financing.
- Purpose of the profile: Prevent transactions being contracted that are liable to involve money laundering or terrorism financing.
- Consequences: Profiles are tools that help us determine whether our customers’ transactions are likely to involve money laundering or terrorism financing. This allows us to decide whether to accept the transaction or not.
Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing.
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- VidaCaixa, S.A. de Seguros y Reaseguros
- BPI Vida e Pensões – Companhia de Seguros, S.A.
- Nuevo Micro Bank, S.A.U.
- CaixaBank Asset Management SGIIC, S.A.U.
- Buildingcenter, S.A.U.
- Livingcenter Activos Inmobiliarios, S.A.U.
- Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
- VidaCaixa Wealth Management Luxembourg, S.A.
- VidaCaixa Asset Management Luxembourg, S.A.
- BPI Gestão de Ativos, SGOIC, S.A.
- Banco BPI, S.A.
- Bankia Habitat, S.L.U.
- Puerto Triana, S.A.U.
You can see the essential aspects of the joint controller processing agreements at: www.CaixaBank.es/empresasgrupo.
B. Processing for the purpose of complying with tax legislation
Purpose: Adopt the measures imposed by tax regulations applicable to our activity. We have the obligation to identify the tax residency of the persons who are holders or who have control over certain financial accounts. We must also provide information on these accounts as part of mutual assistance. For this reason, VidaCaixa will process your data to:
- Collect information and documentation relating to your taxation as provided for in the tax regulations.
- Report data relating to your taxation to public authorities, where this is provided for in the regulations or required by the authorities.
Types of data processed:
- Identity and contact data
- Data on your professional or employment activity and socio-economic data
- Contract data
- Basic financial data
Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing:
- CaixaBank, S.A.
- VidaCaixa, S.A. de Seguros y Reaseguros
- Nuevo Micro Bank, S.A.U.
- CaixaBank Asset Management SGIIC, S.A.U.
You can see the essential aspects of the joint controller processing agreements at: www.CaixaBank.es/empresasgrupo.
C. Processing to comply with obligations arising from international policies on financial sanctions and countermeasures
Purpose: To adopt the measures imposed on our activity in the programmes on sanctions and financial countermeasures of the European Union and the Kingdom of Spain.
To comply with these measures, VidaCaixa will verify whether you are on a list of persons or entities included in these sanctions programmes.
Types of data processed:
- Identity and contact data
- Data relating to international sanctions
Other relevant information: The international financial sanctions programmes that VidaCaixa will check are those adopted by:
- The Office of Financial Sanctions Implementation (OFSI) of His Majesty’s Treasury (HMT) of the United Kingdom
- The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on the basis of our legitimate interest, as set out in section 6.4.H.
Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing:
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- VidaCaixa, S.A. de Seguros y Reaseguros
- Nuevo Micro Bank, S.A.U.
- CaixaBank Asset Management SGIIC, S.A.U.
- CaixaBank Equipment Finance, S.A.U.
- Buildingcenter, S.A.U.
- Livingcenter Activos Inmobiliarios, S.A.U.
- Puerto Triana, S.A.
- Bankia Habitat, S.L.U.
- Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
- Banco BPI, S.A.
- BPI Gestão de Ativos, SGOIC, S.A.
- CaixaBank Wealth Management Luxembourg, S.A.
- CaixaBank Asset Management Luxembourg, S.A.
- OpenWealth, S.A.U.
You can see the essential aspects of the joint controller processing agreements at: www.caixabank.es/empresasgrupo
D. Processing to deal with complaints and claims
Purpose: To attend to the queries and claims addressed to VidaCaixa in accordance with the regulations that apply to us as an insurance company, which are listed in section 1 of this document, and which oblige us to have customer service available to our customers and users.
Data protection regulations also oblige us to respond to the claims that you may file with our Data Protection Officer and to manage requests to exercise your personal data rights.
For this reason, VidaCaixa will process your data to:
- Receive your complaints and claims at our Customer Care Service and those addressed to the Member or Associate Advocate.
- Respond to you within established timeframes.
- Attend to the requests to exercise your personal data rights and the queries you make to the VidaCaixa Data Protection Officer.
- Report your data to our sector supervisory body, the General Directorate of Insurance and Pension Funds or, where appropriate, the Basque Country Government.
- Collaborate with supervisory authorities such as the Spanish Data Protection Agency.
Types of data processed:
- Identity and contact data
- Data on professional or employment activity and socio-economic data
- Data on legal capacity
- Data on communications special needs
- Contract data
- Basic financial data
- Data on communications with you
- Third party data seen on statements and payment receipts for sight accounts and payment
- Browsing data
- Health data
Other relevant information:
- Data disclosures: We share your personal data with the Member or Associate Advocate and with the supervisory authorities so that they can resolve the files/claims that correspond to them.
- Health data processing: We may process your health data when this is needed to fulfil our contractual relationship.
Data controller: The data controller for this processing is VidaCaixa.
E. Assessment, selection and rating financial/actuarial risks (including making automated decisions)
Purpose: Define VidaCaixa’s risk selection and rating policy. To that end, we must assess the risk we assume when you take out new insurance contracts or with your current contracts.
Use of profiles and automated decisions: We will make a profile to perform an ongoing assessment of the risk we assume; we will only use this profile in our relationship with you.
- Purpose of the profile: The profile we will make with your information allows us to offer you personalised contract conditions and rates.
- Consequences: We will never use it to deny you any product or service, nor to apply a higher price than that which corresponds to the ordinary process. You can request to voluntarily complete a health questionnaire or undergo medical tests to assess your risk.
- Logic: The profile is created using the data indicated in the “Types of data processed” section.
Types of data processed:
- Identity and contact data
- Data on professional or employment activity and socio-economic data
- Basic financial data
- Data on communications with you.
- Data observed when contracting and maintaining products and services that are sold to you.
- Data obtained from the use of statistical models.
- Data relating to international sanctions.
- Information obtained from publicly available sources and public registries.
- Health data.
Other relevant information:
- Health data processing: We may process your health data when these are needed to comply with legislation regulating the insurance business.
- Regulatory obligations: This processing is carried out based on the provisions of the legislation applicable to these products:
- Law 20/2015, of 14 July, on the organisation, supervision and solvency of insurance and reinsurance entities.
Data controller: The data controller for this processing is VidaCaixa.
F. Supervision and internal control
Purpose: Internally oversee our activity. This oversight is carried out to verify whether we comply with regulations on corporate governance and risk management.
We carry out periodic controls to check that we are complying with regulations and internal procedures. We do this in order to mitigate the risks inherent to marketing and selling our products and services. It is also to mitigate the risks of our usual operations.
Types of data processed:
- Identity and contact data
- Data on your professional or employment activity and socio-economic data
- Data on legal capacity
- Data on communications special needs
- Sensitive data relating to situations of vulnerability
- Contract data
- Basic financial data
- Third party data seen on statements and payment receipts for sight accounts and payment
- Data on whether or not you are a CaixaBank shareholder
- Data on communications with you
- Browsing data
- Geographical data
- Data obtained from carrying out other processing provided for in this policy
- Data obtained from the use of statistical models
- Data obtained from publicly available sources or external sources
- Third party browsing data
Data controller: The data controller for this processing is VidaCaixa.
G. Management of legal requests, demands for information and/or embargoes
Purpose: Respond to information requests or embargoes related to one of our customers. These requests are sent to VidaCaixa by governments, authorities, police forces or courts.
Types of data processed:
- Identity and contact data
- Data on your professional or employment activity and socio-economic data
- Contract data
- Basic financial data
- Third party data seen on statements and payment receipts for sight accounts and payment.
- Other: Beneficial owner
Data controller: The data controller for this processing is VidaCaixa.
H. Fraud prevention
- Purpose: Adopt the necessary measures to prevent malicious transactions or behaviours before they can be carried out. Its aim is also to revert their effects if they do take place by reporting potentially fraudulent transactions or behaviours to VidaCaixa or to its customers.
We will process your data to:
- Verify customers’ identity to prevent fraudulent access to information or transactions.
- Review and analyse the contracts and transactions carried out in our systems to protect our customers from fraud on any channel and to prevent cyberattacks.
- Types of data processed:
- Identity and contact data
- Data on your professional or employment activity and socio-economic data
- Contract data
- Basic financial data
- Data observed when contracting and maintaining products and services that are sold to you
- Data on communications with you
- Data relating to international sanctions
- Information obtained from publicly available sources and public registries Data obtained from carrying out other processing provided for in this policy:
- Health data
Use of profiles: we will make a profile with data from your usual transactions and activities. We will use this profile exclusively to identify unusual situations that could indicate attempted fraud.
- Purpose of the profile: The purpose of the profile is to identify activities that are unusual or that are outside your behaviour profile. They could indicate attempted fraud or fraudulent access to information.
- Consequences: In the event you are informed that a transaction cannot be carried out as there are indications of fraud, this will not prevent you from providing additional information or documentation that will help us to reassess your case and eventually discount fraudulent intent.
Other relevant information:
- Automated decisions: To prevent fraud, we will use automated processing to try to detect fraudulent transactions.
- Regulatory obligations: This processing is carried out based on the provisions of the legislation applicable to these products:
- Law 20/2015, of 14 July, on the organisation, supervision and solvency of insurance and reinsurance entities.
Data controller: The data controller for this processing is VidaCaixa
I. Financial regulatory reporting
Purpose: To draft reports on VidaCaixa’s activity as an insurance company. These reports are send to the bodies and authorities that supervise our activity.
To that end, we must process personal data and send information to different regulatory and supervisory bodies, in accordance with the specific norms that each one establishes. These bodies include ICEA, UNESPA, INVERSO, INE and EIOPA.
Types of data processed:
- Identity and contact data
- Data on your professional or employment activity and socio-economic data
- Data on legal capacity
- Contract data
- Basic financial data
- Third party data seen on statements and payment receipts for sight accounts and payment
- Data obtained from carrying out other processing provided for in this policy
- Data obtained from the use of statistical models
- Data obtained from publicly available sources or external sources
- Special category data, exceptionally and strictly limited in nature, linked to protected contingencies, where they are essential to recognise or calculate benefits or to fulfil supervisory requirements.
Data controller: The data controller for this processing is VidaCaixa.
J. Accounting Management
Purpose: Manage VidaCaixa's accounting. To comply with this obligation, we need to process some personal data and send information to regulatory and supervisory bodies, including the General Directorate of Insurance and Pension Funds (DGSFP), in accordance with current regulations.
Types of data processed:
- Identification data
- Contract data
Data controller: The data controller for this processing is VidaCaixa.
6.4 Processing based on VidaCaixa’s legitimate interest
This type of processing is carried out to pursue the legitimate interests of VidaCaixa or a third party. We will carry out this type of processing provided that our interests do not take precedence over your interests or your fundamental rights and freedoms, pursuant to art. 6.1.f) of the General Data Protection Regulation (GDPR).
Before carrying out this processing, we will weigh up your rights and our legitimate interest. We will only carry out the processing in those cases where our interest prevails over your rights and freedoms. You can view the analysis weighed against the legitimate interest of processing at any time by sending your query to the following email address [email protected].
Remember that you can oppose processing carried out for our legitimate interest. If you believe that VidaCaixa should consider a personal situation or reason for no longer processing your data, you can request this easily and free of charge on the channels mentioned in section 4.
This processing is set out below in order from (A) to (G). For each type of processing we will indicate: VidaCaixa’s legitimate interest, a description of the purpose, the types of data processed, information about the use of profiles, if applicable, other information about the processing
and whether the processing is carried out jointly with other CaixaBank Group companies.
A. Managing the performance of employees, agents and suppliers
VidaCaixa’s legitimate interest: Manage our relationships with agents and suppliers based on their professional performance.
Purpose: To monitor agents’ and suppliers’ professional performance, objectives and challenges by analysing the transactions and contracts they have with customers.
Types of data processed:
- Identity and contact data
- Contract data
- Basic financial data
Other relevant information:
- Right to object: If you believe that VidaCaixa should stop using your data for a personal reason, you may request this easily and free of charge through the channels mentioned in section 4.
- Ancillary use of customer data: In this process, customer data is processed, but only in an ancillary fashion to the aim pursued. This does not affect the customer or have consequences for them.
Data controller: The data controller for this processing is VidaCaixa.
B. Preparing management reports and mathematical models
Legitimate interest: To organise and improve our business activity in the most efficient way possible. To that end, we need to create mathematical algorithms that help us analyse information in an advanced fashion.
Purpose: Create and maintain statistical and mathematical algorithms and models. These can be used to perform complex calculations and analyses that allow us to apply the processing described in this policy.
Types of data: We use the data that have already been identified under each type of processing. Whenever possible, we apply techniques so that the data cannot be associated with a person (anonymisation or pseudonymisation). Consequently, we guarantee that the processing does not affect the data subjects’ rights and that the results are mathematical formulas or algorithms.
Other important information:
- Right to object: If you believe that VidaCaixa should stop using your data for a personal reason, you may request this easily and free of charge through the channels mentioned in section 4
- Ancillary data processing: The purpose is not to process customer data individually. This is a necessary secondary type of processing to create mathematical formulas. For that reason, we use anonymisation techniques and the minimum amount of information necessary. This processing does not have individual consequences for customers.
Data controller: When the mathematical models are based on processing carried out under this policy by VidaCaixa, the data controller is VidaCaixa. If the processing is carried out with joint controllers, the same system as the original processing will be applied. You can view the list of joint data controller companies and the agreements at https://https://www.caixabank.es/empresasgrupo" rel="noopener noreferrer" target="_blank">www.caixabank.es/empresasgrupo.
C. Commercial communications based on a basic commercial profile
We will only do this processing of your data if:
- You haven't stated your preferences for commercial processing described in sections 6.1.A., 6.1.B. and 6.1.C.
- You have not objected to the processing.
VidaCaixa's legitimate interest: To drive sales of the products and services in our portfolio and earn our customers’ loyalty.
Purpose: To provide you with commercial communications on products and services similar to the ones you have taken out with us. We will do this based on a basic commercial profile we will create with your data.
Types of data processed:
- Identity and contact data
- Data on your professional or employment activity and socio-economic data
- Contract data: products and services contracted or requested, status as holder, authorised person or representative of the product and service contracted, classification according to the regulations on securities and financial instruments markets (MiFID category), information regarding investments made and their progress, and information on and transactions related to financing operations.
- Basic financial data
- Data on communications with you: data obtained from chats, online bulletin boards, video conferences, telephone calls, or similar media.
Other relevant information:
- Duration of the processing: The processing will be carried out until you cease to be a VidaCaixa customer, for a maximum of 13 months after termination of the relationship, or beforehand if (ii) you exercise your right to objection at any time, or (iii) you have refused to receive any kind of commercial communication.
Data controller: The data controller for this processing is VidaCaixa.
D. OFSI and OFAC sanctions policies and international financial countermeasures
Legitimate interest: VidaCaixa and the joint controllers mentioned in this section need to process your data to comply with international regulations on sanctions and financial measures implemented by the United States and United Kingdom. This is necessary to be able to operate in and do business with these countries.
Purpose: To comply with the regulations on sanctions and financial controls required by the authorities in the United Kingdom and United States.
To comply with these regulations, the joint data controller companies will check whether your name is on a list of persons or entities with restrictions imposed by the United States and United Kingdom.
Types of data processed:
- Identity and contact data.
- Data relating to international sanctions.
Other relevant information:
- Right to object: If you believe that VidaCaixa should consider a personal situation or reason for no longer processing your data, you can request this easily and free of charge on the channels indicated in section 4.
Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing:
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- VidaCaixa, S.A. de seguros y reaseguros.
- Nuevo Micro Bank, S.A.U.
- CaixaBank Asset Management SGIIC, S.A.U.
- CaixaBank Equipment Finance, S.A.U.
- Buildingcenter, S.A.U.
- Livingcenter Activos Inmobiliarios, S.A.U.
- Puerto Triana, S.A.
- Bankia Habitat, S.L.U.
- Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
- Banco BPI, S.A.
- BPI Gestão de Ativos, SGOIC, S.A.
- CaixaBank Wealth Management Luxembourg, S.A.
- CaixaBank Asset Management Luxembourg, S.A
- OpenWealth, S.A.U.
You can see the essential aspects of the joint controller processing agreements at: www.caixabank.es/empresasgrupo
E. Improving the efficiency of internal processes
VidaCaixa’s legitimate interest: Manage processes efficiently to optimise them as much as possible. By doing so, we will achieve a higher level of service quality and improve business continuity.
Purpose: To review internal processes. We will analyse and identify process volumes, processing times and customer interactions with our systems. As a result, we will obtain aggregate data that will help us improve these internal processes and customer experience.
Types of data processed:
- Identity and contact data
- Contract data
- Basic financial data
- Third party data seen on statements and payment receipts for sight accounts and payment
- Data on communications with you
- Browsing data
- Data obtained from carrying out other processing
- Data obtained from the use of statistical models
- Data obtained from publicly available sources or external sources
- Third party browsing data
Other important information:
- Right to object: If you believe that VidaCaixa should stop using your data for a personal reason, you may request this easily and free of charge through the channels indicated in section 4.
Data controller: The data controller for this processing is VidaCaixa.
F. Customer surveys
VidaCaixa’s legitimate interest: Find out our customers’ degree of satisfaction. This allows us to improve the products and services we offer our customers, thereby guaranteeing a suitable experience that meets their expectations.
Purpose: To carry out surveys of our customers to find out their degree of satisfaction with our services and, if necessary, improve internal processes.
Types of data processed:
- Identity and contact data.
- Contract data
- Data on communications with the data subject.
Other relevant information:
- Right to object: You can object to this processing on the channels indicated in section 4. If you object to this processing, we will stop this processing without you having to give us a reason.
- Duration of the processing: In the event that you object to this processing, we will stop this type of processing, without any other additional requirement.
Data controller: The data controller for this processing is VidaCaixa.
G. Defence of VidaCaixa’s rights and interests by court or administrative proceedings
VidaCaixa’s legitimate interest: Defence of VidaCaixa’s rights and interests by court or administrative proceedings. VidaCaixa exercises its right to effective legal protection.
Purpose: To manage the administrative or legal proceedings in which VidaCaixa is the petitioner or respondent.
Types of data processed: The data types we process for this purpose are as follows:
- Identity and contact data
- Data on your professional or employment activity and socio-economic data
- Data on legal capacity and special communication needs
- Contract data
- Basic financial data
- Data on communications with the data subject
- Information obtained from publicly available sources and registries
- Health data
Other relevant information: You will find other important information on this type of processing below:
- Right to object to processing: If you believe that VidaCaixa should take into account any particular situation or other reasons that justify us stopping data processing, you can request this easily and free of charge using the channels indicated under heading 4.
Data controller: The data controller for this processing is VidaCaixa.
7. Recipients of the data
Data controller and joint data controllers
The data we process due to the fact that you are a VidaCaixa customer is processed by VidaCaixa. If the processing is joint, it is carried out by companies in the CaixaBank Group, in accordance with our explanations for each type of processing.
Authorities or official bodies
We may be obliged to provide information on the transactions we carry out to official organisations from other countries. These may be countries located inside or outside of the European Union. We do this to comply with regulations to prevent money laundering and terrorism financing, as well as in the framework of compliance with the insurance sector regulations mentioned above. Additionally, with respect to insurance with death cover, VidaCaixa, in its capacity as insurer, must also notify a public registry legally constituted for that purpose (Law 20/2005, of 14 November, on the creation of the Death Cover Insurance Policy Register) of its existence and basic information.
We are obliged to make and send reports on our activity to regulatory and supervisory bodies. We are also obliged to send the accounting information required by regulations.
Data communication when outsourcing services
We occasionally use service providers with potential access to personal data.
These providers have the appropriate safeguards for data processing. They are selected responsibly by VidaCaixa. Additionally, they must meet specific requirements if the service involves data processing.
Furthermore, VidaCaixa has mechanisms so that suppliers guarantee compliance with data protection regulations. Suppliers must also comply with VidaCaixa’s corporate principles approved by the Board of Directors and mentioned in section 1 of this Policy.
The types of services that we may entrust to service providers are as follows:
>Back office financial services
>Administrative support services
>Audit and consultancy services
>Legal and asset and debt recovery services>Payment services
>Marketing and publicity services
>Questionnaire services
>Call centre services
>Logistics services
>Physical security services
>IT services (systems and information security, cybersecurity, IT systems, architecture, hosting and data processing)
>Telecommunications services (voice and data)
>Printing, packing, postal and courier services
>Information custody and destruction services (digital and hard copy)
>Buildings, installations and equipment maintenance services
8. Time frames for retaining the data
Retention to maintain contractual relationships
We will use your data while the contractual relationships we have set up last.
Retention of authorisations for processing based on consent or legitimate interest
We will process your data based on your consent until you withdraw it. If you cancel all your contracts for products and services with the companies in the CaixaBank Group, but do not revoke the consents you gave us at the time, we will automatically void them from when you cease to be a customer. We will process your data based on our legitimate interest. If you do not agree to this, you can object to it and we will no longer process your data for this purpose after we accept your objection.
Retention to comply with legal obligations and making, exercising and defending claims
Once your contractual relationship with us ends, we will only retain your data to comply with legal obligations. We will also retain your data to respond to possible claims during the term of the statute of limitations for the actions you make take.
We will apply technical and organisational measures to ensure that they are only used for these purposes.
Destruction of data
We will destroy your data when the statutes of limitations run out on the actions that may be taken pursuant to our contractual relationships.
9. Data transfers outside the European Economic Area
At VidaCaixa we process your data and hire service providers within the European Economic Area or in countries with an adequate level of personal data protection.
If we need suppliers who process data outside of the two cases mentioned above, we will ensure that they do so securely and legitimately.
To that end, we require appropriate safeguards as set out in data protection regulations. That is, they must have binding corporate rules that guarantee the same protection as the European Economic Area or use the European Union’s standard contractual clauses. You can request a copy of these safeguards at www.VidaCaixa.com/delegadoprotecciondedatos.
10. Automated decisions
Automated decisions are based solely on the automated processing of your data (without human intervention) and can have legal effects for you or significantly impact you.
We informed you of the processing that includes automated decisions in section 6 of this Policy.
Additionally, if during our contractual relationship we were to use automated decisions (for example, reject you from taking out a specific product), we will notify you in the contract documentation for the product or service that you requested, as well as explain the logic behind the decision.
Furthermore, at that time, we will facilitate your right to obtain human intervention, express your point of view and challenge the decision.
11. Revision
We will revise this Privacy Policy as necessary to keep you informed, for example, when new regulations or criteria are published or when we carry out new types of processing.
Whenever there are important changes to this privacy policy, we will inform you on the usual channels.
VidacaixaForm New
Subscribe to our newsletter
You will learn to enjoy the future without worries.