Data protection

Treatment of personal data of VidaCaixa customers

1. How we process your personal data

In order to manage your relationship with us, VidaCaixa and other CaixaBank Group entities will have access to and process your personal data for various purposes, always in accordance with the provisions of current regulations, and with respect for your rights and complete transparency.

Therefore, you can see the full details of how we use your data in the relationship we have with you in this document, which you can consult at www.vidacaixa.es/en/privacy, at any time. Furthermore, if you wish, you can request a hard copy of this information at any CaixaBank branch.

The main legislation regulating our business and our processing of your personal data is as follows:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repealed Directive 95/46/EC (hereinafter the GDPR).
  • Delegated Regulation (EU) 2015/35 of the Commission, of 10 October 2014, completing Directive 2009/138/EC, and European Community regulations implementing Solvency II (hereinafter, the Solvency II Regulation).
  • Regulation (EU) 1286/2014, of 26 November 2014, on key information documents for packaged retail and insurance-based investment products (hereinafter, the KID Regulation).
  • Directive (EU) 2016/97, of 20 January 2016, on insurance distribution (hereinafter, IDD).
  • Organic Law 3/2018, of 5 December, on Personal Data Protection and the guarantee of digital rights (hereinafter, the LOPDGDD).
  • Law 50/1980, of 8 October, on Insurance Contracts (hereinafter, the LCS).
  • Law 20/2015, of 14 July, on the organisation, supervision and solvency of insurance and reinsurance entities (hereinafter, the LOSSEAR).
  • Law 5/2012, of 23 February, on Voluntary Social Welfare Entities (hereinafter, the VSWE Act).
  • Royal Legislative Decree 1/2002, of 29 November, approving the consolidated text of the Pension Plans and Funds Regulation Act (hereinafter, the Pension Plans and Funds Act).
  • Royal Decree-Law 3/2020, of 4 February, on urgent measures, which incorporates various European Union directives into the Spanish legal system in the fields of public procurement in certain sectors, private insurance, pension plans and funds, and on tax matters and tax litigation (hereinafter, the IDD Transposition).
  • Royal Decree 1060/2015, of 20 November, on the organisation, supervision and solvency of insurance and reinsurance entities (hereinafter, the ROSSEAR).
  • Royal Decree 304/2004, of 20 February, approving the Pension Plans and Funds Regulations (hereinafter, the Pension Plans and Funds Regulations).
  • Decree 203/2015, of 27 October, approving the Regulations for Law 5/2012, of 23 February, on Voluntary Social Welfare Entities (hereinafter, the VSWE Regulations).

2. Who processes your data

Data controller: The data controller of your personal data in your contractual and business relationships with us (“Contractual Relationships”) is VidaCaixa, S.A.U de Seguros y Reaseguros (hereinafter, “VidaCaixa”) with Tax ID Number A-58333261 and its registered office at Paseo de la Castellana 52, planta 1º, 28046 Madrid (Spain).

Joint data controllers: In addition, for certain processes which we will tell you about in detail below, VidaCaixa will jointly process your data with other CaixaBank Group companies, and jointly decide the purposes (“what the data are used for”) and the media used (“how the data are used”), and as such are joint controllers of this processing.

The processing for which VidaCaixa processes the data as data controller, on its own or jointly with other CaixaBank Group companies, as joint data controllers, is identified and described in detail in heading 6 “How we process your data”. Furthermore, you can see the list of companies processing your data and essential aspects of the joint processing agreements at: www.caixabank.es/empresasgrupo.

3. Data Protection Officer

VidaCaixa and the CaixaBank group companies have appointed a Data Protection Officer, who will attend to you to answer any query relating to the processing of your personal data and the exercise of your rights.

You can contact the Data Protection Officer to send in your suggestions, enquiries, queries or claims at the following address: www.caixabank.com/delegadoprotecciondedatos.

4. Exercise of rights and submission of claims to the Spanish Data Protection Agency (AEPD)

You can exercise your rights of access, rectification, objection, deletion, limitation and portability of your personal data, as well as your rights to withdraw your consent and not to be subject to automated decisions, in accordance with the law.

You can find specific information regarding each of the rights here: www.aepd.es/es/derechos-y-deberes/conoce-tus-derechos

You can ask to exercise these rights via any of the following channels:

  • at CaixaBank branches that are open to the public;
  • using the options available on your CaixaBank online banking and on our mobile apps;
  • at the URL https://www.vidacaixa.es/privacidad
  • by writing to the following address: Paseo de la Castellana, No 51, Madrid, post code 28046.

In addition, if you have any claim arising from processing your data, you can address it to the Spanish Data Protection Agency (www.aepd.es).

5. Data processed

For the processing that we are explaining in this document, the data set out below will be used:

Not all the data about which we are informing you are used for all the data processing. Heading 6, where we list the data processing that we carry out, is where you can specifically see the type of data processed during each kind of processing.

In the case of consent-based processing, we also inform you of the details of the specific data used.

The types and details of data used in the various types of processing set out under heading 6 are as follows:

> Data you provided us with when signing up for your contracts, or during your relationship with us, our agents, pension plan or VSWE promoters, or insurance policyholders during interviews or on forms. These are the types of data and details of the data:

  • Identity and contact data: full name, gender, postal, telephone and e-mail contact information, home address, nationality and date of birth, language for communications and identity document.
  • Professional or employment activity and socio-economic data: your professional activity or employment, income or remuneration, family unit or circle, level of education, assets, fiscal data and tax data.
  • Biometric data: face profile, voice biometrics or fingerprints.
  • Health data: answers to questions regarding your state of health, pre-existing illnesses or ailments, medical histories and reports and other diagnostic tests.
  • Data on legal capacity and special communications needs: data on a person's power to act, established in a court ruling, and data provided by disabled data subjects to permit accessible dialogue and operational management.

> Data observed when contracting and maintaining products and services that are sold to you (in-house or by third parties). These are the types of data and details of the data:

  • Contract data: products and services contracted or requested, status as holder, authorised person or representative of the product and service contracted, classification according to the regulations on insurance, pension plans, voluntary social welfare entities, securities and financial instruments markets (MiFID category), information regarding investments made and their progress, and information on and movements of financing operations.
  • Basic financial information: current and historical balances of products and services, and payment history for the products and services contracted.
  • Third party data seen in statements and payment receipts for sight accounts and payment accounts: information regarding the entries and movements that third party issuers make on your accounts, including the type of transaction, the issuer, the amount and the description appearing on payment receipts and statements of transactions with debit, credit or pre-payment cards.
  • Data on whether or not you are a CaixaBank shareholder: whether you hold shares in CaixaBank or not.
  • Data on communications with you: data obtained from chats, online bulletin boards, video conferences, telephone calls, or similar media.
  • Browsing data: data obtained while you are browsing our web sites or mobile apps and where you browse: browser history (sites visited and clicks on content, device ID, advertising ID, IP address), if you have accepted the use of cookies and similar technology on your browser devices.
  • Geographical data: data on the location of the businesses where you use your card and geopositioning data from your mobile device provided by the installation and/or use of our mobile apps, where you have authorised this in the set up of the app itself.

> Data inferred or deduced from analysing and processing the remainder of the data. These are the types of data and details of the data:

  • Data obtained from drawing up statistical models: we use the results of implementing mathematical models using customer data to fight against fraud, deduce their consumption habits, contract preferences or propensities, while complying with our regulatory obligations and managing the operation of your products and/or services.
  • Financial-actuarial risk assessment data: Depending on the nature of the product contracted, we estimate your life expectancy, the risk of an accident occurring, whether you will become incapacitated in any way, whether you will retire, lose your job or suffer a serious illness (financial-actuarial risks), using mathematical and statistical models that use personal data.
  • Risk assessment or scoring data: in financing operations or payment in instalments, we deduce your capacity for payment or non-payment, or the risk limits, using statistical mathematical models calculated using your data.

> Data obtained from publicly available sources, public registries or external sources. These are the types of data and details of the data:

  • Credit information systems data: the result of consulting Asnet and Bedexcug credit information files, which provide information on debts, capital solvency and credit (debtor, creditor and debt).
  • Equifax RISK SCORE data: In financing operations or payment in instalments, we use the result provided by this system to assess non-payment positions at 12 months, calculated by using statistical and mathematical models from your National ID document, residential post code and your data on credit information systems.
  • CIRBE data: we check whether you have risks (financing) with other entities. We obtain these data from the Bank of Spain Risk Information Centre (CIRBE).
  • Social Security General Treasury data: data obtained from the Social Security General Treasury relating to the type of employment (self-employed or employee) and its NACE code.
  • Data relating to international sanctions: data on persons or bodies that are included in laws, regulations, directives, resolutions, programmes or restrictive measures on international economic/financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, and the Office of Financial Sanctions Implementation (OFSI) of Her Majesty's Treasury (HMT) in the UK, and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).
  • Demographic and socio-economic data: statistical information that is not linked to specific people but instead to geographical areas, age sectors or professional activity sectors, which we use to relate them with customer information.
  • Data on property and vehicles associated with your person: data obtained from the property registry and basic data on vehicles obtained from the Directorate General for Traffic that we use to supplement the information regarding your property and vehicles.
  • Data on directors, functional positions and company associations: data extracted from the INFORMA database that we use to supplement the information regarding your activity.
  • Data on agricultural subsidies and insurance: data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Entity (ENESA).
  • Data from other companies to which you have given your consent to their sharing data with us: data on you processed by other companies with which we have agreements, and those you have authorised to share your information with us.
  • Information obtained from publicly available sources and public registries: data provided by publicly available sources and public registries to compare the information that you give us when entering into, maintaining and performing the contractual relationships; information from the Equifax bankruptcy proceedings consultation file, INDEF; the Register of insurance policies with death cover, and additional contact information obtained from telephone directories (White Pages, Yellow Pages, Lleida.net) and the INFORMA database, in order to contact our customers in the event of a breach of contractual obligations.
  • Browsing data: data obtained from your browsing third-party web sites or mobile apps and where you browse: browser history (sites visited and clicks on content, device ID, advertising ID, IP address), if you have accepted the use of cookies and similar technology on your browser devices.
  • Social media or internet data: data from social media or the internet that you authorise us to consult.

6. How we process your data: purposes, legal bases and personal data we process

We process your data in a variety of ways for different purposes and under different legal bases:

  • Consent-based processing.
  • Processing needed to fulfil contractual relationships.
  • Processing needed to comply with legal obligations.
  • Processing based on VidaCaixa’s legitimate interest.

In addition to the general processing set out below, we can carry out specific processing, not included in this policy, arising from your requests for products and services. We will give you detailed information regarding this processing when the specific request is dealt with.

6.1 CONSENT-BASED PROCESSING

This processing has your consent as its legal basis, as provided for in article 6.1.a) of the General Data Protection Regulation (GDPR).

We may have requested this consent via different channels, for example, during the interview when you became a customer, via your CaixaBank manager or the electronic channels of one of the CaixaBank Group companies that is joint controller of that specific processing.

If, for any reason, we never asked for your consent, this processing will not be carried out.

You can check the authorisations you have given or refused us and change your decision at any time, free-of-charge, at CaixaBank branches, on the VidaCaixa website (https://www.vidacaixa.es/privacidad) and on the web site or mobile apps available for each one of the companies that are joint controllers of that specific processing.

Consent-based processes are shown below in order from (A) to (C). For each of them, we give a description of the purpose (Purpose), details of the data processed (Data processed), if applicable, information on the use of profiles (Use of Profiles), other information needed regarding processing (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data Controller/Data controller).

In the event that you have given your consent to your data being processed for commercial purposes, not to CaixaBank but to Bankia, prior to its merger with CaixaBank, the A, B and C processing shown below will be carried out in accordance with the preferences you indicated to Bankia at the time.

Specifically, the processing described in paragraphs A and B below will only be carried out by CaixaBank group companies as joint controllers, if you consented to the communication of data between Bankia (now CaixaBank) group companies.

A. Product offer personalisation according to the analysis of your data

Purpose: If we have your consent, we will use the data shown below to draw up a commercial profile on you which allows us to deduce your preferences or needs, in order to offer you, via your manager, the products and services sold by joint controller companies that we believe may interest you, depending on the preferences and needs deduced.

By processing your data in this way, we can make you personalised offers that we believe may interest you more than generic offers.

Data processed: For this processing, we do not use data that contain information disclosing your ethnic or racial origin, your political opinion, your religious or philosophical beliefs, your union membership, genetic or biometric data aimed at unequivocally identifying you, or data relating to your sex life or sexual orientation.

The data that we process for this purpose are:

  • Identity and contact data: full name, gender, postal, telephone and e-mail contact information, home address, nationality and date of birth, language for communications, and identity document.
  • Data on your professional activity or employment and socio-economic data: professional activity or employment, income or remuneration, family unit or circle, level of education, assets, fiscal data and tax data.
  • Contract data: products and services contracted or requested (ours or third party), status as holder, authorised person or representative of the product and service contracted, classification according to the regulations on securities and financial instruments markets (MiFID category), information regarding investments made and their progress, and information on and movements of financing operations.
  • Basic financial data: current and historical balances of products and services, and payment history for the products and services contracted (ours or third-party).
  • Third-party data seen on statements and payment receipts for sight accounts and payment accounts: information regarding the notes and movements that third party issuers make on your accounts, including the type of transaction, the issuer, the amount and the description appearing on payment receipts and statements of transactions with debit, credit or pre-payment cards.
  • Data on whether or not you are a CaixaBank shareholder: whether you have shares in CaixaBank or not.
  • Data on communications with you: data obtained from chats, online bulletin boards, video conferences, telephone calls, or similar media.
  • Browsing data: data obtained from your browsing our web sites or mobile apps and where you browse: browser history (sites visited and clicks on content, device ID, advertising ID, IP address) if you have accepted the use of cookies and similar technology on your browser devices.
  • Geographical data: data on the location of the businesses where you use your card and geopositioning data from your mobile device provided by the installation and/or use of our mobile apps, where you have authorised this in the set up of the app itself.
  • Data obtained from drawing up statistical models: we use the results of implementing mathematical models using customer data to fight against fraud, deduce consumption habits, contract preferences or propensities, while complying with our regulatory obligations and managing the operation of your products and/or services.
  • Risk assessment or scoring data: in financing operations or payment in instalments, we deduce your capacity for payment or non-payment, or the risk limits, using statistical mathematical models calculated using your data.
  • Equifax RISK SCORE data: In financing operations or payment in instalments, we use the result provided by this system to assess non-payment positions at 12 months, calculated by using statistical and mathematical models from your National ID document, residential post code and your data on credit information systems.
  • Credit information systems data: the result of consulting Asnet and Bedexcug solvency files, which provide information about debts, capital solvency and credit (debtor, creditor and debt).
  • CIRBE data: we check whether you have risks (financing) with other entities. We obtain these data from the Bank of Spain Risk Information Centre (CIRBE).
  • Demographic and socio-economic data: statistical information that is not linked to specific people but instead to geographical areas, age sectors or professional activity sectors, which we use to relate them with customer information.
  • Data on property and vehicles associated with your person: data obtained from the property registry and basic data on vehicles obtained from the Directorate General for Traffic that we use to supplement the information about your property and vehicles.
  • Data on directors, functional positions and company associations: data extracted from the INFORMA database that we use to supplement the information regarding your activity.
  • Data on agricultural subsidies and insurance: data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Entity (ENESA).
  • Data from other companies to which you have given your consent to their sharing your data with us: data on you processed by other companies with which we have agreements, and those you have authorised to share your information with us.
  • Browsing data: data obtained from you browsing third-party web sites or mobile apps and where you browse: browser history (sites visited and clicks on content, device ID, advertising ID, IP address) if you have accepted the use of cookies and similar technology on your browser devices.
  • Social media or internet data: data from social media or the internet that you authorise us to consult.

Use of profiles: For this processing, we draw up a commercial profile that we exclusively use to personalise our offer of products and services:

  • Purpose of the profile: The profile used has the purpose of deducing the products and services that we believe may interest you, based on the information we have about you, to give you the opportunity to contract them, instead of sending you generic commercial offers.
  • Consequences: If you authorise processing, we will use commercial profiles to decide which products or services we will market to you. If you do not authorise it, we will not use your information to personalise the commercial offer.
    We never, under any circumstances, use this profiling to refuse any product or service or to set credit limits. Not accepting this processing does not prevent, limit or condition your access to our full catalogue of products and services, which is always available to you.
    In the event that you ask to contract any product or service, your request will be assessed with you, in accordance with our normal procedures. Accepting or refusing the analysis of your data in order to personalise the product offer will not affect this assessment.
  • Logic: A customer’s profile is worked out using the data shown in the “data processed” section.
    Mathematical formulas obtained from behaviour seen in the past in customers with similar characteristics are applied to these data in order to infer the customer’s future behaviour. These mathematical formulas allow us to calculate the importance of all the data processed in the final result of the applicant’s profile.
    The final result is the probability that the customer may be interested in a product or service.

Other relevant information: You will find other important information on processing below:

  • Prior check of your ability to pay: When the offers that we want to send you consist of products or services that involve payment in instalments or financing, CaixaBank will check your ability to pay beforehand.
    CaixaBank will make this check using the processing set out in section 6.2.C of its Privacy Policy in order to offer you a credit limit and a repayment period that are in line with the knowledge that we have regarding your financial situation, in accordance with the principles of responsibility in offering financing products required by the Bank of Spain and the regulations on prudent supervision and solvency for responsible credit and loan institutions.
    Non-acceptance of this processing does not prevent, limit or condition your access to our catalogue of finance products and services which, in the event you ask for them, will be assessed with you in accordance with our normal procedures.
  • Duration of the processing: We will only process your data in this way if you have given your consent to it. Your consent will remain in force until you withdraw it. If you cancel all your products or services with us, but forget to withdraw your consent, we will do so automatically.
  • Offer of products and services from joint controller companies: If you consent to this processing, we offer you products and services marketed by the joint controller companies listed in the next section.
    These companies are devoted to financial, banking and payment methods business, including the offer of properties arising from these activities, the insurance business, general e-commerce, leisure and promoting social and sustainability activities.
  • Joint data controllers: The processing of your data in the category shown, for the purpose of informing you about our commercial offers of products and services using the channels selected by you, is carried out jointly by the following companies in the CaixaBank Group:
    • CaixaBank, S.A.
    • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
    • Nuevo Micro Bank, S.A.U.
    • Wivai Select Place, S.A.U.
    • ImaginersGen, S.A.
    • VidaCaixa, S.A.U. de Seguros y Reaseguros

    You can see the essential aspects of the joint controller processing agreements at: www.caixabank.es/empresasgrupo.

B. Communication of the commercial offer using other channels

Purpose: In addition to your manager, we only make our commercial offer available to you over the channels that you authorise us to use.

Data processed: The data that we process for this purpose are:

  • Identification and contact data: full name, gender, postal, telephone and e-mail contact information, home address, and language for communications.

Other relevant information: You will find other important information on processing below:

  • Duration of the processing: We will only process your data in this way if you have given your consent to it. Your consent will remain in force until you withdraw it. If you cancel all your products or services with us, but forget to withdraw your consent, we will do so automatically.
  • Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing:
    • CaixaBank, S.A.
    • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
    • Nuevo Micro Bank, S.A.U.
    • Wivai Select Place, S.A.U.
    • ImaginersGen, S.A.
    • VidaCaixa, S.A.U. de Seguros y Reaseguros

    You can see the essential aspects of the joint controller processing agreements at: www.caixabank.es/empresasgrupo

C. Assignment of data to other companies

Purpose: If we have your consent, we will assign the data shown below to other companies with which we have agreements, so that they may make commercial offers of the products and services they market.

If you do not consent to this processing, we will not assign your data. If you consent, the data we communicate to other companies will vary depending on whether or not you have authorised or refused the personalisation of product offers based on an analysis of your data.

If we do not have your consent to personalise our commercial offer (processing A above), we will only give these companies your identity and contact data.

If you have given your consent to our personalising our commercial offer (processing A above), we will also communicate information on your commercial profile to these companies. This consists of information deduced about your preferences and needs, and information deduced about your probability of paying or defaulting, or about risk limits.

The third party companies to which we may assign your data have the following activities:

  • banking
  • investment services
  • insurance, reinsurance, pension plans and voluntary social welfare entities
  • venture capital
  • real estate
  • roads
  • sale and distribution of goods and services
  • consultancy services
  • leisure
  • charity/social

Data processed:

For this processing, we do not use data that contain information disclosing your ethnic or racial origin, your political opinion, your religious or philosophical beliefs, your union membership, genetic or biometric data aimed at unequivocally identifying you, or data relating to your sex life or sexual orientation.

These are the data on you that we will use if you consent to our communicating your data to third party companies but we do not have your consent to our personalising our commercial offer of products and services (processing A above):

  • Identity and contact data: full name, gender, postal, telephone and e-mail contact information, home address, nationality and date of birth, language for communications, and identity document.

If you have given your consent to personalising our commercial offer of products and services (processing A above), we will also use the following data:

  • Data obtained from drawing up statistical models: we use the results of implementing mathematical models using customer data to fight against fraud, deduce their consumption habits, contract preferences or propensities, while complying with our regulatory obligations and managing the operation of your products and/or services.
  • Risk assessment or scoring data: in financing operations or payment in instalments, we deduce your capacity for payment or non-payment, or the risk limits, using statistical mathematical models calculated using your data.

Other relevant information: You will find other important information on processing below:

  • Assignment information: If we reach an agreement with a third party company to assign your data, the recipient company will notify you of this fact, as well as the data assigned and details of the processing that it intends to carry out.
  • Duration of the processing: We will only process your data in this way if you have given your consent to it. Your consent will remain in force until you withdraw it. If you cancel all your products or services with us, but forget to withdraw your consent, we will do so automatically.
  • Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing:
    • CaixaBank, S.A.
    • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
    • Nuevo Micro Bank, S.A.U.
    • Wivai Select Place, S.A.U.
    • ImaginersGen, S.A.
    • VidaCaixa, S.A.U. de Seguros y Reaseguros

    You can see the essential aspects of the joint controller processing agreements at: www.caixabank.es/empresasgrupo

6.2 PROCESSING NEEDED TO FULFIL CONTRACTUAL RELATIONSHIPS AND TAKE PRE-CONTRACTUAL MEASURES (article 6.1.b) GDPR)

This processing is necessary so that you can set up and maintain Contractual Relationships with us. If you object to it, we will either end the relationships or not be able to set them up if we have not already started them.

The processing needed to fulfil contractual relationships is shown below in order from (A) to (C). For each of them, we give a description of the purpose (Purpose), the type of data processed (Data processed), where appropriate, information on the use of profiles (Use of Profiles), other information needed regarding processing (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data Controller/Data controller).

A. Formalising, maintaining and fulfilling contractual relationships

Purpose: In our position as the insurer, we need to process personal data during the various phases of implementing your insurance policy and pension and voluntary social welfare products. The purpose of this data processing is to formalise, maintain and manage the contractual relationships we enter into with you, including processing your requests or mandates, and the procedures prior to contract (pre-contractual relations) and setting up measures to ensure the performance of the contracts you have with us.

This processing involves gathering and recording the data and formalising the signature of the documents needed for the subscription process for products offered by VidaCaixa, both for individual products (products put in place directly with customers) and collective products (products put in place with companies, associations and other groups).

It also includes managing the operation of the products or services contracted. That is to say, the ordinary and operational management of the contract (such as changes to beneficiaries, updating conditions for offers, expanding policies, and product updates), receiving payment for the financial sums arising from the contract, payments of benefits, redemptions or any item arising from performing a contract linked to a product taken out by you, and external transfers and mobilisation of pension plans.

For this purpose, communications are also made that arise from managing the contractual relationships and transactions relating to the management of policies in which various insurers are involved, who distribute the cover of the insured risks amongst themselves (known as “co-insurance”).

Data processed: The types of data we process for this purpose, the content of which is set out under heading 5, are:

  • Identity and contact data
  • Financial data
  • Data on your professional or employment activity and socio-economic data
  • Data on communications with you
  • Data obtained from drawing up statistical models
  • Data relating to international sanctions
  • Information obtained from publicly available sources and public registries
  • Health data

Other relevant information:

  • Data communication: Within the scope of employment pension plans and VSWEs, we communicate some of your data to third parties which, as provided for in the legislation regulating this activity, play an essential role in the proper performance of our contractual obligations. Specifically, we assign your data to actuaries, control committees, deposit entities, auditors and other bodies with legally attributed powers for that purpose. Furthermore, within the scope of insurance and welfare products, it is necessary for us to communicate data to supervisors, public authorities and registries, and reinsurance companies.
  • Health data processing: When performing any insurance policy to which you are a party, we may process your health data as these are needed to fulfil the contractual relationship that we have with you.
  • Data controller: The data controller for this processing is VidaCaixa. This processing is not carried out with a joint controller.

B. Analysis of requirements and needs

Purpose: Before entering into the contract, as an insurer taking part in the distribution of its own products, in some cases we will need you to give certain information that will allow us to assess and evaluate your needs and requirements.

In addition, when we offer advice on an insurance-based investment product, we will need to obtain the following information about you:

  • Knowledge and experience of investment in the specific product type.
  • Financial situation, including your capacity to bear losses.
  • Investment targets, including your risk appetite.

The purpose of this assessment is to be able to offer you information and, if appropriate, objective advice beforehand, so that you can make your decisions based on solid criteria. The above information will be obtained so that we can recommend insurance-based investment products that would be ideal for you and best fit in with your level of risk appetite and your capacity to bear losses.

Data processed: The types of data we process for this purpose, the content of which is set out under heading 5, are:

  • Identity and contact data
  • Financial data
  • Data on your professional or employment activity and socio-economic data
  • Investment preferences

Other relevant information: You will find other important information on processing below.

  • Regulatory obligations: This processing is carried out on the basis of the provisions of Royal Decree-Law 3/2020, of 4 February, on urgent measures, which incorporates various European Union directives into the Spanish legal system in the fields of public procurement in certain sectors, private insurance, pension plans and funds, and on tax matters and tax litigation.

Data controller: The data controller for this processing is VidaCaixa. This processing is not carried out with a joint controller.

C. Analysis of the state of health declaration to assess the data subject’s risk prior to contracting an insurance product

Purpose: This means that, in the event of a request from you to contract an individual risk insurance product, we can find out and evaluate all the circumstances that may influence the assessment of the risk that may be involved for VidaCaixa in entering into an insurance product with you, taking your state of health and lifestyle into account.

You are under the obligation to declare the risk that you intend to insure and, so that you can comply with this duty and VidaCaixa can properly assess your personal circumstances, we can use questionnaires regarding your personal situation, lifestyle and health habits, ask you to have a medical check-up and request declarations from you regarding any of these aspects.

Data processed: The types of data we process for this purpose, the content of which is set out under heading 5, are:

  • Identity and contact data
  • Financial data
  • Data on your professional or employment activity and socio-economic data
  • Health data

Other relevant information:

  • Health data processing: We will process your health data when these are needed to fulfil the contractual relationship we have with you.
  • Data controller: The data controller for this processing is VidaCaixa. This processing is not carried out with a joint controller.
  • Regulatory obligations: This processing is carried out based on the provisions of the legislation applicable to these products:
    • Law 50/1980, of 8 October, on Insurance Contracts.
    • Law 20/2015, of 14 July, on the organisation, supervision and solvency of insurance and reinsurance entities.

6.3 PROCESSING NEEDED TO COMPLY WITH LEGAL OBLIGATIONS

The legal basis for this data processing is the fact that it is needed to comply with a legal obligation that is required of us, as provided for in article 6.1.c) of the General Data Protection Regulation (GDPR).

Therefore, it is necessary so that you can set up and maintain Contractual Relationships with us. If you object to it, we must either end the relationships or, if we have not already started them, we will not be able to set them up.

The processing needed to comply with legal obligations is shown below in order from (A) to (E). For each of them, we give a description of the purpose (Purpose), the type of data processed (Data processed), where appropriate, information on the use of profiles (Use of Profiles), other information needed regarding processing (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).

A. Processing to comply with the regulations on prevention of money laundering and terrorist financing

Purpose: The purpose of this processing is to take the measures imposed on our activity by Act 10/2010, on the Prevention of Money Laundering and Terrorist Financing.

The processing work carried out to comply with the legislation on the prevention of money laundering and terrorist financing is as follows:

  • Collecting the information and documentation that enables compliance with due diligence measures and knowledge of our customers;
  • Checking the information that you give us;
  • Verifying whether you hold, or have held, posts with public responsibility;
  • Classifying your risk level, on the basis of which the various due diligence measures will be applied, based on the Prevention of Money Laundering and Terrorist Financing legislation;
  • Analysing the transactions performed via CaixaBank, in accordance with the provisions of the legal obligations;
  • Verifying your relationship with companies and, if necessary, your position of control in their ownership structure; and
  • Communicating and updating, on a monthly basis, your information on the Financial Ownership Index, which is the responsibility of the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (SEPBLAC).

Types of data processed: The types of data we process for this purpose, the content of which is set out under heading 5, are:

  • Identity and contact data
  • Data on your professional or employment activity and socio-economic data
  • Contract data
  • Basic financial data
  • Third party data seen on statements and payment receipts for sight accounts and payment
  • Data on communications with you
  • Data obtained from drawing up statistical models
  • Data on directors, functional positions and company associations
  • Social Security General Treasury data
  • Information obtained from publicly available sources and public registries

Use of profiles: This processing involves drawing up a profile that we exclusively use to take the measures imposed on our activity by the Prevention of Money Laundering and Terrorist Financing Act 10/2010.

  • Purpose: The profile used has the purpose of preventing transactions being contracted that are liable to be subject to money laundering or terrorism financing.
  • Consequences: The profiles are tools that help the money laundering and terrorist financing prevention units to determine whether or not transactions are liable to be subject to money laundering or terrorist financing and, therefore, whether or not to accept them.

Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa, S.A. de Seguros y Reaseguros
  • BPI Vida e Pensões - Companhia de Seguros, S.A.
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U.
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • CaixaBank Wealth Management Luxembourg, S.A.
  • CaixaBank Asset Management Luxembourg, S.A.
  • BPI Gestão de Ativos, SGOIC, S.A.
  • Banco BPI, S.A.
  • Bankia Habitat, S.L.U.

    You can see the essential aspects of the joint controller processing agreements at: www.caixabank.es/empresasgrupo

B. Processing for the purpose of complying with tax legislation

Purpose: The purpose of this processing is to take the measures imposed on our business by the General Tax Act 58/2003, of 17 December, and Royal Decree 1021/2015, of 13 November, establishing the obligation to identify the tax residence of persons holding ownership or control of certain financial accounts, and to report them in the context of mutual assistance, and other current tax legislation.

The processing work carried out to comply with tax legislation is as follows:

  • Collecting the information and documentation relating to your taxation as provided for in the tax regulations; and
  • Reporting data relating to your taxation to the public authorities, where this is provided for in the regulations or required by the authorities.

Types of data processed: The types of data we process for this purpose, the content of which is set out under heading 5, are:

  • Identity and contact data
  • Data on your professional or employment activity and socio-economic data
  • Contract data
  • Basic financial data

Other relevant information:

Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing:

  • CaixaBank, S.A.
  • VidaCaixa, S.A. de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U.
  • CaixaBank Notas Minoristas, S.A.U.
  • Segurbankia, S.A.
  • Bankia Mediación, OBSV

    You can see the essential aspects of the joint controller processing agreements at: www.caixabank.es/empresasgrupo

C. Processing to comply with obligations arising from international policies on sanctions and financial countermeasures

Purpose: The purpose of this processing is to adopt the measures imposed on our activity in the international programmes on sanctions and financial countermeasures adopted by the European Union and the Kingdom of Spain.

To comply with international financial sanctions and countermeasures, we check whether you appear on the lists of persons or bodies that are included in laws, regulations, directives, resolutions, programmes or restrictive measures on international economic/financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, and the Office of Financial Sanctions Implementation (OFSI) of Her Majesty’s Treasury (HMT) in the UK, and/or the US Department of the Treasury’s Office of Foreign Assets Control (OFAC).

Types of data processed: The types of data we process for this purpose, the content of which is set out under heading 5, are:

  • Identity and contact data
  • Data relating to international sanctions

Joint data controllers: The following CaixaBank Group companies will process your data as joint controllers for this processing:

  • CaixaBank, S.A.
  • CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
  • VidaCaixa, S.A. de Seguros y Reaseguros
  • Nuevo Micro Bank, S.A.U.
  • CaixaBank Asset Management SGIIC, S.A.U.
  • Telefónica Consumer Finance, E.F.C., S.A.
  • Buildingcenter, S.A.U.
  • Livingcenter Activos Inmobiliarios, S.A.U.
  • Unión de Crédito para la Financiación Mobiliaria e Inmobiliaria, CREDIFIMO, E.F.C., S.A.U.
  • Corporación Hipotecaria Mutual, S.A.U., Establecimiento Financiero de Crédito
  • Banco BPI, S.A.
  • CaixaBank Wealth Management Luxembourg, S.A.
  • Bankia Habitat, S.L.U.

You can see the essential aspects of the joint controller processing agreements at: www.caixabank.es/empresasgrupo

D. Processing to deal with complaints and claims

Purpose: To handle queries, complaints and claims made to VidaCaixa in accordance with the applicable legislation as cited in section 1 of this document. VidaCaixa is under the obligation to have a customer care department or service to deal with and resolve complaints and claims that policyholders, insured, beneficiaries, injured third parties, or right holders of any one of them may submit regarding their legally recognised interests and rights.

Furthermore, in the area of voluntary social welfare, in accordance with the Pension Plans and Funds Regulatory Act and the VSWE Act, the Ombudsman is an obligatory figure from outside the organisation, who acts according to independent criteria and whose decisions are binding on VidaCaixa.

At the same time, the LOPDGDD obliges the data controller, in this case VidaCaixa, to deal with the claims submitted to its Data Protection Officer and to deal with the personal data protection rights that data subjects may exercise.

The processing work carried out to comply with legislation relating to processing complaints and claims is as follows:

  • Receipt of the complaint or claim by VidaCaixa’s Customer Care Service and by the Ombudsman;
  • Attention to the data protection rights and queries relating to VidaCaixa by the CaixaBank Group Data Protection Officer;
  • Data communicated to our sector supervisor, the General Directorate of Insurance and Pension Funds or, where appropriate, the Basque Country Government; and
  • Response to the complaint or claim submitted in any of the cases described above within the deadline set, as well as the activities needed to collaborate with the supervisory authority.

Data processed: The types of data we process for this purpose, the content of which is set out under heading 5, are:

  • Identity and contact data
  • Data on legal capacity and special communication needs
  • Contract data
  • Basic financial data
  • Data on communications with you
  • Browsing data
  • Health data

Other relevant information:

  • Data communication: We will need to share your personal data with the Ombudsman and with the supervisors so that they can resolve the files/claims that correspond to them as described above.
  • Data controller: The data controller for this processing is VidaCaixa. This processing is not carried out with a joint controller.
  • Health data processing: We may process your health data when these are needed to fulfil the contractual relationship that we have with you.

E. Assessment, selection and rating financial/actuarial risks (including making automated decisions)

Purpose: To define VidaCaixa’s risk selection and rating policy. To do this, VidaCaixa needs to assess the risk it is taking on when entering into new insurance policies with its customers, as well as the risk that it has already taken on with contracts that are already in force.

Use of profiles and automated processing: For this processing, we draw up profiles that we only use for the continuous assessment of the risk taken on by VidaCaixa with the contracts that are in force and to assess and define the policy for selecting new risks and VidaCaixa’s subscription and rating strategy. The personal data are configured and integrated into mathematical models to make calculations and assessments of the risk associated with the possibility that an incident or contingency might take place that gives rise to the automatic receipt of a benefit. Therefore, customers are classified in terms of risk on the basis of the data indicated below, in order to determine, firstly, what type of subscription check should be used, if necessary, to access a new insurance product and, secondly, the appropriate rate to use to calculate the technical provisions.

  • Consequences: We do not, under any circumstances, use this automated profiling to refuse any product or service, or apply a rate that is higher than that applicable in the event that the risk of your transaction is not assessed automatically. In any case, you have the right to ask us for a health questionnaire or have a medical check-up voluntarily, which will be taken into account in the contracting process. The assignment of a risk profile will be associated with determining the applicable rate, which will never be higher than that for a customer who decides to undergo a normal subscription check.
  • Logic: A customer’s profile is worked out using the data shown in the “data processed” section. Mathematical formulas are applied to these data, which are obtained from behaviour observed in the past in customers with similar characteristics, to measure, depending on the relevant time horizon for each kind of contract, the possibility that any of the circumstances obliging VidaCaixa to pay a benefit arise. These mathematical formulas allow us to determine the importance of all the data processed in the final result of the customer’s profile.

    By way of example, your life expectancy and the risk that you may have an accident, become incapacitated in any way, retire, lose your job or suffer a serious illness will be estimated based on financial/actuarial calculations and experience with other customers in similar circumstances.

Data processed:

  • Identity and contact data: Tax ID (NIF)/Foreign Citizen’s ID No. (NIE)/Passport, name and surname(s), date of birth, postal address, e-mail address, telephone number (landline or mobile) and language for communications.
  • Financial data: Products and services contracted, status as holder/beneficiary/attorney-in-fact, status as a non-customer intervener, MiFID category and payment history.
  • Socio-economic: Professional activity, level of education, remuneration/income, assets (properties), family unit/circle, fiscal or tax data.
  • Employment: Employment relationship data (position, length of service, etc.).
  • Data on communications with you.
  • Data observed when contracting and maintaining products and services that are sold to you.
  • Data obtained from drawing up statistical models.
  • Data relating to international sanctions.
  • Information obtained from publicly available sources and public registries.
  • Special data categories: Health data.

Other relevant information:

  • Data controller: The data controller for this processing is VidaCaixa. This processing is not carried out with a joint controller.
  • Health data processing: We may process your health data when these are needed to comply with the legislation regulating the insurance business.
  • Regulatory obligations: This processing is carried out based on the provisions of the legislation applicable to these products:
    • Law 20/2015, of 14 July, on the organisation, supervision and solvency of insurance and reinsurance entities.

6.4 PROCESSING BASED ON VIDACAIXA’S LEGITIMATE INTEREST (article 6.1.f) GDPR)

The legal basis for this processing is the fulfilment of legitimate interests pursued by VidaCaixa or a third party, provided that such interests do not prevail over your interests, or your fundamental rights and freedoms, as provided for in article 6.1.f) of the General Data Protection Regulation (GDPR).

Carrying out this processing means that we have weighed your rights against our legitimate interest and concluded that the latter takes precedence. Otherwise we will not carry out the processing. You can request the analysis weighting the legitimate interest of processing at any time by sending your query to the following email address: delegado.proteccion.datos@caixabank.com.

In addition, we would like to remind you that you have the right to object to processing based on legitimate interest. You can do so easily and free of charge using the channels shown under heading 4.

This processing is set out below in order from (A) to (D). For each one of them, we give VidaCaixa’s legitimate interest (VidaCaixa’s legitimate interest), the description of the purpose (Purpose), the type of data processed (Data processed), if appropriate, information on the use of profiles (Use of profiles), other information needed regarding processing (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data Controller/Data controller).

A. Managing the performance of employees, agents and suppliers

VidaCaixa’s legitimate interest: VidaCaixa’s legitimate interest in carrying out this processing is managing relationships with employees, agents and suppliers on the basis of their professional performance, thereby ensuring that the company functions well and efficiently.

Purpose: To monitor and assess employees’, agents’ and suppliers’ professional performance, aims and targets by analysing the transactions and contracts they have with customers.

Data processed: The types of data we process for this purpose, the content of which is set out under heading 5, are:

  • Contract data.
  • Basic financial data.

Other relevant information:

  • Right to object to processing: You have the right to object to processing based on legitimate interest. You can do so easily and free of charge using the channels shown under heading 4.

B. Product governance

VidaCaixa’s legitimate interest: To comply with regulatory requirements on product design and governance and ensure that when designing products and the target audience, all the relevant risks for the market in question and the planned coherence of the distribution strategy are taken into account.

Purpose: To analyse the personal data shown below to continuously assess needs and requirements and, based on this, to design new products or modify pre-existing ones so that they fit our customers’ needs and requirements, and to inform our distributors of the characteristics that the target audience for the commercial offer of the product should meet. VidaCaixa will supervise its distribution work and that of its distributors, analyse real transactions and verify that its products are marketed to their target audience.

Use of profiles: For this processing we draw up profiles that we only use to define the target audience and segments within that target audience, with the aim of ensuring that the insurance products designed are only marketed to the customers they fit best, taking their needs and requirements into account. We never, under any circumstances, use this profiling to refuse any product or service.

  • Consequences: The profiling will be used to define objective and subjective characteristics which should appear in a specific situation to offer a product to the customer but will not, if a customer proactively requests access to a specific product or service, prevent the request from being analysed and resolved in the normal manner. In addition, the profile may define which group of customers within the target audience is considered preferential (preferential audience), as they are the ones whose needs and requirements would be met best by the product in question. The use of these profiles will never serve to determine the access price or the rate for any of the products defined by VidaCaixa.
  • Logic: Assigning values to profiles to determine the characteristics of the target audience and, if appropriate, preferential audience will come from calculations using the data shown in the “data processed” section. Mathematical formulas obtained from behaviour seen in customers with similar characteristics are applied to assess their needs and requirements. These mathematical formulas allow us to calculate the importance of all the data processed in the final result of the applicant’s profile.

Data processed:

  • Identity and contact data.
  • Data on your professional or employment activity and socio-economic data.
  • Contract data.
  • Basic financial data.
  • Data observed when contracting and maintaining products and services that are sold to you.
  • Data on communications with you.
  • Information obtained from publicly available sources and public registries.

Other relevant information:

  • Data controller: The data controller for this processing is VidaCaixa. This processing is not carried out with a joint controller.
  • Regulatory obligations: This processing is carried out based on the provisions of the legislation applicable to these products:
    • Directive (EU) 2016/97, of 20 January 2016, on insurance distribution.
    • Preparatory directives relating to product governance and vigilance procedures for insurance companies and insurance distributors.

C. Fraud prevention

VidaCaixa’s legitimate interest: To prevent and hinder fraudulent conduct that not only harms VidaCaixa but also the sector in general.

Purpose: To take the necessary steps to detect, prevent, avoid or reverse, if their effects are defined, all malicious transactions or conduct carried out in any of the phases of signing up for and taking out insurance offered by VidaCaixa, and to avoid others that involve economic or reputational losses to the entity or its customers. For example, fraudulent redemptions or mobilisations or other transactions relating to pension plan or VSWE management, or in payment and receipt management operations, in the widest possible sense.

The main processing work carried out to fight against fraud is as follows:

  • Verify the identity of the customers associating with the entity to prevent subscription processes that are fraudulent or carried out with intent to defraud, for example, when taking out insurance for a risk that has already occurred, or intentionally withholding information on state of health;
  • Review and analyse contracts and transactions carried out on our systems to detect malicious or fraudulent conduct, for example, when it comes to processing a pension plan benefit, redemption or mobilisation.

Use of profiles and automated processing: This processing involves drawing up a profile relating to your usual transactions and activities that we only use to identify unusual, anomalous transactions or interactions, or which fall outside your behaviour profile, which may be indicative of an attempt at fraud. Its use entails taking measures that go from a detailed review of the transaction to blocking it or refusing automatic performance. To prevent fraud, we use automated processing to try to detect fraudulent transactions.

  • Consequences: In the event you are informed that a transaction cannot be carried out as there are indications of fraud, this will not prevent you from providing additional information or documentation that will help VidaCaixa to reassess your case and eventually discount fraudulent intent.
  • Logic: The processing consists of comparing your data and pre-existing transactions with the current ones, for the purpose of automatically detecting inconsistencies.

Data processed: The types of data we process for this purpose, the content of which is set out under heading 5, are:

  • Identity and contact data
  • Data on your professional or employment activity and socio-economic data
  • Contract data.
  • Basic financial data.
  • Data observed when contracting and maintaining products and services that are sold to you.
  • Data on communications with you.
  • Data relating to international sanctions
  • Information obtained from publicly available sources and public registries
  • Health data

Other relevant information:

  • Health data processing: We can process your health data for this purpose because it is permitted by the legislation regulating insurance business.
  • Data controller: The data controller for this processing is VidaCaixa.
  • Regulatory obligations: This processing is carried out based on the provisions of the legislation applicable to these products:
    • Law 20/2015, of 14 July, on the organisation, supervision and solvency of insurance and reinsurance entities.

D. Creation of statistical reports and mathematical models to monitor and manage VidaCaixa’s activity

VidaCaixa’s legitimate interest: VidaCaixa’s legitimate interest in carrying out this processing is to design, organise and optimise its corporate activity and commercial activity in the most efficient way possible. It is, therefore, necessary to have reports on the company’s management and business and the market, as well as advanced mathematical algorithms for information analytics.

Purpose: To draw up reports on the company’s activity and its relationship with the market, the composition and evolution of its customer base, and the suitability and effectiveness of its products, services and risks, which enable their efficient governance and management and the creation of statistical and mathematical models that enable the processing set out in this policy to be carried out.

Data processed: The types of data we process for this purpose are those previously identified for each type of processing. However, where possible, anonymisation (i.e., the information is irreversibly altered so that you cannot be identified in any way) or pseudonymisation (coding or encrypting your data) techniques are applied to these data to ensure that the processing does not have any impact on their holders’ rights, and that the result of the processing is reports containing statistical or aggregated information, or mathematical formulas or algorithms.

Other relevant information:

  • Data controller: The data controller for this processing is VidaCaixa. This processing is not carried out with a joint controller.

E. Commercial communications for insured parties, participants and beneficiaries of collective products contracted by a legal entity

VidaCaixa’s legitimate interest: To add value to VidaCaixa’s brand and commercial offer to its customers and offer them products and services associated with those they have already contracted and which cover related needs. VidaCaixa understands that this process also benefits its customers and does not disappoint their expectations.

Purpose: For commercial, promotional and marketing purposes, VidaCaixa may send communications to its customers for collective products and, by doing so, add value to its brand, products and services. VidaCaixa may also offer customers who are participants, insured parties or beneficiaries of products contracted by legal entities different products and services related to other VidaCaixa products that they may already have taken out.

Unlike consent-based processing (A and B in section 6.1), we do not need your consent when you are a current customer, and we only let you know of products and services offered by us and which are similar to those you have already contracted.

Data processed:

  • Identity and contact data
  • Data on your professional or employment activity and socio-economic data
  • Contract data.
  • Basic financial data.
  • Data observed when contracting and maintaining products and services that are sold to you.
  • Data on communications with you.

Other relevant information:

  • Purpose of the processing: This processing will cease to be carried out, and you will not receive any more communications of this type, when (i) you cease to be a VidaCaixa customer, (ii) you exercise your right of objection at any time, and (iii) you have refused to receive any kind of commercial communication.

7. Recipients of the data: third parties who may have access to your personal data

Data controller and joint data controllers

The data we process due to the fact that you are a VidaCaixa customer is processed at VidaCaixa.

The data we process as joint controller, under the terms shown throughout this policy, will be shared with the other joint controllers (CaixaBank Group companies) for the purposes and on the legal bases shown above in section 6.

Official authorities, bodies and registries

As you have been informed for each type of processing in section 6 of this document, VidaCaixa is legally obliged to provide information obtained within the framework of contracts for products and services to official authorities or bodies of other countries, both within and outside the European Union (in which case you will be notified under the terms provided for in section 8), within the framework of the fight against terrorist financing and serious forms of organised crime, and the prevention of money laundering, as well as within the framework of compliance with the legal regulations for the insurance sector shown above. With respect to insurance with death cover, VidaCaixa, in its capacity as insurer, must also notify a public registry legally constituted for that purpose (Law 20/2005, of 14 November, on the creation of the death cover Insurance Policy Register) of its existence and basic data.

The legal basis for these assignments is compliance with the aforementioned legal obligations.

Data communication needed to fulfil contractual relationships

As mentioned above, in the area of employment pension plans and VSWEs, it is possible that, in order to fulfil our contractual relationship with you, it may be necessary for us to communicate some of your data to third parties participating in the relationship, such as, for example, actuaries, supervisory committees, deposit entities, auditors or other bodies with legally attributed powers for that purpose. Furthermore, within the scope of insurance and welfare products, it is necessary for us to communicate data to supervisors, public authorities and registries. In all cases, your personal data are only communicated in as far as is necessary for the proper performance of your insurance policies, with that sole purpose and legal basis.

In addition, within the field of insurance, and under the terms provided for in the LOSSEAR, it will be necessary to communicate your data to reinsurance companies. The main function of the reinsurance policy is to manage VidaCaixa’s exposure to risk, as the insurance company, essentially with the aim of reducing it by transferring it, to a greater or lesser extent, to the reinsurance company. Reinsurance is, therefore, a vitally important tool for managing VidaCaixa’s balance sheet and solvency as an insurance company. As part of taking out reinsurance, the LOSSEAR expressly provides that insurance companies may communicate to their reinsurance entities, without the consent of the policy holder, insured party, beneficiary or aggrieved third party, the data that are strictly necessary to enter into the reinsurance policy or to carry out connected transactions. These are understood to be conducting statistical or actuarial studies, risk assessment or research for their customers, and any other activity related to or arising from reinsurance activity. Assigning such data for any purpose other than those provided for in the previous paragraph will require your consent. The reinsurer will not have any type of direct contact with the insured parties.

Data communication when outsourcing services to data processors

We occasionally use service providers with potential access to personal data. These providers give suitable, sufficient warranties in relation to data processing, as we have a responsible selection process for service providers that includes specific requirements in the event that the services involve personal data processing. These providers process personal data, in our name and on our behalf, following our instructions as data controllers.

The types of services that we may entrust to service providers are as follows:

  • Back office financial services
  • Administrative support services
  • Audit and consultancy services
  • Legal services
  • Payment services
  • Marketing and publicity services
  • Questionnaire services
  • Call centre services
  • Logistics services
  • Physical security services
  • IT services (systems and information security, cybersecurity, IT systems, architecture, hosting and data processing)
  • Telecommunications services (voice and data)
  • Printing, packing, postal and courier delivery services
  • Information custody and destruction services (digital and hard copy)
  • Buildings, installations and equipment maintenance services

8. Time frames for retaining the data

Retention to maintain the contractual relationships

Ordinarily, we will process your data while the contractual relationships we have set up with you last.

Retention of authorisations and consent-based data processing

When we process your data on the basis of your consent, we keep them until you revoke your consent. In any event, if you cancel or terminate all your contracts with CaixaBank Group companies for products and services, we automatically cancel the consents you have given us which you have not yet revoked, at the time you stop being a customer.

Retention of data for which the legal basis is our legitimate interest

When we process your data on the basis of our legitimate interest, or that of third parties, under the terms set out in this policy, we retain them until that legitimate interest ceases, or when you exercise your right to object to the specific processing, or when your rights and interests prevail over our legitimate interest, or that of third parties. In any event, if you cancel or terminate all your contracts with CaixaBank Group companies for products and services, from the time you stop being a customer, we automatically stop processing the personal data covered by our legitimate interest, or that of third parties, except in the case provided for in the LOSSEAR for the prevention of fraud when taking out insurance, as shown below.

Retention for compliance with legal obligations

As an insurer and trading company, we are subject to a variety of legislation that imposes on us obligations regarding the retention of documentation. In compliance with this legislation, we retain personal data while those obligations last, for the sole purpose of complying with the regulations.

Therefore, we inform you that we keep company documentation (contracts and invoices, etc.) for 6 years, as provided for in the Code of Commerce. In addition, in compliance with the regulations on the prevention of money laundering, we keep your information relating to life insurance for a period of 10 years.

Making, exercising and defending claims and fraud prevention when taking out insurance

Once the authorisations to use your data have been revoked by withdrawing your consent, exercising your right of objection, the legitimate interest ending, or at the end of the contractual or business relationships that you have entered into with us, and as long as no law obliges us to retain the documentation, we will only retain your data to comply with legal obligations and to enable making, exercising or defending claims during the statute of limitations for actions arising from contractual relationships for 5 years. We may also retain such data for longer than the time during which the contractual relationships are in force, solely for the purpose of preventing fraudulent conduct, under the terms set out above, and taking the technical and organisational measures needed to ensure that they are only used for these purposes, maintaining the personal data blocked, under the terms provided for in data protection legislation so as to make them available to the authorities.

Destruction of data

Finally, we will destroy your data when the time frames for retention imposed by the rules regulating VidaCaixa’s activity have passed and the statute of limitations for administrative or court action arising from the relationships set up between you and us has expired.

9. Data transfers outside the European Economic Area

VidaCaixa processes your data within the European Economic Area and, in general, we sub-contract service providers who are also located in the European Economic Area, or in countries that have been declared to have a suitable level of protection by the European Commission.

If we need to use service providers for processing outside the European Economic Area, or in countries that have not been declared to have a suitable level of protection, we will ensure that the security and legitimate processing of your data are guaranteed and we will notify you of this.

Therefore, we demand suitable guarantees from these service providers, in accordance with the provisions of the GDPR, for example, that they have binding corporate rules guaranteeing protection of the information in a similar manner to that provided for in European regulations, or that they sign up to European Union standard clauses. You can request access to these guarantees by contacting us through our data protection officer.

10. Automated decisions

We informed you of the processing that includes automated decisions in section 6 of this document.

In addition, if, during your contractual relationships with us, we use mechanisms that may make decisions solely and exclusively based on automated processing (that is to say, without a person taking part) which may have legal effects on you, or that may significantly affect you (for example, refusal to enter into a contract for a specific product), we will notify you of this, and of the logic behind the decision, in the contract documentation for the product or service that you requested.

Furthermore, at that time, we will take steps to safeguard your rights and interests by giving you the right to obtain human intervention, to express your point of view and to challenge the decision.

11. Review

We review this document every time it is necessary to keep you duly informed, for example, if new regulations or criteria are published or new processing is carried out.

We will notify you using the usual communications channels whenever changes are made to this privacy policy.