Privacy Policy

Introduction

The protection of fundamental rights and freedoms, and in particular the protection of individuals in relation to the processing of personal data, is one of the basic principles of Grupo Catalana Occidente (henceforth, “GCO” or the “Group”), as reflected in its Code of Ethics, in compliance with legal requirements and its corporate governance system.

The purpose of GCO's privacy policy (hereinafter, the "Policy") is to provide a concise, transparent explanation, in clear, simple language, of the way in which companies in the Group will process any personal data collected from their customers (as defined below), in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and the Organic Law 3/2018, of 5 December, on Protection of Personal Data and Guarantee of Digital Rights implementing it  (henceforth the "Data Protection Regulations").

Who is the controller of your personal data?

The GCO entity with which you have a relationship; in the Annex at the end of this Policy, the identification and registered addresses of the entities that make up the Group can be found, together with other information.

Who is the Data Protection Officer?

The Data Protection officer is the person designated by the entities that constitute the Group to ensure compliance with Data Protection Regulations whom you may contact, especially if you think your data protection freedoms and rights have been breached, via the postal or email address provided in the Annex at the end of this Policy and published in the Spanish Data Protection Agency's Register of Data Protection Officers.

Who is the personal data protection supervisory authority?

The supervisory authority is the Spanish Data Protection Agency, whose head office is at Calle Jorge Juan, 6, Madrid 28001. It is the independent public authority responsible for ensuring the privacy and protection of citizens' data, to whom you can submit queries and/or complaints regarding this matter, should you consider that your data protection rights and freedoms have not been duly respected by a Group entity. For more information, go to the following website: www.aepd.es. 

What personal data can be processed?

Personal data (any information on an identified or identifiable individual), whether provided directly by the interested party or by an insurance distributor, seller or partner, including documents containing such data, or personal data obtained from recorded telephone conversations, internet website browsing or other means, including biometric and geolocation data, before, during and after the formalisation of an application, pre-contract, contract or service related to any of the products and/or services marketed by Group entities, will be processed when such data are needed for the study, documentation, development and/or execution of a contractual relationship between the parties or any other relationship arising from the same.

In this sense, the definition of customer is established as any data subject that: requests information, a product or a service, is a policyholder, insured person or beneficiary, who causes or is a third party involved in an accident, is a participant, partner, subscriber, claimant, mortgage holder, investor in promissory notes and/or a third party involved in a contractual or service relationship with a Group entity.

If the personal data are provided by a person other than the holder, it shall be the provider's obligation to previously communicate this information using the forms made available to him/her by the Group entity data controller to the holder of the personal data, and to obtain his/her consent through these forms, when necessary, for the data to be processed by the relevant Group entity.

Subject to the requirements of Data Protection Regulations, these personal data can be supplemented by other data obtained from Group suppliers, and any personal data that the data subject has made public.

The personal data of minors will normally only be processed when their parents or legal guardians have given their consent using the forms made available to them for the processing required to execute a contract or service with a Group entity, when there is a legal obligation and/or legitimate interest, in the latter case after a balancing test has been carried out by the Group entity responsible for the processing, notwithstanding the exercise of personal data protection rights established by the current Data Protection Regulation.

What are the categories of data subject to processing?

In general, the personal data subject to processing in the issue of an offer, a precontract or contract, will refer to the identification of the interested party, their personal characteristics and/or social circumstances, and any other data that may be necessary to complete these procedures.

In addition and of a specific nature; (i) in the case of life, accident, healthcare, illness and/or death insurance, it will be necessary to process data relating to the profession or activity of the policyholder and/or the insured person, and, where appropriate, data relating to their health, and (ii) in the case of investment funds, data relating to the profession or activity of the policyholder and/or insured person as well as the data necessary for carrying out tests of suitability and/or appropriateness.

Finally, in the case of the contact forms made available to the public by Group entities, when the information prior to the collection of data has been provided, with reference to this Policy, the identification and contact details required to establish contact as requested will be processed.

Which are the purposes of processing your personal data?

(i) Main purpose:

The main purpose of processing personal data is the study, issue, development and/or execution of a pre-contract, contract, contractual relationship or service agreed with a Group entity, effectively complying at all times with the obligations established in the regulations applicable to the Group entity responsible for such data processing.

(ii) Other purposes:

Personal data will be object of processing for the purpose of setting prices and selecting risks and managing subsequent requests related to the risks that can be contracted. This processing may include, if necessary, profiling and/or automated decision-making in accordance with the provisions established in this Policy.

Likewise, personal data will be processed for the purposes of preventing and combating fraud, with the possibility of consulting and reporting to the insurance sector's common information systems, for compliance by the relevant Group entity with the legal obligations arising from the Civil Liability and Insurance Act regarding the circulation of motor vehicles and/or the Regulation, Supervision and Solvency for Insurance and Reinsurance Companies Act; similarly, in connection with the prevention of money laundering and the financing of terrorism, for compliance by Group entities with their legal obligations and the adoption of due diligence measures arising from anti-money laundering and terrorism financing legislation and the regulations implementing it.

In order to manage the request and/or any of the contracts or services provided by a Group entity, said entity may process your personal data to assess your financial solvency, and may consult insurance sector information systems or credit rating agencies and disclose data to them, in addition to carrying out statistical, quality and/or technical studies, and implementing satisfaction surveys, loyalty programmes, market analysis, and research and service quality studies.

In insurance products the personal data may be processed to manage the coinsurance or reinsurance in accordance with insurance contract regulations. The disclosure of data in such cases shall be carried out to comply with a legal obligation, to execute a contract, or in legitimate interest, in the latter case after a balancing test conducted by the Group entity responsible for processing the data.

Finally, with regard to contact forms, telephone numbers, email addresses and social network profiles made available by Group entities, your data will be used (i) to attend to and manage suggestions, requests, queries and/or claims made via these channels; and (ii) to manage CVs provided for selection processes in Group entities.

(iii) For automated decision-making including profiling:

Some processing of personal data necessary for the execution or formalising of contracts may require the adoption of automated decision-making and/or profiling. This means that certain decisions may be made automatically without human involvement, where the data subject will always have the right to: (i) request the review of the results by a person; (ii) express their point of view; and (iii) contest the decision; in accordance with Data Protection Regulations.

Furthermore, the potential design, development or use of artificial intelligence insofar as it involves the processing of personal data shall always comply with the provisions of the Data Protection Regulations in relation to the Artificial Intelligence Regulation (EU) 2024/1689 and its implementing regulations, and with the general principles and values of GCO's Code of Ethics, which underlies the operations of its entities, in particular regarding privacy and the right to personal data protection. It will also take into consideration the guidelines of the document on ethical principles for the use of Artificial Intelligence in the insurance sector, drawn up by the Spanish Union of Insurance and Reinsurance Companies (UNESPA), and the report of the consultative expert group of the European Insurance and Occupational Pensions Authority (EIOPA) on Artificial Intelligence Governance Principles: Towards Ethical and Trustworthy Artificial Intelligence in the European Insurance Sector.

In the aforementioned processing of personal data for the prevention of fraud and/or money laundering and the financing of terrorism, the legal basis of profiling is for the Group entity responsible to comply with its legal obligations. 

(iv) Advertising:

If customers authorise it, personal data may also be processed with a view to: (i) carrying out marketing activities and sending them information, even via remote means, including newsletters, blogs or other opt-in information channels, on other general or customised products and services, either proprietary or available from other Group entities, as identified in the Annex at the end of this Policy and on the www.gco.com website; (ii) showing them customised advertising on websites, search engines and social media; and (iii) offering participation in promotional competitions. This will apply even after the termination of services or the customer's contractual relationship with the Group entity. In any of aforementioned cases the adjustment of products and services to your profile may be performed based on the analysis of risk and behavioural profiles, considering both internal and external sources, geolocation information and your browsing habits through the internet or social media. 

What is the legal basis for processing your personal data?

The legal grounds for processing data referred to in the main purpose described above are based on the management of the offer and, if applicable, execution of the contract or service agreed with the Group entity responsible for processing said data.

Any processing for the other purposes mentioned and for making automated decisions is based on relevant legislation or legitimate interest, if applicable, after a balancing test has been conducted by each Group entity responsible for processing.

In particular, the processing of personal data for the purpose of preventing fraud and/or money laundering and the financing of terrorism is based on applicable legislation, while data processing with the aim of developing loyalty programmes for customers is based on legitimate interest, subject to the aforementioned analysis by the Group entity responsible for said processing.

Finally, the lawful basis for the processing of personal data for advertising purposes is, where applicable, the consent given by the data subject, meaning any freely given, specific, informed and unambiguous expression of intent by which the data subject agrees, by means of a statement or a clear affirmative action, to the processing of his or her personal data. Data subjects have the right to withdraw their consent at any time thereafter, although this does not affect the legitimacy of any processing based on the consent prior to its withdrawal.

How long will we store your personal data?

Your personal data will be held throughout your relationship with the Group entity with which the service or contract has been agreed, or with which a relationship has been established.

Once this relationship has ended, this data will be stored for the necessary period of time established by the applicable legislation at all times, and will be available to the courts and tribunals, Public Prosecutor's Office, State security forces and/or competent public administrations, in particular the appropriate personal data protection supervisory authorities, and corresponding supervisory bodies, in order to deal with any legal or contractual liabilities arising from the contract or service related to the data processing in question and during the applicable time in force.

In general, the documentation and information concerning your business must be kept by the entrepreneur for at least six years from the end of the relationship, except as established by general or special provisions, in accordance with the terms of the Commercial Code.

In particular, by virtue of the provisions of anti-money laundering and terrorism financing legislation, in the life and investment insurance sector, the obliged parties must keep, for a period of ten years after the end of the relationship, the documentation that formalises compliance with the due diligence obligations established in the aforementioned legislation.

Any requests or proposals that do not lead to a contract or the provision of a service, regardless of the reason, shall be held for the time necessary to ensure their effectiveness in the fight against fraud in contracting and to prevent money laundering and terrorism financing.

The guidelines on the storage period, erasure and blocking of personal data, to be used by the Group entity responsible for processing, are specified in the internal regulations on the conservation, erasure and blocking of personal data, in line with GCO's policy on personal data protection. Data subjects can access them through the Data Protection Officer. 

To which recipients will your personal data be disclosed?

(i) GCO Entities:

The customer's personal data, contract or service and any information arising from or related to them can be transferred to the Group entities specified in the Annex at the end of this Policy and/or on the www.gco.com website to comply with the regulations applicable to each entity, and in general terms, for the prevention of and fight against fraud and the prevention of money laundering and the financing of terrorism, and, where applicable, to maintain and comprehensively and centrally manage the customer's relationship with the different entities in the Group.

We also expressly inform you that the entities in the Group share common services, to differing degrees, for the purpose of making use of existing synergies, optimising resources and offering a better service to customers. To this end, they have entered into various framework agreements to provide reciprocal services, which involve access to personal data managed by other entities in the Group, covering the provision of various services, including, but not limited to, the following:

a)    Services provided by Grupo Catalana Occidente, Tecnología y Servicios A.I.E. for Group entities: (i) data hosting, (ii) maintenance and management of systems, communications and computer equipment, (iii) information security and the security of supporting systems, (iv) development and maintenance of IT applications, (v) the claims management service, (vi) reporting and disclosure of information relating to the services provided, (vii) maintenance and management of presence detection, security and video surveillance systems, and (viii) document management, custody and filing, printing and labelling.

b)    Services provided by Grupo Catalana Occidente Contact Center A.I.E. for Group entities: (i) providing customer service via any means, including remote means, such as telephone, email, internet, instant messaging and/or social media, and (ii) conducting campaigns and satisfaction surveys.

c)    Services provided by Prepersa Peritación de Seguros y Prevención S.L.U. for Group entities: provision of a service to cooperate in the management of claims related to insurance policies through its network of associates.

(ii) Other entities:

Personal data can also be disclosed to different associates or service providers of any Group entity responsible for processing data, including but not limited to: insurance brokers, co-insurers, reinsurers, lawsuit experts and investigators, solicitors and court representatives, auditors, consultants, medical professionals and health assessors, financial, depository and managing entities and other suppliers and professionals who process personal data as processors on behalf of the corresponding controller Group entity, in order to ensure the services rendered by the aforementioned entity while carrying out the contract or service comply with the obligations stipulated in applicable legislation, in their legitimate interest following a balancing test, and/or in accordance with the user's consent if this has been given.

In any of the above cases, we hereby inform you that the computer servers used by these service providers may be located in countries outside the European Union, where, if the level of privacy protection were not equivalent to European or national Data Protection regulations, because the European Commission has not confirmed their adaptation, the corresponding controller Group entity will adopt appropriate measures, as envisaged in Data Protection Regulations for transfers to third countries and international organisations, with the exception of certain situations expressly provided for, in order to ensure that the level of protection of the data subjects is not diminished, and apply appropriate and necessary measures to effectively safeguard the rights of data subjects and the security of information, in accordance with the technical measures available at any time. 

(iii) Official organisations and government bodies:

Personal data will be released to all those recipients to whom such information must be disclosed by Group entities, in compliance with legal obligations, including, but not limited to, competent public bodies and administrations, such as the Spanish Tax Administration Agency or regional tax authorities, personal data protection control authorities, courts and tribunals, supervisory bodies, the Public Prosecutor's Office and/or State security forces and bodies.

(iv) Common credit information systems:

Group entities are entitled to view and process data regarding failure to comply with monetary, financial or credit obligations, through common credit information systems and any other system that enables them to assess solvency, for prior analysis and maintenance of the contractual relationship and to monitor its progress.  

(v) If the customer has taken out a vehicle insurance policy:

In accordance with current legislation, the insurance entity in the Group will provide the habitual driver insured under the policy with information on sanctions, if any, published in his or her name on current or future certified websites, complying at all times with current legislation on personal data protection.

Said insurance entity shall use data belonging to the Vehicle Investigation Institute in the centre of Zaragoza (Instituto de Investigación sobre Vehículos S.A) to identify the vehicle's registration and chassis number and all technical and administrative characteristics of the vehicle covered in the insurance policy.

The Group entity through which the car insurance policy has been taken out, as jointly responsible for data processing, will provide, if applicable, the following details regarding the policy to the insurance sector common information systems:

a)    historical data of policies and claims registered in the Car Insurance History File, the purpose of which is to provide rigorous and contrasted information on claims data at the time the contract is signed by pooling the information obtained through policies and claims over the previous five years, in accordance with the terms set out in the Civil Liability and Motor Vehicle Insurance Act.

b)    historical data on the number of claims related to your insurance or claims in which you have been involved registered in the Total Loss, Theft and Fire File, the purpose of which is to facilitate the automated identification of possible irregular situations and risks of fraud, cooperate with law enforcement agencies, facilitating the investigation of possible theft and fraud offences, among others, related to the insured motor vehicles, and cooperate with Centro Zaragoza, law enforcement agencies, the Directorate General for Traffic and the insurance company affected in the identification and location of stolen vehicles and vehicles that have received compensation. 

To exercise your data protection rights in relation to either Historical Car Insurance Information Systems or Information on Automobiles on Write-offs, Theft and Fire, please contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3 Las Rozas 28231 Madrid. 

You can find the rest of the data protection information on the information systems for the insurance sector on the Union of Insurance and Reinsurance Companies (UNESPA) (www.unespa.es) and TIREA (www.tirea.es) websites.

(vi) In the case of multi-risk home, store, business, owner's community, SME, industry or civil liability insurance policies and/or other policies in the general category:

The Group insurance entity with which the general insurance policy has been taken out will report, as appropriate, data on claims involving your insurance and/or your claims to the Fraud Management System for General Insurance Policies, which includes the policy purchased by you and any claim involving you, the insuring entity being the joint controller of said System. Its purpose is to prevent and detect fraud by either warning the insurer once the policy is issued, or by detecting the fraud committed in the declared claims. Its purpose is also to cooperate with national, regional and local law enforcement agencies by facilitating the investigation of possible theft and fraud offences, among others, related to the insured property.

To exercise your data protection rights in relation to any of these Fraud Prevention Systems in General Insurance Policies, please contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3 Las Rozas 28231 Madrid.

You can find the rest of the data protection information on the information systems for the insurance sector on the Union of Insurance and Reinsurance Companies (UNESPA) (www.unespa.es) and TIREA (www.tirea.es) websites.

(vii) In the case of life, accident, health, illness or death insurance or any other insurance in connection with which we request or manage data on your health:

Your personal data may be disclosed to the aforementioned partners and service providers of the Group insurance entity, who will act as data processors on behalf of the entity.
In addition, and specifically, if you are a holder of:

(a)    a life insurance policy with death benefit and/or an accident insurance policy covering the contingency of the insured person's death, whether individual or collective policies, in compliance with current legislation, your personal data will be disclosed to the public insurance register of contracts with death benefit dependent on the Ministry of Justice or the one that may replace it in the future, as the case may be.

(b)    a health or healthcare insurance policy, in which case your personal data, including health data, may be disclosed between the Group insurance company and doctors, health centres, hospitals or other institutions or persons, so that healthcare can be provided, developed and monitored, the reimbursements or compensation stipulated in the insurance contract can be paid, and information from said providers can be requested or verified regarding the medical background of the data subject and the reasons that justify any benefits, reimbursements or compensation, and, where applicable, expenses can be recovered. Specifically, in the case of healthcare insurance, in order to inform the policyholder of the collection of each co-payment, the insurance Entity may communicate to the policyholder the details of the medical services used by each insured person of the policy, including the healthcare and professional centres they have visited and/or the tests each insured person has taken.

(viii) If you have taken out a pension plan:

Your personal data may be exchanged between the Managing Entity, the Depositary and the Promoter and/or Marketing Entity of such social welfare products.

Likewise, in the case of asking to demonstrate vested rights from the Managing Entity or target insurance company, the client must present this demonstration request and an authorization to the Managing Entity or target insurance company so that, in their name, the source fund Managing Entity may be asked to demonstrate such vested rights, in addition to all financial and fiscal data needed in the process.

(ix) If you have subscribed to participations in any investment fund marketed and/or managed by GCO:

Your personal data may be exchanged between the Managing Entity, the Depositary and the corresponding Marketing Entity of the said investment funds.

What are your rights when you provide your personal data?

As the data subject, you have the rights set out below, which you may exercise by verifying your identity in the way explained in the section “Who is the Data Protection Officer?” above:

(i)    Right of access. You can obtain confirmation from the Group entity responsible for processing your personal data as to whether it is processing said data and, if so, you have the right to access the data and information on the use being made of them, and obtain a copy of them in a structured, commonly used format that is easy to read.

(ii)    Right of rectification. You may request the rectification of personal data that is inaccurate, and, where incomplete, you have the right to request that such data be correctly filled in, including an additional declaration where necessary.

(iii)    Right of erasure. You may request that your personal data be erased when they are no longer needed for the purposes for which they were collected by the Group entity responsible for processing them, or if you withdraw the consent on which such processing is based. The request shall not be applicable when the processing is required on the basis of the provisions included in the section “What is the legal basis for processing your personal data?” above.

In this respect, if you exercise your right to be forgotten, the corresponding Group entity will contact the internet service provider to transmit your request to discontinue the processing of personal data that concern them, taking into account the technology available and the cost of using it. In this case, only data required for the formulation and exercise of claims and the entity's defence against them will be retained by the data controller. The request shall not be applicable when the processing is required on the basis of the provisions included in the section “What is the legal basis for processing your personal data?” above, whether the processing is required to exercise the right of freedom of expression and information or on grounds of public interest.

(iv)    Right to object. You may object to your personal data being processed, unless the Group entity responsible for such processing, after a balancing test, has a legitimate interest in continuing to do so. In this case only data required for the formulation and exercise of claims and the entity's defence against them will be retained by the data controller. The processing of personal data for commercial or advertising purposes shall not be considered legitimate and therefore the right to object shall be deemed equivalent to the withdrawal of given prior consent. Such a request shall not be applicable when processing is required on the grounds of what is stipulated in the paragraph "What is the legal basis for processing your personal data?" above.

(v)    Right to restrict processing. You may request the processing of your personal data be restricted, which may involve your data being blocked in the following circumstances: (i) when you challenge data accuracy, (ii) when the data controller objects to data deletion in the event of lawful processing, (iii) when the controller no longer needs the data but they are needed to make, exercise rights to or defend claims or, (iv) when you have objected to processing, whilst the controller verifies whether your legitimate reasons prevail over theirs; in this case they shall only be held by controller to draw up, exercise or defend claims.

(vi)    Right to data portability. Where technically possible, you may request that relevant personal data subject to automated processing be transmitted to another controller, or to yourself as data subject, in a structured, commonly used and easy to read format, and without detriment to your rights of erasure or to be forgotten, in which case such data will only be stored by the data controller for the purpose of formulating, exercising or defending claims.  

Any communications and actions performed in the context of exercising your rights shall be free of charge. Where necessary due to the complexity and number of requests, pursuant to the Data Protection Regulations the one-month response period may be extended for a further two months and the data subject will be informed of this by the Group entity data controller. However, if the customer's requests are manifestly unfounded or excessive, especially when they are of a repetitive nature, the Group entity data controller may charge a reasonable fee according to the expenses incurred to deal with the request.

In this context, the rights of access to and, where applicable, rectification or erasure of the data of a deceased person may be exercised by the people related to the deceased by family or as common-law partner and the heirs, persons or institutions expressly designated for this purpose, subject to proof of such status, the validity and effectiveness of the mandates and instructions and, where necessary, registration of them unless the deceased has expressly forbidden it or it is thus stipulated by law.

In the case of the death of minors, these powers may also be exercised by their legal representatives or, within the framework of its authority, by the Public Prosecutor's Office, which may act ex officio or at the request of any interested individual or legal entity. Likewise, in the event of the death of persons with disabilities, these powers may also be exercised, in addition to those mentioned in the previous paragraph, by anyone designated for the exercise of support functions, if such powers are considered to be included in the support measures provided by the designated person.

Confidentiality of personal data

From the first moment it initiates data processing, the Group entity acting as data controller and/or data processor will implement the technical, organisational and security measures necessary, considering the current state of technology, to guarantee the confidentiality, integrity, availability and resilience of data, preventing their loss or alteration and unauthorised access and processing.

We hereby inform you that the computer servers used by some Group service providers may be located in countries outside the European Union, where, if the level of privacy protection were not equivalent to European or national Data Protection Regulations, because the European Commission has not confirmed their adaptation, the corresponding Group entity will adopt appropriate measures, as envisaged in the Data Protection Regulations for transfers to third countries and international organisations, with the exception of certain situations expressly provided for, in order to ensure that the level of protection of the interested parties is not diminished, as well as appropriate and necessary measures to effectively safeguard the rights of said parties and the security of information, in accordance with the technical measures available at any time.  

When users are browsing the official websites of Group entities, this Policy is always available to them for information purposes, as is the GCO Cookie Policy, which conforms to the Guide to the Use of Cookies issued by the control authority. Users can manage and customise their preferences regarding the use of cookies at any time.

Validity of the Policy

GCO declares that this Policy published for information purposes on the www.gco.com website will be the valid version at any given time and reserves the right to modify it without prior notice whenever necessary. Group entity customers can view the latest updated version of the Policy at any time on their official websites and, should they also wish to access previous versions, they may contact the corresponding Data Protection Officer, as indicated in the Annex to the Policy. 

Copyright

GCO reserves all rights regarding the content of this Policy. The reproduction, distribution, transformation, handling, public communication or any other kind of total or partial use, free of charge or in return for a consideration, of this document is strictly forbidden without written authorisation. 

Latest update to the Policy: version 9, approved on 12 June 2025. 

Annex: Companies comprising GCO for the purposes of this Privacy Policy