Privacy Policy
The protection of fundamental rights and freedoms, and in particular, the protection of individuals with regard to the processing of personal data, is one of the basic principles of action of Grupo Catalana Occidente (hereinafter, interchangeably, “GCO” or the “Group”), as set out in its Code of Ethics, in compliance with the law and its corporate governance system.
The purpose of this GCO privacy policy (hereinafter, the “Policy”) is to inform concisely and transparently, in clear and simple language, in accordance with Regulation (EU) 2016/679 General Data Protection Regulation, Organic Law 3/2018 of December 5 on the Protection of Personal Data and Guarantee of Digital Rights, and its implementing regulations in force at any time (hereinafter, the “Personal Data Protection Regulations”), how the entities that make up the Group will process the personal data that may be collected from their clients (as defined below).
The Data Protection Officer is the person appointed by the entities that make up the Group to ensure compliance with the Personal Data Protection Regulations. You may contact this person, especially if you believe your data protection rights and freedoms have not been respected, via the postal or email address indicated as contact details in the Annex at the end of this Policy, which are also published in the Register of Data Protection Officers of the Spanish Data Protection Agency.
The supervisory authority is the Spanish Data Protection Agency, located in Madrid (28001), Calle Jorge Juan, no. 6, as an independent public authority responsible for safeguarding the privacy and data protection of citizens. You may submit queries and/or complaints to this authority if you believe your data protection rights and freedoms have not been properly addressed by the relevant Group Entity. For more information, you can consult the following website: www.agpd.es.
All personal data provided directly by the data subject, or obtained through an insurance distributor, marketer, or collaborator, including documents containing such data, and those obtained through the recording of telephone conversations or as a result of browsing the Group’s websites or other communication channels, including, where applicable, biometric and geolocation data, before, during, and after the formalization of a request, pre-contract, contract, or service related to any products and/or services marketed by the Group Entities, as required for the study, issuance, development, and/or execution of the contractual relationship or arising therefrom between the parties, will be processed.
For these purposes, the term “client” includes any interested party who is: an applicant for a product, service, or information; policyholder; insured; beneficiary; claimant or third party affected by a claim; participant; member; subscriber; heir; mortgage debtor; promissory note investor; and/or any third party with a contractual or service relationship with a Group Entity.
If personal data are provided by someone other than the data subject, the provider is responsible for previously informing the data subject and obtaining their consent when necessary for processing by the relevant Group Entity.
Such personal data may also be supplemented, in accordance with the requirements of the Personal Data Protection Regulations, by other data obtained from Group providers, as well as by personal data that the data subject has made manifestly public.
As a general rule, personal data of minors will only be processed when their parents or legal guardians have given consent for processing necessary for the execution of the relevant contract or service with the corresponding Group Entity, in compliance with a legal obligation and/or in legitimate interest, in the latter case after the corresponding balancing test by the Group Entity responsible for processing; without prejudice to the exercise of the rights recognized by the Personal Data Protection Regulations regarding the protection of their personal data.
In general, the categories of personal data processed in the issuance of an offer, pre-contract, or contract will refer to the data subject’s identifying data, contact details, as well as those relating to their personal characteristics and/or social circumstances, and any others that may be necessary for execution.
Specifically: (i) in the case of life, accident, health, and/or funeral insurance policies, data relating to the policyholder’s and/or insured’s profession or activity, as well as, if necessary, health data of the insured, will also be processed; (ii) in the case of investment funds, data relating to the policyholder’s and/or insured’s profession or activity, as well as the categories of data necessary for suitability and appropriateness tests, will also be processed.
Finally, in contact forms made available to the public by the Group Entities, once prior information has been provided with reference to this Policy, the identifying and contact data necessary to establish the requested contact will be processed.
(I) Main purpose
The main purpose of processing personal data is the study, issuance, development, and/or execution of the pre-contract, contract, relationship, or service that may be entered into with the relevant Group Entity and to effectively comply with the obligations established in the regulations applicable at any time to the Group Entity responsible for processing.
(II) Other purposes:
Personal data will be processed for the purpose of rating and selecting risks and managing subsequent requests related to the risks to be contracted. This processing may include, if necessary, profiling and/or automated decision-making, in accordance with this Policy.
Likewise, personal data will be processed for the purposes of fraud prevention and detection, including consultation and communication with common information systems in the insurance sector; for compliance by the relevant Group Entity with legal obligations arising from the Law on Civil Liability and Motor Vehicle Insurance and/or the Law on the Regulation, Supervision, and Solvency of Insurance and Reinsurance Entities; as well as for the prevention of money laundering and terrorist financing, for compliance by the obligated Group Entities with legal obligations and the adoption of due diligence measures under the Law on the Prevention of Money Laundering and Terrorist Financing and its implementing regulations.
Additionally, in the context of managing requests and/or any contracts and services issued by one of the Group Entities, the responsible Entity may process your personal data to assess your financial solvency, including consultation and communication with common and/or credit information systems, as well as conducting statistical, quality, and technical studies, including satisfaction surveys, loyalty programs, market analysis and research, and service quality studies.
Furthermore, in the case of insurance products and in accordance with current regulations, personal data may be processed for the management of coinsurance and reinsurance. Data communication in such cases will be carried out in compliance with a legal obligation, in execution of the contract, or in legitimate interest, in the latter case after the corresponding balancing test by the Group Entity responsible for processing.
Finally, regarding contact forms, phone numbers, email addresses, and social media profiles that may be made available by the various Group Entities, we will process your data to (i) address and manage suggestions, requests, queries, and/or complaints you make through them; and (ii) manage CVs you provide for recruitment processes of the Group Entities.
(III) Automated decisions including profiling:
Some personal data processing necessary for the conclusion or execution of the contract may require automated decision-making and/or profiling. This means that certain decisions may be made automatically without human intervention, and in such cases, the data subject always has the right to: (i) request a review of the results by a person, (ii) express their point of view, and (iii) contest the decision; in accordance with the Personal Data Protection Regulations.
Likewise, the potential use of artificial intelligence will always comply with the general principles and values of GCO’s Code of Ethics, which inspire the operation and actions of the Entities that comprise it, especially respect for privacy and the right to personal data protection, and will take into account the guidelines of the document on ethical use of artificial intelligence in the insurance sector prepared by the Spanish Union of Insurance and Reinsurance Entities (UNESPA), and the report of the Consultative Expert Group of the European Insurance and Occupational Pensions Authority (EIOPA) on AI governance principles: towards ethical and reliable AI in the European insurance sector.
Furthermore, in personal data processing for the prevention of fraud and/or money laundering and terrorist financing mentioned above, profiling is legally based on compliance with a legal obligation of the Group Entity responsible for processing.
(IV) Advertising purposes:
Additionally, if the data subject authorizes it, personal data will also be processed to: (i) carry out commercial actions and send information, including by remote communication means, about other products and services, general or personalized, whether their own or those of other Group Entities to which the controller belongs, identified in the final Annex of this Policy and/or on the website www.gco.com; (ii) show you personalized advertising on websites, search engines, and social networks; and (iii) offer participation in promotional contests; all even after the termination of your contractual or service relationship with the Group Entity responsible for processing. In any of the cases mentioned, the adaptation of products and services to your particular profile may be carried out based on behavioral and risk profile analysis, considering both internal and third-party sources, geolocation information, as well as your browsing on the internet or social networks.
The legal basis for the processing activities described as the main purpose above is, as a matter of law, the development of the offer and, where applicable, the execution of the contract or service entered into with the Group Entity responsible for the processing.
Processing for the other purposes described above, and for automated decision-making, is based on the applicable regulations or on legitimate interest, in the latter case after the appropriate balancing test by each Group Entity responsible for the processing.
Specifically, the processing of personal data for the purpose of preventing and combating fraud, money laundering, and terrorist financing is based on the applicable regulations, and the processing for the purpose of developing customer loyalty programs is based on legitimate interest, following the aforementioned analysis carried out by the Group Entity responsible for the processing.
Finally, the processing of personal data for advertising purposes is, where applicable, legitimized by the specific consent given by the data subject.
Personal data will be retained for as long as the relationship with the Group Entity with which the contract or service has been entered into, or the relationship has been established, remains in force.
Once this relationship has ended, such data will be retained for the period required by the regulations applicable at any given time, remaining available to courts and tribunals, the Public Prosecutor’s Office, law enforcement agencies, and/or the competent public administrations, in particular the data protection supervisory authorities and the corresponding supervisory bodies, for the purpose of addressing any possible legal or contractual liabilities arising from the contract or service on which the processing was based, and for the duration of the limitation period for such liabilities.
As a general rule, any business-related documentation and information must be retained by any business owner for at least six years after the end of the relationship, unless otherwise provided by general or special provisions, in accordance with the provisions of the Commercial Code.
Specifically, and in accordance with the Law on the Prevention of Money Laundering and Terrorist Financing, in the area of life and investment insurance, obligated parties must retain, for a period of ten years after the end of the relationship, the documentation that formalizes compliance with the due diligence obligations established in the aforementioned law.
Furthermore, specifically, requests or proposals that do not result in a contract or service, regardless of the reason, will be retained for the period necessary to ensure the purpose of combating fraud in contracting and preventing money laundering and terrorist financing.
The guidelines on retention, deletion, and blocking periods for personal data, for application by the Group Entity responsible for processing, are set out in the internal regulations on the retention, deletion, and blocking of personal data, as a development of GCO’s personal data protection policy and use of ICT resources, and may be consulted by the data subject through the Data Protection Officer.
(i) GCO Entities:
The client’s personal data, their contract or service, and any information derived from or linked to them, may be disclosed to the entities belonging to the Group identified in the final Annex of this Policy and/or on the website www.gco.com, for the purpose of complying with the regulations applicable to each entity, and, in general terms, for combating fraud and preventing money laundering and terrorist financing, as well as, where applicable, for the purpose of maintaining and managing their relationship with the various Group Entities in an integrated and centralized manner.
We also specifically inform you that the Group Entities share, to varying degrees, common services in order to leverage existing synergies, optimize resources, and offer better service to clients. For this reason, they have entered into various framework agreements for the reciprocal provision of services, which involve access to personal data managed by other Group Entities, and which cover various service provisions, including, by way of example and not limitation, the following:
- a) Services provided to Group Entities by Grupo Catalana Occidente, Tecnología y Servicios A.I.E.: (i) data hosting and storage, (ii) maintenance and management of systems, communications, and IT equipment, (iii) information security and the systems supporting it, (iv) development and maintenance of IT applications, (v) claims processing services, (vi) reporting of information related to the services provided, (vii) maintenance and management of attendance control systems, security systems, and video surveillance, and (viii) management, custody, and archiving of documents, printing, and labeling.
- b) Services provided to Group Entities by Grupo Catalana Occidente Contact Center A.I.E.: (i) customer service through any means, including remote means such as telephone, email, internet, instant messaging, and/or social networks, and (ii) conducting satisfaction campaigns and surveys.
- c) Services provided to Group Entities by Prepersa Peritación de Seguros y Prevención A.I.E.: collaboration in the management of claims associated with insurance policies through its network of collaborators.
(ii) Other Entities:
Personal data may also be disclosed to various collaborators and service providers of any of the Group Entities responsible for processing, such as, by way of example and not limitation: insurance distributors, co-insurers, reinsurers, claims adjusters and investigators, lawyers and solicitors, auditors, consultants, medical professionals and health evaluators, financial entities, depositaries, management entities, and other providers and professionals, who will process the personal data as data processors on behalf of and for the account of the corresponding Group Entity responsible, for the purpose of ensuring the services provided by said controller in the execution of the contract or service, complying with obligations arising from applicable regulations, in legitimate interest after the balancing test and/or in accordance with the consent given, where applicable.
In any of the cases described, we inform you that the IT servers of such service providers may be located in countries outside the European Union, where, if the level of privacy protection is not equivalent to that of the Personal Data Protection Regulations, due to the absence of an adequacy decision by the European Commission, the corresponding Group Entity responsible for processing will adopt the appropriate safeguards provided for in the Personal Data Protection Regulations for transfers to third countries and international organizations, with exceptions for specific situations expressly provided for, in order to ensure that the level of protection for data subjects is not undermined, as well as the appropriate and necessary measures for the best protection of the rights of data subjects and information security, based on the technical measures available at any given time.
(iii) Public bodies and authorities:
Personal data will be provided to all those recipients to whom any of the Group Entities are required to communicate such information in compliance with legal obligations, including, by way of example and not limitation, competent public bodies and administrations, such as the Spanish Tax Agency or regional tax authorities, data protection supervisory authorities, courts and tribunals, corresponding supervisory bodies, the Public Prosecutor’s Office, and/or law enforcement agencies.
(iv) Common credit information systems:
The Group Entities have the right to consult and process data relating to non-compliance with monetary, financial, or credit obligations, when they need to assess the economic solvency of the data subject, through common credit information systems, as well as any other system that allows an assessment of the data subject’s solvency, for prior analysis, maintenance, and control of the development of the contractual relationship.
(v) If you have contracted a motor vehicle insurance policy:
The Group’s insurance entities, in accordance with current legal regulations, will provide the regular driver covered by the insurance policy with information about any penalties that may be published in their name on current or future certified websites, always complying with current data protection legislation.
The insurance entity will use the vehicle’s registration number to consult, through the services owned by the Instituto de Investigación sobre Vehículos S.A. (Centro Zaragoza), the chassis number and all technical and administrative characteristics of the insured vehicle.
The Group Insurance Entity with which you have contracted the motor vehicle insurance policy, as joint controller, will, where applicable, communicate the following data related to your insurance to the common information systems of the insurance sector indicated below:
- a) The historical data of policies and claims to the Historical Information System of Motor Vehicle Insurance, whose purpose is to provide, at the time of contract subscription, rigorous and verified information on claims data by pooling information obtained through policies and claims from the last five years, as set out in the Law on Civil Liability and Motor Vehicle Insurance.
- b) The historical data on the number of claims related to your insurance or claims in which you have been involved to the Total Loss, Theft, and Fire Motor Vehicle Information System, whose purpose is to facilitate the automated identification of possible anomalies and fraud risks, cooperate with law enforcement agencies by facilitating the investigation of possible theft and fraud crimes, among others, related to insured motor vehicles; and cooperate with Centro Zaragoza, law enforcement agencies, the Directorate General of Traffic, and the affected insurance entity in identifying and locating stolen and compensated vehicles.
To exercise data protection rights in relation to either of these two systems, you may contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3, Las Rozas 28231 Madrid.
You can find further information on data protection regarding the common information systems of the insurance sector on the websites of the Spanish Union of Insurance and Reinsurance Entities (UNESPA) (www.unespa.es) and TIREA (www.tirea.es).
(vi) If you have contracted a multi-risk insurance policy for home, business, office, community, SME, industry, civil liability, and/or other types of miscellaneous insurance:
The Group Insurance Entity with which you have contracted the miscellaneous insurance policy will, where applicable, communicate claims data related to your insurance and/or your claim to the Fraud Prevention Information System for Miscellaneous Insurance, including the insurance you have contracted or the claim in which you have been involved, acting as joint controller of the aforementioned System. Its purpose is the prevention and detection of fraud, either by preventing fraud once the policy has been issued or by detecting fraud already committed in declared claims. Likewise, its purpose is to cooperate with law enforcement agencies to facilitate the investigation of possible crimes such as theft and fraud, among others, related to the insured assets.
To exercise your data protection rights in relation to the Fraud Prevention Information System for Miscellaneous Insurance, you may contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3, Las Rozas 28231 Madrid.
You can find further information on data protection regarding the common information systems of the insurance sector on the websites of UNESPA (www.unespa.es) and TIREA (www.tirea.es).
(vii) If you have contracted a life, accident, health, medical assistance, funeral, or any other insurance policy through which we request or manage health data:
Your personal data may be communicated to the various collaborators and service providers of the corresponding Group Insurance Entity mentioned above, who will process the personal data as data processors on behalf of the said Insurance Entity.
Furthermore, and specifically, if you are the holder:
- (a) of a life insurance policy with death coverage and/or an accident insurance policy covering the contingency of the insured’s death, whether individual or group policies, in compliance with current regulations, your personal data will be communicated to the public registry of death coverage insurance contracts under the Ministry of Justice or any entity that may replace it in the future.
- (b) of a health or medical assistance insurance policy, your personal data, including health data, may be communicated between the corresponding Group Insurance Entity and doctors, health centers, hospitals, or other institutions or persons, for the purpose of fulfilling, developing, controlling, and executing the healthcare service, reimbursement, or compensation guaranteed in the insurance contract, and to request or verify from such healthcare providers the causes and medical history of the data subject that justify the services, reimbursements, or compensations and, where appropriate, to recover expenses. Specifically, in the case of medical assistance insurance, for the purpose of informing the policyholder about the charge for each copayment, the Insurance Entity may communicate to the policyholder the data on the medical services used by each insured person under the policy, including the healthcare centers and professionals visited and/or the list of tests undergone by each insured person.
(viii) If you have contracted a social welfare product:
Your personal data may be communicated among the managing entity, the depository entity, and the promoting and/or marketing entity of such social welfare products.
Furthermore, if you request the transfer of consolidated rights to the managing entity or destination insurer, you must submit the transfer request and an authorization to the managing entity or destination insurer so that, on your behalf, it may request from the original managing entity or insurer the transfer of the aforementioned consolidated rights, as well as all financial and tax information necessary to carry it out.
(ix) If you hold shares in any of the investment funds marketed and/or managed by GCO:
Your personal data may be communicated among the managing entity, the depository entity, and the corresponding marketing entity of such investment funds.
As the owner of your personal data, you have the following rights, which you may exercise by identifying yourself as indicated in the section “Who is the Data Protection Officer?” above:
(i) Right of access.
You may obtain confirmation from the Group Entity responsible for processing as to whether or not personal data concerning you are being processed and, if so, the right to access such data and information about the processing activities, as well as to obtain a copy of the data in a structured, commonly used, and machine-readable format.
(ii) Right to rectification.
You may request the rectification of inaccurate personal data and also have the right to request that incomplete personal data be completed, including by means of an additional statement.
(iii) Right to erasure.
You may request the erasure of your personal data when they are no longer necessary for the purposes for which they were collected by the Group Entity responsible for processing, or when you withdraw the consent on which the processing is based. This request will not apply when the processing is necessary as indicated in the section “What is the legal basis for the processing of personal data?” above. In this regard, in the digital environment of any of the Group Entities, if you exercise your right to be forgotten, the corresponding Entity will contact the internet service provider to forward your request regarding the cessation of processing of your personal data, taking into account the available technology and the cost of implementation, in which case the data will only be retained by the controller for the establishment, exercise, or defense of legal claims. This request will not apply when the processing is necessary as indicated in the section “What is the legal basis for the processing of personal data?” above, or when the processing is necessary for the exercise of the right to freedom of expression and information or for reasons of public interest.
(iv) Right to object.
You may object to the processing of your personal data, unless there are legitimate grounds, after the balancing test by the Group Entity responsible for continuing the processing, in which case the data will only be retained by the controller for the establishment, exercise, or defense of legal claims. The processing of personal data for commercial or advertising purposes will not be considered legitimate, and therefore the right to object will be equivalent to the withdrawal of previously given consent. This request will not apply when the processing is necessary as indicated in the section “What is the legal basis for the processing of personal data?” above.
(v) Right to restriction of processing.
You may request the restriction of the processing of your personal data, which may involve the blocking of data, in the following circumstances: (i) when you contest the accuracy of the data, (ii) when the controller opposes the erasure of data because the processing is lawful, (iii) when the controller no longer needs the data but they are required for the establishment, exercise, or defense of legal claims, or (iv) when you have objected to the processing, while the controller verifies whether the legitimate grounds of the controller override yours; in which case the data will only be retained by the controller for the establishment, exercise, or defense of legal claims.
(vi) Right to data portability.
Where technically feasible, you may request that personal data concerning you that are subject to automated processing be transmitted to another controller, or to you as the data subject, in a structured, commonly used, and machine-readable format, without prejudice to your rights to erasure or to be forgotten, in which case the data will only be retained by the controller for the establishment, exercise, or defense of legal claims.
All communications and any actions taken in the context of exercising your rights will be free of charge. When requests are manifestly unfounded or excessive, especially due to their repetitive nature, the Group Entity responsible for processing may charge a reasonable fee based on the costs incurred in handling your request.
The Group Entity responsible for and/or in charge of processing will, from the outset of processing, adopt the necessary technical, organizational, and security measures, taking into account the state of technology, to ensure the integrity, confidentiality, availability, and resilience of personal data, preventing their alteration, loss, unauthorized processing, or access.
We inform you that the IT servers of some Group service providers may be located in countries outside the European Union, where, if the level of privacy protection is not equivalent to that established in the Personal Data Protection Regulations, due to the absence of an adequacy decision by the European Commission, the corresponding Group Entity responsible for processing will adopt the appropriate safeguards provided for in the Personal Data Protection Regulations for transfers to third countries and international organizations, with exceptions for specific situations expressly provided for, in order to ensure that the level of protection for data subjects is not undermined, as well as the appropriate and necessary measures for the best protection of the rights of data subjects and information security, based on the technical measures available at any given time.
Regarding browsing the official websites of the Group Entities, the user always has this Privacy Policy available for informational purposes, as well as the GCO Cookie Policy adapted to the guidelines of the Guide on the use of cookies issued by the supervisory authority, and may at any time manage and customize their preferences regarding the use of cookies.
GCO states that the Privacy Policy published for informational purposes on the website www.gco.com will always be the current version, reserving the right to modify it to keep it updated at any time and without prior notice whenever necessary. A client of a Group Entity may always consult the latest updated version of the Policy on the corresponding official websites and, if they also wish to access previous versions, may contact the Data Protection Officer as indicated in the Annex to this Policy.
GCO reserves all rights relating to the content of this Policy. Without written authorization, the reproduction, distribution, transformation, manipulation, public communication, or any other act of total or partial exploitation, whether free of charge or for consideration, of this document is strictly prohibited.
Last update of the Policy: version 7a approved on December 13, 2023, effective as of January 1, 2024.