Who is the controller of your personal data?

BanSabadell Seguros Generales, S.A. de Seguros y Reaseguros

Registered office at c/ Isabel Colbrand 22, 28050 Madrid, Spain.

Tax ID No. A-64194590.

Registered in the Madrid Companies Register, Volume 36651, Book 0, Folio 117, Section 8, Page M657405, Entry 2, and in the Insurance Entities Register of the Directorate-General of Insurance and Pension Funds under code C-0767.

Data Protection Officer: DPO_BSSegurosGenerales@BSSeg.com.

How do we obtain your personal data?

BanSabadell Seguros Generales S.A. de Seguros y Reaseguros markets its products through its insurance intermediaries: BanSabadell Mediación S.L., banking/insurance operator affiliated with Grupo Banco Sabadell, and Sabadell Consumer Finance, S.A.U., exclusive banking/insurance operator.

At the time of taking out insurance policies, our intermediaries collect personal data directly from data subjects in the capacity of data controllers, through the Banco de Sabadell, S.A. distribution network.

What categories of personal data do we process?

In order to issue an insurance policy and keep it in force, we need to process your identification data, contact details, bank account details and all the information relating to the insured risk that is needed to correctly assess risk and determine pricing, which may depend on a wide range of personal, family, financial and property circumstances, in accordance with the risk in question.

In the case of health insurance, risk assessment requires the processing of the insured’s health data, which is collected by means of a health questionnaire, the completion of which is a legal obligation of the insured, pursuant to article 10 of the Insurance Contracts Act 50/1980 of 8 October. The processing of such specially protected data is covered by article 9 of the General Data Protection Regulation (EU), by express indication of article 9 of the Personal Data Protection and Guarantee of Digital Rights Act 3/2018, as it is necessary for the execution of an insurance contract to which the data subject is a party.

For the personnel selection processes, we need to process your identification and contact data, as well as your academic and professional information, among others, according to the needs of the candidacy to which you apply.

The personal data that you provide upon taking out your insurance policy and that is stored during the policy’s term will be processed for the following purposes:

1. To prepare, issue and manage your insurance contract, including assessing and pricing the insured risk at the time of execution and at each annual renewal, loss appraisal, benefit payments and the sending of necessary communications relating to your contract;

2. To register, process and respond to complaints and claims that you send us, if and when you have any;

3. To carry out the verification needed to detect and prevent money laundering and terrorist financing;

4. To carry out the verification needed to detect and prevent all types of insurance sector fraud; this may occasionally involve obtaining additional expert opinions, conducting private investigations or checking public registers, credit information systems or similar resources;

5. To engage in direct non-commercial electronic communication relating to your assessment of the company. Such communication may include satisfaction surveys to help us improve our services.

6. To carry out, directly or through our insurance intermediaries, commercial and/or advertising actions or communications, via electronic or any other means, in relation to products similar to those taken out. These actions may be for the purpose of informing you of services included in your policy, news, current promotions or other events;

7. To carry out, directly or through our insurance intermediaries, commercial and/or advertising actions or communications via electronic or any other means in relation to products of other insurance companies or pension plan managers within the Banco de Sabadell Group. These actions may be aimed at offering you insurance products or pension plans that are not offered directly by us, but by another of the Group’s companies, as well as informing you of news, current promotions or other events;

8. To include you as a participant in competitions, prize draws or other promotional activities, at your request and in compliance with any applicable regulations or rules that are announced.

9. To include you in the personnel selection process of the candidacy or candidacies in which you have decided to apply, as well as to carry out the management and resolution of it.

Will we process your personal data for profiling purposes?

Yes. Like all insurers, we need to create statistical-actuarial profiles in order to assess and price the insured risk when the policy is taken out and at each annual renewal, i.e. to determine your insurance premium and update it each year. These profiles are prepared using (i) information that you provide directly to us, (ii) the number, frequency and amounts of the claims reported during the policy’s lifetime, (iii) verifications carried out by us to assess the insured risk through external sources available to insurers (including: Equifax, Axesor, Centro Zaragoza, Instituto Nacional de Estadística [National Statistics Institute], Evalúa and Datathinx), (iv) the risk profile indicators assigned by Banco de Sabadell, S.A. and (v) the risk profile indicators assigned by the insurance companies of other branches and/or pension plan managers in which Banco de Sabadell, S.A.* has a controlling interest and with which it has taken out any insurance product or pension plan, if applicable. We only use data that are useful, relevant and necessary with regards to the aforementioned statistical/actuarial purposes. Furthermore, such data will always be subject to prior pseudonymisation and encryption techniques in order to guarantee data subjects’ privacy.

We also create marketing profiles in order to predict what other products, terms or benefits you may be interested in and/or that we may offer you, and to determine the best time to offer them to you, e.g. when you reach a certain age or when we detect any signs of displeasure or dissatisfaction with our service that we may be able to correct or make up for. These profiles are prepared using (i) information that you provide directly to us, (ii) the number, frequency and amounts of the claims reported during the policy’s lifetime, (ii) the number of products you have taken out with us and their performance and (iv) the risk profile indicators assigned by the insurance companies of other branches and/or pension plan managers in which Banco de Sabadell, S.A.* has a controlling interest and with which it has taken out an insurance product or pension plan. We only use data that are useful, relevant and necessary with regards to the aforementioned commercial purposes. Furthermore, such data will always be subject to prior pseudonymisation and encryption techniques in order to guarantee data subjects’ privacy.

How long will we store your personal data?

When you request an insurance policy simulation or quote, we will store your personal data for a maximum period of three (3) months to facilitate and speed up the process of formalising the insurance when you so decide, without prejudice to the price being updated at the time the product is actually taken out. In the case of insurance combined with a bank loan, we will extend this period until the bank grants you the loan. If you ultimately decide not to take out the insurance, we will delete your personal data within ten (10) days.

When you take out insurance or modify the contractual conditions by any means, we will store your personal data for the duration of your contractual relationship with us, and for a period of six (6) years following termination of the same [EEB1].

When you initiate or receive communication via telephone or other means (instant messaging), this communication will generally be recorded for the purpose of monitoring the quality of service and the recordings will be retained for a period of two (2) years.

When you respond to our evaluation surveys about your level of satisfaction with our services, we will store information about your responses for seven (7) years.

When you submit an application and we receive your CV, we will keep your data for the time strictly necessary for its management. Only if you are selected in the process, this data will be kept for a maximum period of two (2) years.

Throughout the storage period, we will implement appropriate security measures to prevent any risk of accidental destruction, loss, accidental modification or unauthorised access to your personal data. In compliance with article 32 of the Personal Data Protection Act 3/2018, near the end of the pre-determined storage period your personal data will be blocked and can only be used to answer to any potential liability in relation to the processing thereof.

The lawful bases for the aforementioned processing operations are as follows:

1. In order to prepare, issue and manage your insurance contract, the applicable lawful bases are the execution of the insurance contract to which you are a party or the application of the pre-contractual measures requested for this purpose, under the terms and within the limits set forth by the Insurance Contracts Act 50/1980 and the Organisation, Supervision and Solvency of Insurers and Reinsurers Act 20/2015 [article 6.1.b) of the General Data Protection Regulation (EU)];

2. In order to register, process and respond to the complaints and claims that you send us, the applicable lawful basis is compliance with the legal obligation applicable to us, as stated in article 97 of the Organisation, Supervision and Solvency of Insurers and Reinsurers Act 20/2015 [article 6.1.c) of the General Data Protection Regulation (EU)];

3. In order to carry out the verification needed to detect and prevent money laundering and terrorist financing, the applicable lawful basis is compliance with legal obligations applicable to us, derived from the Prevention of Money Laundering and Terrorist Financing Act 10/2010 [article 6.1.c) of the General Data Protection Regulation (EU)];

4. In order to carry out the verification needed to detect and prevent insurance sector fraud, the applicable lawful basis is our legitimate interest in complying with the provisions of the Organisation, Supervision and Solvency of Insurers and Reinsurers Act 20/2015, and to consequently enact measures to prevent, impede, identify, detect, report and remedy fraudulent conduct, which consists of the use of deception or concealment of information from the insurer in order to obtain an insurance policy that would not otherwise be issued or the payment of a claim that does not comply with [article 6.1.f) of the General Data Protection Regulation (EU)];

5. In order to conduct customer satisfaction surveys and a customer evaluation of the company, the lawful basis is our legitimate interest in building customer loyalty and improving our services [article 6.1.f) of the General Data Protection Regulation (EU)];

6. In order to carry out commercial and/or advertising actions or communications, including profiling for this purpose, the applicable lawful basis is our legitimate interest in building customer loyalty, ensuring that customers are satisfied with our services, and possibly offering them other products similar to those taken out that may be of interest to them [article 6.1.f) of the General Data Protection Regulation (EU)];

7. To carry out commercial and/or advertising actions or communications relating to products of other insurance companies or pension plan managers of the Banco de Sabadell Group, including the preparation of profiles for this purpose, the applicable lawful basis is the express, free, informed, unequivocal and specific consent that you give at the time you decide to participate in the data cycle [article 6.1.a) of the General Data Protection Regulation (EU)];

8. To include you as a participant in competitions, prize draws or other promotional activities, the applicable lawful basis is the consent you give at the time of applying for participation [article 6.1.a) of the General Data Protection Regulation (EU)].

9. To manage your candidacy for the Company's selection processes, the applicable legal basis is the execution of the pre-contractual measures necessary to achieve a labor contract [article 6.1.b) of the General Data Protection Regulation (EU) ].

In relation to profiling for statistical/actuarial purposes, the applicable lawful basis is the execution of the insurance contract to which you are a party or the application of the pre-contractual measures requested for these purposes, under the terms and within the limits stated in the Insurance Contracts Act 50/1980 and the Organisation, Supervision and Solvency of Insurers and Reinsurers Act 20/2015 [article 6.1.b) of the General Data Protection Regulation (EU)]. As an insurer, we have a duty to ensure that the premium rates we charge are sufficient, based on reasonable actuarial assumptions, to guarantee the solvency of our entity, and in particular to draw up adequate technical provisions, pursuant to article 94 of the Organisation, Supervision and Solvency of Insurers and Reinsurers Act 20/2015.

In relation to profiling for marketing purposes, the applicable lawful basis is our legitimate interest in keeping our customers loyal, ensuring that customers are satisfied with our services, and possibly offering them other products similar to those they have purchased and that may be of interest to them [article 6.1.f) of the General Data Protection Regulation (EU)]. We will only enrich these profiles with external sources, from the insurance companies in other areas and/or pension plan managers in which Banco de Sabadell, S.A.* has a controlling interest and with which you have taken out an insurance product or pension plan, when (a) you have given us your express, free, informed, unequivocal and specific consent to do so, which you may revoke at any time [article 6.1.a) of the General Data Protection Regulation (EU)], or when (b) you have expressly requested a service from us that requires it [article 6.1.b) of the General Data Protection Regulation (EU)].

Will we disclose your personal data to third parties?

The aforementioned processing operations require the disclosure of your personal data to:

· Competent public authorities and bodies, in compliance with the legal supervisory obligations provided for in the Organisation, Supervision and Solvency of Insurers and Reinsurers Act 20/2015 and other legal obligations relating to the duty to cooperate with the justice system and the State Administration, including the Directorate-General of Insurance and Pension Funds, SEPBLAC, the Spanish Tax Agency (Agencia Tributaria), the State Security Forces and Agencies as well as Courts and Tribunals.

· Other group or affiliated companies, in various circumstances:

o We may need to share information about your insurance policy and claims experience with other entities in our corporate group in order to comply with the legal supervisory obligations set out in the Organisation, Supervision and Solvency of Insurers and Reinsurers Act 20/2015.

o We will share your risk profile indicator with the insurance companies of other branches and/or pension plan managers in which Banco de Sabadell, S.A.* has a controlling interest and with which you have also taken out an insurance product or pension plan, if applicable. They will use the profile to determine your insurance premium and update it each year with a greater degree of precision and better guarantees, based on their own legitimate interests and those of the other insurance companies of other branches and pension plan managers of Banco de Sabadell, S.A.* This entails complying with article 94 of the Organisation, Supervision and Solvency of Insurers and Reinsurers Act 20/2015 and ensuring that the premium rates we charge are sufficient, according to reasonable actuarial assumptions, to guarantee the solvency of our entity, and in particular to draw up suitable technical provisions.

o We may also share your risk profile indicator with the entities mentioned in the previous paragraph to enable them to, at the appropriate time, assess the possibility of offering you additional conditions or benefits that increase your level of satisfaction, provided that you have given us valid consent to do so or requested a service from us that makes it necessary.

· Entities in the insurance and reinsurance sector for the formalisation of their insurance contract (reinsurance and coinsurance entities), when so required by the policy taken out, in the terms and under the legal authorisation set out in the Organisation, Supervision and Solvency of Insurers and Reinsurers Act 20/2015.

Our DATA CONTROLLERS (agents, intermediaries and service providers) will also have access to your personal data. In the implementation of our corporate governance policies, we only work with data controllers with a proven record of compliance with prevailing data protection laws. This ensures that your personal data will never be processed from a country that does not offer a level of protection equivalent to European levels, either through contractual measures with the data controller, through the existence and verification of binding corporate rules or by means of other equivalent safeguards. We do not currently carry out international transfers of personal data outside the European Union.

We use the services of Medallia Inc., whose servers are located in the United States, to conduct satisfaction surveys and company evaluations.

As a result, the data necessary to conduct the surveys may be sent, stored and accessed from outside the European Economic Area (“EEA”). These transfers are carried out on the basis of the standard data protection clauses adopted by the European Data Protection Commission, the content of which ensures the confidentiality of the data transferred and legal compliance with data protection provisions [art. 46.2 d) of the European Data Protection Regulation (EU)].

What are your rights?

Data subjects may exercise the following rights at any time:

· Right of access. You can ask us to confirm whether or not we are processing your personal data, and if so you can get a copy of the data and full information about its processing.

· Right of rectification. You can request the correction of errors, the modification of inaccurate or incomplete data, and obtain a guarantee of the accuracy of information that is subject to processing.

· Right of erasure. You can request the cancellation or deletion of your data because their processing is unlawful or because the purpose for which they were processed or collected has ceased to exist.

· The right to object. You can object to the processing of your personal data for marketing purposes, including profiling for such purposes. In the case of processing operations based on a legitimate interest, data subjects also have the right to object to processing on grounds relating to a particular situation, provided that there are no compelling legitimate grounds for the processing or that the data are not necessary for the establishment, exercise or defence of claims.

· The right to restrict processing. You can request a suspension of processing if it is unlawful or if the accuracy of the data is contested.

· The right to portability. You can request a copy of your data in a structured, commonly used and machine-readable format for direct transmission to another insurer. This right is exclusive to the policyholder.

· The right to safeguards in automated individual decision-making. This right includes requiring human intervention, expressing your point of view and/or challenging decisions based solely on automated processing of your personal data, including profiling.

To exercise any of these rights, please contact our Data Protection Unit by emailing ProteccionDatos_BSSegurosGenerales@BSSeg.com. In order to process your petition without delay, it is recommended that you clearly state your identity (first name, surname/s and national identity card number) and the right/s you wish to exercise. The exercise of these rights is free of charge, except in the case of manifestly unfounded or excessive petitions for access, in which case we are legally entitled to charge a reasonable fee to cover the cost of processing your petition.

In addition, and in relation to the right of opposition, we inform you that any citizen may use the existing advertising exclusion systems to express their refusal or opposition to receiving commercial communications from any entity to which they have not given their express consent. For more information, please visit www.listarobinson.es.

Should you have any doubts or concerns relating to respect for your rights, you may contact us at any time and request the mediation of our Data Protection Officer, duly appointed before the Spanish Data Protection Agency for this duty, by emailing DPO_BSSegurosGenerales@BSSeg.com. In particular, you can ask our Data Protection Officer for more information about the weighting of the legitimate interest on which we have based a specific processing operation and/or the impact assessment we have previously carried out, where such processing gives rise to reasonable doubts in this respect.

We inform you that you may ultimately petition the Spanish Data Protection Agency to protect your rights or submit a claim on its website www.agpd.es, or at its head office located at c/ Jorge Juan, 6 – 28001 Madrid (Spain).