Customer data protection policy
I. Data controller
The data controller of your personal data is MORA BANC GRUP, SA, whose registered address is at Avinguda Meritxell, 96 AD500 – Andorra la Vella, and that is filed with the Companies Registry of the Principality of Andorra under number 1828 (hereinafter, “MoraBanc” or the “Company”).
II. Data Protection Officer
You are hereby informed that MoraBanc has appointed a Data Protection Officer, who shall be the person responsible for supervising and enforcing compliance with the law on personal data protection (passed by Act 29/2021, of 28 October).
For any enquiries or requests that you may have about personal data protection, you may contact MoraBanc’s Data Protection Officer at the above address or at the following email address: email@example.com.
III. What personal data does MoraBanc process?
The personal data that we process includes any information you provide to us in the customer onboarding process or in any processes for engaging any of our products or services, in addition to any information that we have or have had access to during our contractual relationship with you, understood in the broadest sense, through any of our channels: branches, website, mobile app, chats, forms, online and telephone banking services.
Unless otherwise stated, all data collected shall be required as they are essential details for executing, maintaining, performing, complying with and/or monitoring our contractual relationship, which it would not be possible to establish should you fail to provide them.
We may also process the personal data of third parties (family members, guarantors, legal representatives, amongst others) for the sole purpose of handling our contractual relationship and the performance of all legal obligations. MoraBanc shall not process or disclose these data to third parties for purposes other than handling this contractual relationship.
Further details about the personal data that the Company processes are given in Schedule I.
IV. How does MoraBanc obtain your personal data?
In addition to the personal data that you provide to us, the Company may obtain information about its customers from external sources of information, including official journals and gazettes, public registries, rulings and decisions handed down by public bodies, lists of members of professional associations, files relating to information on the prevention of money laundering and the financing of terrorism, the Ministry of Taxes and Borders and the Andorran Social Security Fund (CASS), companies in the MoraBanc Group that may disclose data concerning the prevention of money laundering and the financing of terrorism, social media, public sources and the Internet, in addition to third-party businesses to which you have given your consent for the assignment of your personal data.
V. For what purpose and on what legitimate basis do we process your data?
1. Pre-contractual phase and information requests
- Processing associated with requests for information about products and services provided by MoraBanc, and pre-contractual matters:
|Purpose of data processing||Legitimate basis|
|In these cases, your personal data must be processed for contractual reasons and, should you object to this, you shall be told that the contract in question cannot be executed.||The enforcement of pre-contractual measures pursuant to section 6.1 b) of Act 29/2021 on Personal Data Protection|
|You may withdraw your consent at any time by writing an email to: firstname.lastname@example.org||Consent given pursuant to section 6.1.a) of Act 29/2021 on Personal Data Protection|
2. Contractual phase
- Processing associated with taking out products and services provided by MoraBanc:
|Purpose of data processing||Legitimate basis|
|In these cases, your personal data must be processed for contractual reasons and, should you object, you shall be told that the contract in question cannot be executed.||The execution of contracts pursuant to section 6.1 b) of Act 29/2021 on Personal Data Protection|
|MoraBanc must fulfil certain legal obligations for dealing with products and services requested that are taken out by customers, including, amongst others:
Actions related to: (i) checking the identity of natural persons and legal entities; (ii) checking the source of funds; (iii) monitoring transactions conducted by customers; and (iv) informing the authorities about domestic and international controls.
MoraBanc discloses all information related to the prevention of money laundering and the financing of terrorism to all the entities in its Group.
You are likewise hereby informed that the services for the prevention of money laundering and the financing of terrorism have been entrusted by MoraBanc to Mora Assegurances, SAU and Mora Gestió d’Actius, SAU. This therefore means that MoraBanc: (i) shall disclose all information that it deems relevant to Mora Assegurances, SAU and Mora Gestió d’Actius, SAU; and (ii) shall obtain information from third parties such as specialised data files or publicly available sources on the Internet about its account holders, joint account holders, legal representatives and beneficial owners.
All legal obligations shall remain in place and be performed by the Company even after the contractual relationship with its customers has terminated for as long as it is legally bound to do so.
The data processing that must be carried out in compliance with the various laws described is mandatory and, should you object to this, you are hereby informed that you may not enter into a contractual relationship with the Company.||Performance of a legal obligation pursuant to section 6.1.c) of Act 29/2021 on Personal Data Protection|
||Legitimate interest pursuant to section 6.1.f) of Act 29/2021 on Personal Data Protection|
||Consent given pursuant to section 6.1.a) of Act 29/2021, on Personal Data Protection|
Assessment of solvency and credit risk
Pursuant to the legal requirements discussed, the Company shall assess your solvency and credit risk. To do so, MoraBanc examines all of the information you have provided that it has on its records. NO scores are given nor are automated decisions taken for customers and NO information is obtained from third parties or from records on defaults on financial obligations in drawing up the credit risk assessment. As can be seen below, decisions are taken by a team appointed for this purpose.
|Information about the assessment of solvency and credit risk|
|Data categories used or that shall be used for this assessment||Identification details: forename, surname, passport or identity document, address, financial information and work details. This information may be obtained from the data subject or from searches on MoraBanc’s database or, in the case of Spanish companies, the Informa database. Neither external records on insolvency nor external registries are searched.|
|Why are these categories considered relevant?||There is no model that sets guidelines or points to assess specific risks, but, in the case of some campaigns, specific points may be used to decide whether or not a data subject fulfils the requirements to be granted a special offer.|
|How are decisions taken?||Based on the information it has been given, the Risk Department draws up a report that, depending on the amount involved, is submitted to the relevant Committee. The Committees are responsible for taking the final decision.|
|Anticipated results of this data processing||Once the assessment has been completed, it is decided whether or not a transaction can go ahead and the result passed on to the relevant bank manager.|
- Weighting of legitimate interest
In the case of data processed based on the Company’s legitimate interest as described above, the Company has examined the weighting between these legitimate interests and the rights of data subjects to ensure that all the safeguards required not to breach our customers’ rights in respect of personal data protection have been taken. The findings of this analysis are positive, based on the circumstances of each case examined to understand whether these safeguards were taken into account.
If you would like to learn more about the conclusions of the studies on the weighting of legitimate interest conducted by MoraBanc related to the data processing discussed in the above points in order to verify that your data protection rights have not been breached, you may ask the Data Protection Officer for them at the following email address: email@example.com.
- Data processed for marketing purposes
For marketing purposes, the Company may carry out the following actions:
|Purpose of data processing||Legitimate basis|
|Sending marketing messages via electronic media (email, SMS or similar electronic messaging) and making telephone calls regarding MoraBanc’s financial products and services.||Legitimate interest pursuant to section 6.1.f) of Act 29/2021 on Personal Data Protection|
|Sending marketing messages via electronic media (email, SMS or similar electronic messaging) and making telephone calls regarding third-party products and services such as those provided by Mora Assegurances, SAU and Mora Gestió d’Actius, SAU, and products provided by third-party companies with which MoraBanc has reached business agreements.||Consent given pursuant to section 6.1.a) of Act 29/2021, on Personal Data Protection|
|Your personal data shall be assigned to the following companies in the MoraBanc Group that belong to the insurance and investment service sectors so that they may carry out actions or send promotional marketing messages by way of telephone calls and electronic media (email, SMS or similar electronic messaging) of products that may match your profile:
– Mora Assegurances, SAU
– Mora Gestió d’Actius, SAU||Consent given pursuant to section 6.1.a) of Act 29/2021, on Personal Data Protection|
Creation of analytical models for drawing up marketing profiles
The Company hereby informs you that based on analytical models it may customise the range of products and services offered to you in line with your socio-economic background, past transactions, assets, risk profile and payment behaviour in order to match our product offering to your profile. In any event, these models are built using the Company’s internal information that you have provided to it or that has been obtained based on products taken out in the past and on your balances. NO information is obtained from third parties to draw up these profiles. A breakdown is given below of the significant information about these profiles:
|Information on the creation of analytical models for marketing purposes|
|Data categories used or that shall be used for creating the abovementioned models||Socio-demographic information (information about marital status, family, date of birth, place of birth, age, sex, nationality, place of residence), transactions with products (taken out, held, cancelled), salary, loans, credits, cards and information on their use, pension plans, retirement plans, balance of investments with the bank, insurance policies held with Mora Assegurances, SAU (health, sick pay and life insurance), complaints and claims and the reasons and dates lodged, scores given in satisfaction surveys, online and offline transactions, information about your cookies and your browsing history.|
|Why are these categories considered relevant?||Because they are made up of variables that are usually correlated with buying habits or the cancellation of a product.|
|How are the models drawn up?||By examining what customers have done in the past, we are able to predict what they will do in the future. MoraBanc is therefore able to address them with relevant marketing campaigns.|
|Why is this model relevant for automated decision-making?||Because it helps prioritise customers and define what to offer to each of them, rather than offering everything to everyone.|
|Anticipated results of this data processing||After devising an analytical model, MoraBanc picks out the potential customers for each product. Thus, MoraBanc is able to contact these customers and offer them products most suited to their requirements. Therefore, communication channels are used with customers, whether through their branches, letters, telephone calls and electronic media such as emails, push notifications, SMS, ATMs and online banking accounts, or through specific notifications and banners.|
Finally, you may object or consent to your data being processed by ticking the boxes made available for this purpose that are found at the beginning of any contracts for engaging our products and services. In any event, you may consent or object to your data being processed at any time, by either following the procedure for doing so in each marketing message or by writing an email to firstname.lastname@example.org.
VI. Who will receive your personal data?
The Company shall only disclose its customers’ personal data to the following recipients or categories of recipients:
- Public bodies, domestic financial supervisory authorities, authorities responsible for the prevention of money laundering and the financing of terrorism, the Department of Taxes and Borders, the Andorran Social Security Fund (CASS), magistrates, judges and courts, law enforcement agencies and, in general, competent authorities, provided the Company is legally required to provide them with personal data.
- Authorities in other countries, pursuant to the regulations on taxes, the prevention of money laundering and the financing of terrorism, and the prevention of fraud.
- Entities in the MoraBanc Group, specifically, Mora Assegurances, SAU, with registered address at Plaça Coprínceps, 2 AD700 – Escaldes-Engordany, Principality of Andorra (business: life, accident, property, medical and civil liability insurance and reinsurance); and Mora Gestió d’Actius, SAU, with registered address at Carrer de l’Aigüeta, 3 AD500 – Andorra la Vella, Principality of Andorra (business: management of undertakings for collective investments, the discretionary and individual management of portfolios and advice on investments). They are responsible for the ongoing management of you as a MoraBanc customer and for updating your personal data, as well as for the prevention of fraud, money laundering and the financing of terrorism.
Your personal data shall only be disclosed to the Group companies mentioned in the above paragraph if you have given your consent to receiving marketing messages.
- Your personal data shall only be disclosed to Mora Gestió d’Actius, SAU or to any other similar asset management company so that the investment requested by you can be arranged.
- As a result of the transactions conducted, MoraBanc may disclose your personal data to other credit institutions, financial brokers and/or any other operator that acts or may act in the provision of banking and/or financial services, securities issuers, regulated markets, multilateral trading facilities, central clearing counterparties and securities clearing and settlement systems, whether domestic or foreign in all cases, in order to comply with the legal or regulatory obligations to which these operators are subject.
- In addition to the foregoing, the Company works with other third-party service providers that also have access to customers’ personal data and process them on behalf of the Company as a result of rendering these services. Specifically, the Company outsources the following services to third-party service providers, including, but not limited to, marketing and agency services, customer services, onboarding services, IT services, printing and processing correspondence, licensing services, software maintenance and development services, data storage services, management services, administrative services, record keeping and document digitisation services, legal and tax advice, consultancy, accounting, financial reporting, information management, auditing, quality assurance, transactions, video surveillance, IT and physical security, and cybersecurity. This therefore means that these companies may access personal data as data processors for which MoraBanc is the data controller.
The Company follows strict standards in the selection of service providers so that it fulfils its obligations in respect of personal data protection and it undertakes to execute the relevant data processing agreements pursuant to which it imposes, amongst others, the following obligations on them: they must implement suitable technical and organisational measures; process the personal data for the purposes agreed upon by only following the Company’s written instructions; and erase or return the data to the Company once the service provision has come to an end.
VII. Are there international transfers of personal data?
Certain third-party service providers listed in the previous point are located outside of the domestic territory, including in countries with data protection levels that are not comparable with those in Andorra or the EU.
Furthermore, as a result of transactions involving cheques, transfers, remittances, POS terminals, investment services, SWIFT payments, SEPA payments, correspondent bank orders and summons from foreign authorities, personal data may be transferred to countries outside of Andorra and the European Union that have not signed up to Convention 108 of the Council of Europe.
International data transfers that may be made as a consequence of the provision of the aforementioned services must fulfil the safeguards set forth in section 44 of Act 29/2021 on Personal Data Protection.
Should international transfers of personal data be made in the future, they shall be carried out based on these safeguards. In conducting its annual review of personal data protection, the Company also oversees international transfers of personal data. Should you require further information on the safeguards implemented for international transfers, you may write an email to the Company’s Data Protection Officer at email@example.com.
VIII. Storage period
MoraBanc must process your personal data throughout the term of our contractual relationship with you. On the termination of our contractual relationship, we shall only keep your personal data on record for the prescription periods set by the laws in force to which each of the contracts signed is subject (as a general rule, thirty (30) years once the obligations arising from a contract have terminated).
During the term that we keep your personal data on record due to legal obligations, they shall be locked. This means that these data shall be stored subject to the technical measures required to prevent their processing and shall only be disclosed to judicial bodies or public administrations that require this information. Once these terms have elapsed, MoraBanc shall erase the personal data.
IX. Personal data protection risk analysis
MoraBanc has conducted a number of personal data protection risk analyses of all the data processing described in this document. The matters analysed took into account aspects related to the processing of special categories of personal data; the volume of data; the processing of third-party data; the involvement of third parties in the data processing workflow; the assessment of the personal details of natural persons; asset management tasks; the engagement of third-party service providers; the assignment of data; the legitimate bases for data processing and the possibility of exercising rights related to the protection of the data subjects’ personal data, amongst others.
Following the analyses conducted, MoraBanc made assessments of the impact of the personal data protection measures set after the preliminary risk analyses conducted. You may request any additional information by writing an email to the Data Protection Officer at firstname.lastname@example.org.
X. Personal data protection rights
Pursuant to the regulations on personal data protection, you may exercise the following rights:
- Access. You may obtain information related to the processing of your personal data and a copy of them.
- Rectification. If you believe that your personal data are inaccurate or incomplete, you may request that they be modified.
- Erasure. You may demand that your personal data be erased, to the extent permitted by law.
- Restriction of processing. You may request that the processing of your personal data be restricted if: (i) you do not believe that your personal data are accurate; (ii) you consider that they are being unlawfully processed; (iii) you need your personal data to lodge or file a claim; or (iv) you wish to exercise your right of objection.
- Objection. You may object to your personal data being processed on grounds related to your personal circumstances. Data subjects are entitled, amongst others, to object to the processing of their personal data for marketing purposes, which includes the creation of analytical models related to this activity.
- Portability of personal data. Whenever legally and technically possible, you are entitled to request that we return the personal data that you have provided to us and, whenever technically possible, that they be transferred to a third party.
- Withdrawal of your consent. If you have given your consent for the processing of your personal data, you are entitled to withdraw it at any time.
You may exercise these rights by sending an email to email@example.com or a letter to MORA BANC GRUP, SA (for the attention of the Data Protection Officer), Avinguda Meritxell, 96 AD500 – Andorra la Vella, Principality of Andorra.
You must submit a copy of your passport or official identity document that identifies you in the event that this cannot be done using other means.
XI. Data protection claims
If you believe that your personal data rights have been breached, you may contact MoraBanc’s Data Protection Officer (firstname.lastname@example.org), who shall deal with your request and look into the best way to process your claim. In any event, you may submit a claim to the Andorran Data Protection Agency at https://www.apda.ad, which is the supervisory authority on these matters.
Schedule I. Personal data that MoraBanc may process
|Identification details||Forename and surname(s). Address (email and home). Passport or identity document. Handwritten and digital signature.|
|Personal details||Marital status. Date of birth. Place of birth.|
|Business information||Business activities. Subscriptions to publications. Artistic, literary and scientific output.|
|Transactions involving goods and services||Goods and services provided. Goods and services received. Details about products taken out, including bank, financial and transactional details. Compensation and indemnity.|
|Financial details||Bank details. Income, revenues, investments and property assets. Credits, loans and guarantors. Pension and retirement plans. Credit cards and details of their use. Details about card payments. Location of cash withdrawals and payments made. Payment system credentials. Details of debt.|
|Solvency and credit risk details||Products taken out. Financial information on these products and details on defaults.|
|Academic and work details||Education and qualifications. Employee and employment records. Non-financial salary details.|
|Social circumstances||Characteristics of housing/home. Properties and possessions. Interests and lifestyle. Membership of clubs and associations. Licences, permits and authorisations.|
|Contractual details||Details of claims, complaints and legal actions. Details about your preferences. Details of telephone conversations. Details of remarks by bank managers. Forms for obtaining information about money laundering and the financing of terrorism. Tests taken pursuant to Act 8/2013 on organisational requirements and operating conditions for institutions operating in the financial sector, investor protection, market abuse and financial collateral agreements, including any modifications made to date. Contractual terms and conditions of products taken out. Information obtained from interviews and forms.|
|Sensitive information||Information from criminal records arising from the obligations on the prevention of money laundering and the financing of terrorism. Information about possible fraud. Biometric details from your digital signature.|
|Details on the digital environment||User details and content related to digital interaction on devices enabled at any given time. IP address and information on Internet domains, geolocation, cookies, device identifiers, our apps and our social media websites, information on images and videos required for taking out products on our digital channel, chats, forms and other telephone banking services.|