This information describes how personal data provided by users through the public area of this Website (the “Website”) is collected, used, stored, shared and protected.

This Website guarantees that no personal data will be collected from users without their knowledge, nor will they be transferred to third parties except in cases when it is legally required. Users’ personal data will be processed in an effective and responsible manner, in strict compliance with the provisions of the General Data Protection Regulation (EU) 679/2016 (“GDPR”), the Data Protection and Guarantee of Digital Rights Act 3/2018 (“LOPDGDD”) as well as other regulations that may be applicable.

Users guarantee the authenticity and veracity of all the data they provide through the Website and that they will keep the information provided updated, so that it always corresponds to their actual situation, and they are solely liable for any false or inaccurate statements they make, as well as for any damage or harm arising therefrom.

Identification of data controllers

Users’ personal data will be processed by the following entities (collectively, the “Joint Controllers”), based on a shared responsibility scheme:

• BanSabadell Seguros Generales, S.A. de Seguros y Reaseguros Registered office at c/Isabel Colbrand 22, 28050 Madrid, Spain. Tax ID No. A-64194590. Registered in the Madrid Companies Register, Volume 36651, Book 0, Folio 117, Section 8, Page M657405, Entry 2, and in the Insurance Entities Register of the Directorate-General of Insurance and Pension Funds under code C-0767. Data Protection Officer: DPO_BSSegurosGenerales@BSSeg.com. If you are a customer of this company, you can view its privacy policy here.
• BanSabadell Vida, S.A. de Seguros y Reaseguros Registered office at c/Isabel Colbrand 22, 28050 Madrid, Spain. Tax ID No. A-08371908. Registered in the Madrid Companies Register, Volume 36993, Book 0, Folio 149, Section 8, Page M-661014, Entry 2 and registered with the Directorate-General of Insurance as an insurer under number C-557. Data Protection Officer: DPO_BSVida@BSVida.com. If you are a customer of this company, you can view its privacy policy here.
• BanSabadell Pensiones EGFP, S.A. Registered office at c/Isabel Colbrand 22, 28050 Madrid, Spain. Tax ID No. A-58581331. Registered in the Madrid Companies Register, Volume 36622, Book 0, Folio 140, Section 8, Page M657072, Entry 2, and in the Special Register of Pension Fund Managers under number G-0085. Data Protection Officer: DPO_BSPensiones@BSPensiones.com. If you are a customer of this company, you can view its privacy policy here.

The aforementioned entities have designed the Website and jointly decide on the purposes for and means of the personal data processing carried out therein. These entities have signed the appropriate joint controllers agreement which specifies their respective responsibilities in regards to this processing. If you would like information on essential aspects of the agreement, you can request it through any of the email addresses mentioned in this section.

Type of data processed

This Website is a channel for information and management of previously purchased products. The categories of personal data that are subject to being processed are as follows:

• Browsing data: users’ browsing data by means of cookies.
• Information on incidents and queries: personal data that is sent through the mailbox enabled for the communication of incidents and/or queries.

Purposes of processing

• Carrying out statistical studies and management of the Website: browsing data will be processed for the purpose of finding out how users use this Website (for example, to find out the number of visits and what content generates the most interest), as well as to analyse this information in order to make improvements and to anonymise it to be stored for statistical purposes. For more information on the types of cookies used on this Website and how to give or withdraw your consent, please see the Cookies Policy.
• Management of incidents and/or queries that arrive through the Mailbox published for this purpose on the Web page: the personal information sent through the incident mailbox will be processed to manage the incident or query sent by the users.

Storage periods

Browsing data will be stored for a period of two (2) years.

Identification and contact details will be stored for as long as you have any product or service from any of its entities, and your personal details will be stored and duly blocked after the termination of the contractual relationship for the period necessary to fulfil any responsibilities relating thereto. This period may not under any circumstances exceed ten (10) years.

The personal information sent through the incident mailbox will be kept for the period necessary to proceed with its management and resolution. Said personal information will be kept while the incident is being managed and, once finished, it will be kept for a maximum period of two (2) years.

The information and documentation relating to the products taken out are stored by each of the entities, as independent controllers, pursuant to the terms stipulated in their privacy policy.

Throughout the storage period, appropriate security measures will be implemented to prevent any risk of destruction, loss, accidental alteration or unauthorised access to your personal data. In compliance with article 32 of the LOPDGDD, near the end of the stipulated storage period, personal data will be blocked and used solely to meet any liability relating to their processing.

Legitimacy

The legal basis for the processing of browser data – including profiling for marketing to potential customers – is the consent given for the setting of cookies, pursuant to the provisions of the cookies policy.

The legal basis for the treatment of the information received through the incidents and consultations mailbox is the legitimate interest of the Companies to manage incidents that may affect their users or clients.

Communications to third parties

Under no circumstances will the personal data of users be shared or transferred to third parties other than joint data controller entities.

Without prejudice to the foregoing, the joint controllers (service providers) may have access to personal data. In application of their corporate governance policies, these entities only work with data controllers that have previously provided sufficient guarantees of compliance with current data protection laws. This ensures that under no circumstances will the personal data of users be processed from a country that does not offer a level of protection comparable to European levels, either through contractual measures with the processor, through the existence and verification of binding corporate rules or other equivalent safeguards.

Likewise, the joint controllers may share their data with the competent authorities in compliance with legal obligations.

Rights of data subjects

Data subjects may exercise the following rights:

• Right of access, should they wish to ask us to confirm whether or not we are processing their personal data, and if so to obtain a copy of the data and full information about their processing.
• Right of rectification, should they wish to request the correction of errors, the modification of inaccurate or incomplete data, and basically to guarantee the accuracy of information that may be processed.
• Right of erasure, should they wish to request the cancellation or deletion of their data because their processing is unlawful or if the purpose for which the data were processed or collected no longer exists.
• The right of portability, if they want to receive the personal data that they have provided and those that have been obtained from their contractual relationship in electronic format, or if they want to transfer them to another entity.
• Right to object: You may request that your personal data not be processed. The data will no longer be processed, except in cases of compelling legitimate or contractual reasons or to bring or defend against claims.
• The right to limit processing in the following cases: (i) when the accuracy of data is contested; (ii) when the processing of your data is unlawful and you object to the erasure of your data; (iii) when your data no longer needs to be processed, but you need it to bring or defend against claims; and (iv) when you have objected to the processing of your data for the performance of a task carried out in the public interest or for the fulfilment of a legitimate interest, while it is being determined whether the legitimate grounds for processing outweigh yours.
• The right to withdraw consent previously given for a particular processing operation, without affecting the data processing carried out prior to the withdrawal.

To exercise any of these rights, as well as to request information on any aspect of the processing of your data, you may contact the email addresses provided for this purpose by each joint controller or contact their respective Data Protection Officers:

- For BanSabadell Vida, S.A. de Seguros y Reaseguros: ProteccionDatos_BSVida@BSVida.com; DPO_BSVida@BSVida.com

- For BanSabadell Seguros Generales, S.A. de Seguros y Reaseguros: ProteccionDatos_BSSegurosGenerales@BSSeg.com; DPO_BSSegurosGenerales@BSSeg.com

- For BanSabadell Pensiones EGFP, S.A.: ProteccionDatos_BSPensiones@BSPensiones.com; DPO_BSPensiones@BSPensiones.com.

In order to process your petition to exercise a right without delay, it is recommended that you clearly state your identity (first name, surname/s and national identity card number) and the right/s you wish to exercise. The exercise of these rights is free of charge, except in the case of manifestly unfounded or excessive petitions for access, in which case we are legally entitled to charge a reasonable fee to cover the cost of processing your petition.

We inform you that you may ultimately petition the Spanish Data Protection Agency to protect your rights or submit a claim on its website www.agpd.es, or at its head office located at c/ Jorge Juan, 6 – 28001 Madrid (Spain).