Information on customer data protection

I. Data controller

The data controller of your personal data is MORA ASSEGURANCES, SAU, whose registered address Social is at Avinguda Meritxell, 96 AD500 – Andorra la Vella, and that is filed with the Companies Registry of the Principality of Andorra under number 6895 (hereinafter, “MoraBanc Assegurances” or the “Company”).

Back

II. Data Protection Officer

You are hereby informed that MoraBanc Assegurances has appointed a Data Protection Officer, who shall be the person responsible for supervising and enforcing compliance with the law on personal data protection (passed by Act 29/2021, of 28 October).

For any enquiries or requests that you may have about personal data protection, you may contact MoraBanc Assegurances’ Data Insurance Protection Officer at the above address or at the following email address: dpo@morabanc.ad.

Back

III. What personal data does MoraBanc Assegurances process?

The personal data that we process includes any information you provide to us in the customer onboarding process or in any processes for engaging any of our products or services, in addition to any information that we have or have had access to during our contractual relationship with you, understood in the broadest sense, through any of our channels: branches, website, mobile app, chats, forms and telephone.

Unless otherwise stated, all data collected shall be required as they are essential details for executing, maintaining, performing, complying with and/or monitoring our contractual relationship, which it would not be possible to establish should you fail to provide them.

We may also process the personal data of third parties (the insured if other than the Policyholders, beneficiaries, injured parties and heirs, amongst others) for the sole purpose of handling our contractual relationship and the performance of all legal obligations. MoraBanc Assegurances shall not process or disclose these data to third parties for purposes other than handling this contractual relationship.

Click HERE if you would like further details about the personal data that the Company processes.

Back

IV. How does MoraBanc Assegurances obtain your personal data?

In addition to the personal data that you provide to us, the Company may obtain information about its customers from external sources of information, such as:

  • Mora Banc Grup, SA (hereinafter the “Bank”). The Company markets its products through the Bank by using its sales network and IT systems. The Company avails itself of the synergies arising from this relationship to use the personal data the Bank holds about the data subjects who take out an insurance policy, thus streamlining the process of taking out insurance for both the Company and the data subjects. Furthermore, the Company delegates its services for the prevention of money laundering and the financing of terrorism, as well as services for tax affairs, to the Bank. This therefore means that the Bank (i) shall disclose all information that it deems relevant to Mora Assegurances; and (ii) shall obtain information from third parties such as specialised data files or publicly available sources on the Internet.
  • Third-party medical examination service providers in the event of a claim or a risk assessment.
  • Different businesses that render additional services to the data subjects depending on the products or services they have engaged, including, amongst others, (i) home medical care; (ii) a second medical opinion; and (iii) tele-underwriting.

Back

V. For what purpose and on what legitimate basis do we process your data?

1. Pre-contractual phase and information requests

  • Processing associated with requests for information about products and services provided by MoraBanc Assegurances, and pre-contractual matters:
Purpose of data processing Legitimate basis
  • Handling information requests in order to respond to your requests for information about our financial products and services.
  • Handling telephone services that, amongst other things, enable the products and services on offer to be engaged.
  • Ensuring that all requirements and risk assessments for taking out the products or services provided by MoraBanc Assegurances are met.

In these cases, your personal data must be processed for contractual reasons and, should you object to this, you shall be told that the contract in question cannot be executed.

 The enforcement of pre-contractual measures pursuant to section 6.1 b) of Act 29/2021 on Personal Data Protection

 

2. Contractual phase

  • Processing associated with taking out products and services provided by MoraBanc Assegurances:
Purpose of data processing Legitimate basis
  • Entering into, maintaining and performing the contractual relationship between MoraBanc Assegurances and its Policyholders to, amongst others: (i) handle customer onboarding; (ii) handle the services provided to the data subjects depending on the products or services they have taken out; (iv) update and send documents; (v) conduct audits; (vi) handle potential complaints and claims (in and out of court); and (v) handle electronic signatures.
  • Disclosing your personal data, in full or in part, to other insurance companies for the purpose of settling claims.
  • Disclosing your personal data to the insurance or reinsurance companies with which the Company decides to enter into reinsurance and coinsurance arrangements for the sole purpose of entering into such contractual relationships.
  • Should the insured be other than the policyholder, handling the claims process in the event of the death of the insured covered by an insurance policy taken out.
  • Handling and processing the invoicing of any assistance requested by the policyholder, the insured or the beneficiary based on the insurance policy taken out.
  • Processing the personal data of the policyholder, the insured or the beneficiary for the purpose of the mutual disclosure of the personal data of the policyholder, the insured or the beneficiary between the Company and its employees, and healthcare centres, whenever necessary, in order to provide the assistance requested based on the insurance policy, whereby the Company may obtain information about her/his health, and the assistance requested and/or received, for the purposes of processing and invoicing it.
  • Handling the telephone service and chatbot that make it possible, amongst others, to handle the following: (i) processing of claims; (ii) sending medical bills; and (iii) informing of the processing of sick leave.
  • In the event of the failure to meet payments that, for whatever reason, were due to MoraBanc Assegurances by virtue of a contractual obligation, the information about the non-payment (original amount, effective date, maturity date, outstanding amounts, type of financing, the collateral put forward and their worth) shall be processed and actions taken to recover them.

In these cases, your personal data must be processed for contractual reasons and, should you object to this, you shall be told that the contract in question cannot be executed.

 The execution of contracts pursuant to section 6.1 b) of Act 29/2021 on Personal Data Protection
MoraBanc Assegurances must fulfil certain legal obligations for dealing with products and services requested that are taken out by customers, including, amongst others:

  • Taking certain actions to comply with Act 12/2017, on the regulation and supervision of insurance and reinsurance companies in the Principality of Andorra, and Act 14/2017 on the prevention and fight against money laundering and the financing of terrorism, and to prevent, detect and monitor potential situations of fraud, such as the unlawful access to the personal data of data subjects and identity theft.
  • Issuing certain reports to the financial authorities, such as the Andorran Financial Authority (AFA), as the supervisor of the insurance sector in Andorra, and to other international organisations in the case of obligations imposed by international tax regulations and, specifically, the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS).

You are likewise hereby informed that the services for the prevention of money laundering and the financing of terrorism have been entrusted to the Bank. This therefore means that the Bank: (i) shall disclose all information that it deems relevant to Mora Assegurances; and (ii) shall obtain information from third parties such as specialised data files or publicly available sources on the Internet.

Furthermore, the Financial Intelligence Unit of Andorra (UIFAND) may be the recipient of your personal data in order to: (i) submit information from time to time about transactions that meet certain set criteria; or (ii) request specific information about a transaction.

  • Disclosing personal data to the competent public bodies, the Andorran Social Security System (CASS), magistrates, judges and courts of law.
  • Handling requests, claims and complaints that may be received in respect of customers.
  • Dealing with requests to exercise rights related to personal data protection in compliance with sections 18 to 26 of Act 29/2021 on personal data protection.
  • Undergoing audits on financial matters, the prevention of money laundering and the financing of terrorism, products and tax affairs to which the Company may be subject from time to time.

All legal obligations shall remain in place and be performed by the Company even after the contractual relationship with its customers has terminated for as long as it is legally bound to do so.

The data processing that must be carried out in compliance with the various laws described is mandatory and, should you object to this, you are hereby informed that you may not enter into a contractual relationship with the Company.

 Performance of a legal obligation pursuant to section 6.1.c) of Act 29/2021 on Personal Data Protection
  • Processing information about health, both when an insurance policy is first taken out and throughout its term, whether for handling claims or processing sick leave, or on the grounds of coinsurance or reinsurance.
    Given that MoraBanc Assegurances specialises in insurance policies, processing information about health shall be a binding condition for taking out and, if applicable, processing an insurance policy. Many of our products may not be taken out if the personal health data of the insured are not processed.
 Consent. Processing of special categories of personal data pursuant to section 9.2.a) of Act 29/2021 on Personal Data Protection
  • Conducting customer satisfaction surveys through telephone calls and electronic media (email, SMS or equivalent messaging). The legal basis for this data processing is MoraBanc Assegurances’ legitimate interest in finding out about its customers’ experiences. You are hereby informed that these services have been entrusted to the Bank, which, in discharging this undertaking, shall act on behalf of Mora Assegurances.
    You may object to your data being processed by ticking the boxes made available for this purpose that are found at the beginning of any contracts for engaging our products and services. In any event, you may object to your data being processed by either following the procedure for doing so in any marketing message or by writing an email to protecciodedades@morabanc.ad.
  • Handling your status as a MoraBanc Assegurances customer on an ongoing basis and updating your personal data. MoraBanc Assegurances and the entities in its Group, specifically Mora Banc Grup, SA and Mora Gestió d’Actius, SAU, shall disclose any information related to the update of your personal data. This means that if you update any personal data provided to MoraBanc Assegurances, it may provide this updated information to any of the entities in the Group and disclose any contact details about you (e.g., email address, telephone number or postal address). This processing is carried out based on the legitimate interest of all entities in the MoraBanc Group having updated information and being aware of the products that are marketed by the Company, without them having to request this updated information from each of the entities in the MoraBanc Group.
 Legitimate interest pursuant to section 6.1.f) of Act 29/2021 on Personal Data Protection
  • • Data processed for marketing purposes

For marketing purposes, the Company may carry out the following actions:

Purpose of data processing Legitimate basis
Sending marketing messages via electronic media (email, SMS or similar electronic messaging) and making telephone calls regarding MoraBanc Assegurances’ financial products and services.

You are hereby informed that these campaigns may be directly run by MoraBanc Assegurances or through third-party companies of the Bank, which in the discharge of this undertaking, shall act on behalf of Mora Assegurances.

 Legitimate interest pursuant to section 6.1.f) of Act 29/2021 on Personal Data Protection

Finally, you may object or consent to your data being processed by ticking the boxes made available for this purpose that are found at the beginning of any contracts for engaging our products and services. In any event, you may consent or object to your data being processed at any time, by either following the procedure for doing so in each marketing message or by writing an email to protecciodedades@morabanc.ad.

  • Weighting of legitimate interest

In the case of data processed based on the Company’s legitimate interest as described above, to ensure that all the safeguards have been taken that are required not to breach the rights of our customers in respect of personal data protection the Company has examined the weighting between these legitimate interests and the rights of data subjects. The findings of this analysis are positive, based on the circumstances of each case examined to understand whether these safeguards were taken into account.

If you would like to learn more about the conclusions of the studies on the weighting of legitimate interest conducted by MoraBanc Assegurances related to the data processing discussed in the above points in order to verify that your data protection rights have not been breached, you may ask the Data Protection Officer for them at the following email address: dpo@morabanc.ad.

Back

VI. Who will receive your personal data?

The Company shall only disclose its customers’ personal data to the following recipients or categories of recipients:

  1. Public bodies, domestic financial supervisory authorities, authorities responsible for the prevention of money laundering and the financing of terrorism, the Department of Taxes and Borders, the Andorran Social Security Fund (CASS), magistrates, judges and courts, law enforcement agencies and, in general, competent authorities, provided the Company is legally required to provide them with personal data.
  2. Authorities in other countries, pursuant to the regulations on taxes, the prevention of money laundering and the financing of terrorism, and the prevention of fraud.
  3. Mora Banc Grup, SA, depending on the undertakings entrusted to it, shall provide the following services for dealing with (i) money laundering and the financing of terrorism; (ii) tax affairs; (iii) the carrying out of customer satisfaction surveys; (iv) telephone calls and post; (v) legal advice and conducting internal audits; and (vi) requests for exercising rights.
  4. Entities in the MoraBanc Group, specifically, Mora Banc Grup, SA, with registered address at Av. Meritxell, 96, AD500 – Andorra la Vella, Principality of Andorra (business: banking in the broadest sense); and Mora Gestió d’Actius, SAU, with registered address at Carrer de l’Aigüeta, 3 AD500 – Andorra la Vella, Principality of Andorra (business: management of undertakings for collective investments, the discretionary and individual management of portfolios and advice on investments). They are responsible for the ongoing management of you as a MoraBanc Assegurances customer and for updating your personal data, as well as for the prevention of fraud, money laundering and the financing of terrorism. Your personal data shall only be disclosed to the Group companies mentioned in the above paragraph if you have given your consent to receiving marketing messages.
  5. Companies in the insurance and reinsurance sector, for the sole purpose of executing reinsurance and coinsurance policies.
  6. In addition to the foregoing, the Company works with other third-party service providers that also have access to customers’ personal data and process them on behalf of the Company as a result of rendering these services. Specifically, the Company outsources the following services to third-party service providers, including, but not limited to: claims handling services, insurance brokerage services, tele-selection services, promotional campaign services, medical check-up services for selecting risks, administrative services, advisory and consultancy services, technology maintenance and development quality assurance auditing services, IT services, printing and correspondence dispatch services, licensing services, software maintenance and development services, and data storage services. This therefore means that these companies may access personal data as data processors for which MoraBanc Assegurances is the data controller.

The Company follows strict standards in the selection of service providers so that it fulfils its obligations in respect of personal data protection and it undertakes to execute the relevant data processing agreements pursuant to which it imposes, amongst others, the following obligations on them: they must implement suitable technical and organisational measures; process the personal data for the purposes agreed upon by only following the Company’s written instructions; and erase or return the data to the Company once the service provision has come to an end.

Back

VII. Are there international transfers of personal data?

Certain third-party service providers listed in the previous point are located outside of the domestic territory, including in countries with data protection levels that are not comparable with those in Andorra or the EU.

International data transfers that may be made as a consequence of the provision of the aforementioned services must fulfil the safeguards set forth on sect. 44 of Act 29/2021 on personal data protection.

Should international transfers of personal data be made in the future, they shall be carried out based on these safeguards. In conducting its annual review of personal data protection, the Company also oversees international transfers of personal data. Should you require further information on the safeguards implemented for international transfers, you may write an email to the Company’s Data Protection Officer at dpo@Morabanc.ad.

Back

VIII. Storage period

MoraBanc Assegurances must process your personal data throughout the term of our contractual relationship with you. On the termination of our contractual relationship, we shall only keep your personal data on record for prescription periods set by the laws in force to which each of the contracts signed are subject (as a general rule, thirty (30) years once the obligations arising from a contract have terminated).

During the term that we keep your personal data on record due to legal obligations, they shall be locked. This means that these data shall be stored subject to the technical measures required to prevent their processing and shall only be disclosed to judicial bodies or public administrations that require this information. Once these terms have elapsed, MoraBanc Assegurances shall erase the personal data.

Back

IX. Personal data protection risk analysis

MoraBanc Assegurances ha dut a terme diverses anàlisis de riscos en matèria de protecció de dades de tots els tractaments identificats en aquest document. A les qüestions analitzades s’han tingut en compte els aspectes relatius a: tractament de categories especials de dades; volum de dades; tractament de dades de tercers; participació de tercers al flux de dades; avaluació d’aspectes personals de persones físiques; realització de tasques de gestió patrimonial; contractació de proveïdors externs; cessió de dades; bases de legitimació del tractament i la possibilitat d’exercir els drets en matèria de protecció de dades per part dels interessats, entre d’altres.

Després de les anàlisis realitzades, Mora Banc ha dut a terme les avaluacions d’impacte de protecció de dades que s’han determinat després de les anàlisis de riscos prèvies realitzades. Podeu sol·licitar qualsevol informació addicional a l’adreça electrònica del Delegat de Protecció de Dades de MoraBanc Assegurances: dpo@morabanc.ad.

Back

X. Personal data protection rights

Pursuant to the regulations on personal data protection, you may exercise the following rights:

  • Access. You may obtain information related to the processing of your personal data and a copy of them.
  • Rectification. If you believe that your personal data are inaccurate or incomplete, you may request that they be modified.
  • Erasure. You may demand that your personal data be erased, to the extent permitted by law.
  • Restriction of processing. You may request that the processing of your personal data be restricted if: (i) you do not believe that your personal data are accurate; (ii) you consider that they are being unlawfully processed; (iii) you need your personal data to lodge or file a claim; or (iv) you wish to exercise your right of objection.
  • Objection. You may object to your personal data being processed on grounds related to your personal circumstances. Data subjects are entitled, amongst others, to object to the processing of their personal data for marketing purposes, which includes the creation of analytical models related to this activity.
  • Portability of personal data. Whenever legally and technically possible, you are entitled to request that we return the personal data that you have provided to us and, whenever technically possible, that they be transferred to a third party.
  • Withdrawal of your consent. If you have given your consent for the processing of your personal data, you are entitled to withdraw it at any time.

You may exercise these rights by sending an email to protecciodedades@morabanc.ad or a letter to MORA ASSEGURANCES, SAU (for the attention of the Data Protection Officer), Avinguda Meritxell, 96 AD500 – Andorra la Vella, Principality of Andorra.

You must submit a copy of your passport or official identity document that identifies you in the event that this cannot be done using other means.

Back

XI. Data protection claims

If you believe that your personal data rights have been breached, you may contact MoraBanc Assegurances’ Data Protection Officer (dpo@morabanc.ad), who shall deal with your request and look into the best way to process your claim.

In any event, you may submit a claim to the Andorran Data Protection Agency at https://www.apda.ad, which is the supervisory authority on these matters.

Back

Schedule I. Personal data that MoraBanc Assegurances may process

Identification details Forename and surname(s).
Address (email and home).
Telephone number.
Passport or identity document.
Handwritten and digital signature.
Personal details Marital status.
Family circumstances.
Date of birth.
Place of birth.
Age.
Sex.
Nationality.
Physical characteristics.
Business information. Transactions involving goods and services Business activities.
Transactions involving goods and services Goods and services provided.
Goods and services received.
Details about products taken out, including bank, financial and transactional details.
Compensation and indemnity.
Financial details Bank details.
Salary.
Income, revenues, investments and property assets.
Credits, loans and guarantors.
Pension and retirement plans.
Tax.
Insurance.
Mortgages.
Subsidies.
Solvency and credit risk details Products taken out.
Financial information on these products and details on defaults.
Academic and work details Education and qualifications.
Occupation.
Workplace.
Employee and employment records.
Non-financial salary details.
Social circumstances Characteristics of housing/home.
Military status.
Properties and possessions.
Contractual details Details of claims, complaints and legal actions.
Details about your preferences.
Details of telephone conversations.
Details of remarks by bank managers.
Forms for obtaining information about money laundering and the financing of terrorism.
Contractual terms and conditions of products taken out.
Information obtained from interviews and forms.
Third-party details Beneficiaries.
Family.
Spouses.
Heirs.
Injured parties.
Sensitive information Health details required for taking out policies.
Information from criminal records arising from the obligations on the prevention of money laundering and the financing of terrorism.
Information about possible fraud.
Details on the digital environment User details and content related to digital interaction on devices enabled at any given time. IP address and information on Internet domains, geolocation, cookies, device identifiers, our apps and our social media websites, chats, forms and other telephone banking services.

Back