Customer data protection policy

I. Data controller

II. Data Protection Officer

III. What personal data does MoraBanc process?

IV. How does MoraBanc obtain your personal data?

V. For what purpose and on what legitimate basis do we process your data?

VI. Who will receive your personal data?

VII. Are there international transfers of personal data?

VIII. Storage period

IX. Personal data protection risk analysis

X. Personal data protection rights

XI. Data protection claims

Schedule I. Personal data that MoraBanc may process

1. Pre-contractual phase and information requests

  • Processing associated with requests for information about products and services provided by MoraBanc, and pre-contractual matters:
Purpose of data processing | Legitimate basis
  • Handling information requests in order to respond to your requests for information about our financial products and services.
  • Carrying out the procedure required to verify your identity. Should this process be digital, MoraBanc shall make the relevant checks using documents or do so over the telephone or via videoconference that shall be recorded and kept on record.
  • Ensuring that all requirements for the purchase of products or services provided by MoraBanc are met. Should a request be made for the approval of a financing transaction by MoraBanc, we shall examine your request to appraise it and check the documentation. In the case of investment services, additional information may be obtained for providing (i) an advisory service or (ii) discretionary portfolio management.

In these cases, your personal data must be processed for contractual reasons and, should you object to this, you shall be told that the contract in question cannot be executed.

Legitimate basis: The enforcement of pre-contractual measures pursuant to section 6.1 b) of Act 29/2021 on Personal Data Protection
  • Handling information requests received through different channels such as online forms, email, telephone or social media.
  • Sending marketing messages via electronic media (email, SMS or equivalent electronic messaging) or telephone about press releases, business information, events, and MoraBanc’s products and services.

You may withdraw your consent at any time by writing an email to: protecciodedades@morabanc.ad

Legitimate basis: Consent given pursuant to section 6.1.a) of Act 29/2021 on Personal Data Protection

 

2. Contractual phase

  • Processing associated with taking out products and services provided by MoraBanc:
Purpose of data processing | Legitimate basis
  • Entering into, maintaining and performing the contractual relationship between MoraBanc and its customers to, amongst others: (i) handle customer onboarding; (ii) monitor financial management; (iii) execute transactions, certificates, transfers and instructions; (iv) update and send documents; (v) handle transfers; (vi) conduct audits; (vii) handle potential complaints and claims (in and out of court); (viii) handle electronic signatures; (ix) handle videoconferences; and (x) handle cards and POS terminals.
  • Handling the telephone and online services that, amongst other things, enable financing transactions and guarantors to be set up.
  • Specifically dealing with the customer area on the online banking service. You will be able to conduct transactions and obtain information about your accounts and balances from this area.
  • Responding to affidavits of heirship and public bodies related to information requests, freezing accounts and the seizure of assets.
  • In the event of the failure to meet payments that, for whatever reason, were due to MoraBanc, by virtue of a contractual obligation, the information about the non-payment (original amount, effective date, maturity date, outstanding amounts, type of financing, the collateral put forward and its amount) shall be processed and actions taken to recover them.

In these cases, your personal data must be processed for contractual reasons and, should you object, you shall be told that the contract in question cannot be executed.

Legitimate basis: The execution of contracts pursuant to section 6.1 b) of Act 29/2021 on Personal Data Protection
MoraBanc must fulfil certain legal obligations for dealing with products and services requested that are taken out by customers, including, amongst others:

 

  • Taking certain actions to comply with Act 14/2017 on the prevention and fight against money laundering and the financing of terrorism, and to prevent, detect and monitor potential situations of fraud, such as the unlawful access to the personal data of data subjects and identity theft.

Actions related to: (i) checking the identity of natural persons and legal entities; (ii) checking the source of funds; (iii) monitoring transactions conducted by customers; and (iv) informing the authorities about domestic and international controls.

MoraBanc discloses all information related to the prevention of money laundering and the financing of terrorism to all the entities in its Group.

You are likewise hereby informed that the services for the prevention of money laundering and the financing of terrorism have been entrusted by MoraBanc to Mora Assegurances, SAU and Mora Gestió d’Actius, SAU. This therefore means that MoraBanc: (i) shall disclose all information that it deems relevant to Mora Assegurances, SAU and Mora Gestió d’Actius, SAU; and (ii) shall obtain information from third parties such as specialised data files or publicly available sources on the Internet about its account holders, joint account holders, legal representatives and beneficial owners.
Furthermore, the Financial Intelligence Unit of Andorra (UIFAND) may be the recipient of your personal data in order to: (i) submit information from time to time about transactions that meet certain set criteria; or (ii) request specific information about a transaction.

  • Issuing certain reports to the financial authorities, such as the Andorran Financial Authority (AFA) and other international organisations in the case of obligations imposed by international tax regulations and, specifically, the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS).
  • Discharging obligations to identify customers and keeping records of telephone calls made to conduct different transactions.
  • Disclosing personal data to the competent public bodies, the Andorran Social Security System (CASS), magistrates, judges and courts of law.
  • Handling requests, claims and complaints that may be received in respect of customers.
  • Dealing with requests to exercise rights related to personal data protection in compliance with sections 18 to 26 of Act 29/2021 on personal data protection.
  • Undergoing audits on financial matters, the prevention of money laundering and the financing of terrorism, products and tax affairs to which the Company may be subject from time to time.
  • Assessing solvency and the risk of customers in compliance with Act 35/2018 on the solvency and supervision of banks and investment institutions. You can find further information below about the processing of your personal data in the section on the rating models used to measure credit risk.
  • Using video surveillance systems in branches, pursuant to Act 30/2018 of 6 December, on public security whereby banks must have the protection measures in place established in the Decree enacted on 9 December 2020 that passed the Regulation on the installation of video surveillance systems to prevent crimes from being committed in their establishments and facilities, and against the people who work there or who find themselves there, and to avoid these persons from being subject to risk.

All legal obligations shall remain in place and be performed by the Company even after the contractual relationship with its customers has terminated for as long as it is legally bound to do so.

The data processing that must be carried out in compliance with the various laws described is mandatory and, should you object to this, you are hereby informed that you may not enter into a contractual relationship with the Company.

Legitimate basis: Performance of a legal obligation pursuant to section 6.1.c) of Act 29/2021 on Personal Data Protection
  • Conducting customer satisfaction surveys through telephone calls and electronic media (email, SMS or equivalent messaging). The legal basis for this data processing is MoraBanc’s legitimate interest in finding out about its customers’ experiences.
  • Handling your status as a MoraBanc customer on an ongoing basis and updating our personal data. MoraBanc and the entities in its Group, specifically Mora Assegurances, SAU and Mora Gestió d’Actius, SAU shall disclose any information related to the update of your personal data. This means that if you update any personal details at any of MoraBanc’s branches, it may provide this updated information to any of the entities in the Group and disclose any contact details about you (e.g., email address, telephone number or postal address). This processing is carried out based on the legitimate interest of all entities in the MoraBanc Group having updated information and being aware of the products that are marketed by the Company, without them having to request this updated information from each of the entities in the MoraBanc Group.
Legitimate basis: Legitimate interest pursuant to section 6.1.f) of Act 29/2021 on Personal Data Protection
  • Signing documents using electronic signatures on the devices that MoraBanc makes available to you. This system allows you to sign any kind of electronic document in which your identity as the signatory is proven through the collection of biometric data. Should you not wish these data to be processed, you may choose to sign documents by hand.
Legitimate basis: Consent given pursuant to section 6.1.a) of Act 29/2021, on Personal Data Protection

 

Assessment of solvency and credit risk

Pursuant to the legal requirements discussed, the Company shall assess your solvency and credit risk. To do so, MoraBanc examines all of the information you have provided that it has on its records. NO scores are given nor are automated decisions taken for customers and NO information is obtained from third parties or from records on defaults on financial obligations in drawing up the credit risk assessment. As can be seen below, decisions are taken by a team appointed for this purpose.

Information about the assessment of solvency and credit risk
Data categories used or that shall be used for this assessment: Identification details: forename, surname, passport or identity document, address, financial information and work details. This information may be obtained from the data subject or from searches on MoraBanc’s database or, in the case of Spanish companies, the Informa database.

Neither external records on insolvency nor external registries are searched.

Why are these categories considered relevant? There is no model that sets guidelines or points to assess specific risks, but, in the case of some campaigns, specific points may be used to decide whether or not a data subject fulfils the requirements to be granted a special offer.

How are decisions taken? Based on the information it has been given, the Risk Department draws up a report that, depending on the amount involved, is submitted to the relevant Committee. The Committees are responsible for taking the final decision.

Anticipated results of this data processing: Once the assessment has been completed, it is decided whether or not a transaction can go ahead and the result passed on to the relevant bank manager.

 

  • Weighting of legitimate interest

In the case of data processed based on the Company’s legitimate interest as described above, the Company has examined the weighting between these legitimate interests and the rights of data subjects, to ensure that all the safeguards required not to breach our customers’ personal data protection rights have been taken. The findings of this analysis are positive, based on the circumstances of each case examined to understand whether these safeguards were taken into account.

If you would like to learn more about the conclusions of the studies on the weighting of legitimate interest conducted by MoraBanc related to the data processing discussed in the above points in order to verify that your data protection rights have not been breached, you may ask the Data Protection Officer for them at the following email address: dpo@morabanc.ad.

  • Data processed for marketing purposes

For marketing purposes, the Company may carry out the following actions:

Purpose of data processing | Legitimate basis

  • Sending marketing messages via electronic media (email, SMS or similar electronic messaging) and making telephone calls regarding MoraBanc’s financial products and services.

Legitimate basis: Legitimate interest pursuant to section 6.1.f) of Act 29/2021 on Personal Data Protection

  • Sending marketing messages via electronic media (email, SMS or similar electronic messaging) and making telephone calls regarding third-party products and services such as those provided by Mora Assegurances, SAU and Mora Gestió d’Actius, SAU, and products provided by third-party companies with which MoraBanc has reached business agreements.

Legitimate basis: Consent given pursuant to section 6.1.a) of Act 29/2021, on Personal Data Protection

  • Your personal data shall be assigned to the following companies in the MoraBanc Group that belong to the insurance and investment service sectors so that they may carry out actions or send promotional marketing messages by way of telephone calls and electronic media (email, SMS or similar electronic messaging) of products that may match your profile:
– Mora Assegurances, SAU
– Mora Gestió d’Actius, SAU

Legitimate basis: Consent given pursuant to section 6.1.a) of Act 29/2021, on Personal Data Protection

 

Creation of analytical models for drawing up marketing profiles

The Company hereby informs you that based on analytical models it may customise the range of products and services offered to you in line with your socio-economic background, past transactions, assets, risk profile and payment behaviour in order to match our product offering to your profile. In any event, these models are built using the Company’s internal information that you have provided to it or that has been obtained based on products taken out in the past and on your balances. NO information is obtained from third parties to draw up these profiles. A breakdown is given below of the significant information about these profiles:

Information on the creation of analytical models for marketing purposes
Data categories used or that shall be used for creating the abovementioned models: Socio-demographic information (information about marital status, family, date of birth, place of birth, age, sex, nationality, place of residence), transactions with products (taken out, held, cancelled), salary, loans, credits, cards and information on their use, pension plans, retirement plans, balance of investments with the bank, insurance policies held with Mora Assegurances, SAU (health, sick pay and life insurance), complaints and claims and the reasons and dates lodged, scores given in satisfaction surveys, online and offline transactions, information about your cookies and your browsing history.

Why are these categories considered relevant? Because they are made up of variables that are usually correlated with buying habits or the cancellation of a product.

How are the models drawn up? By examining what customers have done in the past, we are able to predict what they will do in the future. MoraBanc is therefore able to address them with relevant marketing campaigns.

Why is this model relevant for automated decision-making? Because it helps prioritise customers and define what to offer to each of them, rather than offering everything to everyone.

Anticipated results of this data processing: After devising an analytical model, MoraBanc picks out the potential customers for each product. Thus, MoraBanc is able to contact these customers and offer them products most suited to their requirements. Therefore, communication channels are used with customers, whether through their branches, letters, telephone calls and electronic media such as emails, push notifications, SMS, ATMs and online banking accounts, or through specific notifications and banners.

Finally, you may object or consent to your data being processed by ticking the boxes made available for this purpose that are found at the beginning of any contracts for engaging our products and services. In any event, you may consent or object to your data being processed at any time, by either following the procedure for doing so in each marketing message or by writing an email to protecciodedades@morabanc.ad.


VI. Who will receive your personal data?

The Company shall only disclose its customers’ personal data to the following recipients or categories of recipients:

  1. Public bodies, domestic financial supervisory authorities, authorities responsible for the prevention of money laundering and the financing of terrorism, the Department of Taxes and Borders, the Andorran Social Security Fund (CASS), magistrates, judges and courts, law enforcement agencies and, in general, competent authorities, provided the Company is legally required to provide them with personal data.
  2. Authorities in other countries, pursuant to the regulations on taxes, the prevention of money laundering and the financing of terrorism, and the prevention of fraud.
  3. Entities in the MoraBanc Group, specifically, Mora Assegurances, SAU, with registered address at Plaça Coprínceps, 2 AD700 – Escaldes-Engordany, Principality of Andorra (business: life, accident, property, medical and civil liability insurance and reinsurance); and Mora Gestió d’Actius, SAU, with registered address at Carrer de l’Aigüeta, 3 AD500 – Andorra la Vella, Principality of Andorra (business: management of undertakings for collective investments, the discretionary and individual management of portfolios and advice on investments). They are responsible for the ongoing management of you as a MoraBanc customer and for updating your personal data, as well as for the prevention of fraud, money laundering and the financing of terrorism.

Your personal data shall only be disclosed to the Group companies mentioned in the above paragraph if you have given your consent to receiving marketing messages.

  4. Your personal data shall only be disclosed to Mora Gestió d’Actius, SAU or to any other similar asset management company so that the investment requested by you can be arranged.
  5. As a result of the transactions conducted, MoraBanc may disclose your personal data to other credit institutions, financial brokers and/or any other operator that acts or may act in the provision of banking and/or financial services, securities issuers, regulated markets, multilateral trading facilities, central clearing counterparties and securities clearing and settlement systems, whether domestic or foreign in all cases, in order to comply with the legal or regulatory obligations to which these operators are subject.
  6. In addition to the foregoing, the Company works with other third-party service providers that also have access to customers’ personal data and process them on behalf of the Company as a result of rendering these services. Specifically, the Company outsources the following services to third-party service providers, including, but not limited to, marketing and agency services, customer services, onboarding services, IT services, printing and processing correspondence, licensing services, software maintenance and development services, data storage services, management services, administrative services, record keeping and document digitisation services, legal and tax advice, consultancy, accounting, financial reporting, information management, auditing, quality assurance, transactions, video surveillance, IT and physical security, and cybersecurity. This therefore means that these companies may access personal data as data processors for which MoraBanc is the data controller.

The Company follows strict standards in the selection of service providers so that it fulfils its obligations in respect of personal data protection and it undertakes to execute the relevant data processing agreements pursuant to which it imposes, amongst others, the following obligations on them: they must implement suitable technical and organisational measures; process the personal data for the purposes agreed upon by only following the Company’s written instructions; and erase or return the data to the Company once the service provision has come to an end.


VII. Are there international transfers of personal data?

Certain third-party service providers listed in the previous point are located outside of the domestic territory, including in countries with data protection levels that are not comparable with those in Andorra or the EU.

Furthermore, as a result of the transactions involving cheques, transfers, remittances, POS terminals, investment services, SWIFT payments, SEPA payments, correspondent bank orders and summons from foreign authorities, personal data may be transferred to countries outside of Andorra and the European Union that have not signed up to Convention 108 of the Council of Europe.

International data transfers that may be made as a consequence of the provision of the aforementioned services must fulfil the safeguards set forth in section 44 of Act 29/2021 on personal data protection.

Should international transfers of personal data be made in the future, they shall be carried out based on these safeguards. In conducting its annual review of personal data protection, the Company also oversees international transfers of personal data. Should you require further information on the safeguards implemented for international transfers, you may write an email to the Company’s Data Protection Officer at dpo@morabanc.ad.


VIII. Storage period

MoraBanc must process your personal data throughout the term of our contractual relationship with you. On the termination of our contractual relationship, we shall only keep your personal data on record for prescription periods set by the laws in force to which each of the contracts signed are subject (as a general rule, thirty (30) years once the obligations arising from a contract have terminated).

During the term that we keep your personal data on record due to legal obligations, they shall be locked. This means that these data shall be stored subject to the technical measures required to prevent their processing and shall only be disclosed to judicial bodies or public administrations that require this information. Once these terms have elapsed, MoraBanc shall erase the personal data.


IX. Personal data protection risk analysis

MoraBanc has conducted a number of personal data protection risk analyses of all the data processing described in this document. The matters analysed took into account aspects related to the processing of special categories of personal data; the volume of data; the processing of third-party data; the involvement of third parties in the data processing workflow; the assessment of the personal details of natural persons; asset management tasks; the engagement of third-party service providers; the assignment of data; the legitimate bases for data processing and the possibility of exercising rights related to the protection of the data subjects’ personal data, amongst others.

Following the analyses conducted, MoraBanc made assessments of the impact of the personal data protection measures set after the preliminary risk analyses conducted. You may request any additional information by writing an email to the Data Protection Officer at dpo@morabanc.ad.


X. Personal data protection rights

Pursuant to the regulations on personal data protection, you may exercise the following rights:

  • Access. You may obtain information related to the processing of your personal data and a copy of them.
  • Rectification. If you believe that your personal data are inaccurate or incomplete, you may request that they be modified.
  • Erasure. You may demand that your personal data be erased, to the extent permitted by law.
  • Restriction of processing. You may request that the processing of your personal data be restricted if: (i) you do not believe that your personal data are accurate; (ii) you consider that they are being unlawfully processed; (iii) you need your personal data to lodge or file a claim; or (iv) you wish to exercise your right of objection.
  • Objection. You may object to your personal data being processed on grounds related to your personal circumstances. Data subjects are entitled, amongst others, to object to the processing of their personal data for marketing purposes, which includes the creation of analytical models related to this activity.
  • Portability of personal data. Whenever legally and technically possible, you are entitled to request that we return the personal data that you have provided to us and, whenever technically possible, that they be transferred to a third party.
  • Withdrawal of your consent. If you have given your consent for the processing of your personal data, you are entitled to withdraw it at any time.

You may exercise these rights by sending an email to protecciodedades@morabanc.ad or a letter to MORA BANC GRUP, SA (for the attention of the Data Protection Officer), Avinguda Meritxell, 96 AD500 – Andorra la Vella, Principality of Andorra.

You must submit a copy of your passport or official identity document that identifies you in the event that this cannot be done using other means.


XI. Data protection claims

If you believe that your personal data rights have been breached, you may contact MoraBanc’s Data Protection Officer (dpo@morabanc.ad), who shall deal with your request and look into the best way to process your claim. In any event, you may submit a claim to the Andorran Data Protection Agency at https://www.apda.ad, which is the supervisory authority on these matters.


Schedule I. Personal data that MoraBanc may process

Identification details
  • Forename and surname(s).
  • Address (email and home).
  • Telephone number.
  • Passport or identity document.
  • Handwritten and digital signature.

Personal details
  • Marital status.
  • Family circumstances.
  • Date of birth.
  • Place of birth.
  • Age.
  • Sex.
  • Nationality.
  • Mother tongue.
  • Physical characteristics.
  • Image.

Business information
  • Business activities.
  • Business licences.
  • Subscriptions to publications.
  • Artistic, literary and scientific output.

Transactions involving goods and services
  • Goods and services provided.
  • Goods and services received.
  • Details about products taken out, including bank, financial and transactional details.
  • Compensation and indemnity.

Financial details
  • Bank details.
  • Salary.
  • Income, revenues, investments and property assets.
  • Credits, loans and guarantors.
  • Pension and retirement plans.
  • Tax.
  • Insurance.
  • Mortgages.
  • Subsidies.
  • Credit history.
  • Credit cards and details of their use.
  • Details about card payments.
  • Location of cash withdrawals and payments made.
  • Payment system credentials.
  • Details of debt.
  • Payment behaviour.
  • Investment balances.

Solvency and credit risk details
  • Products taken out.
  • Financial information on these products and details on defaults.

Academic and work details
  • Education and qualifications.
  • Occupation.
  • Workplace.
  • Employee and employment records.
  • Non-financial salary details.

Social circumstances
  • Characteristics of housing/home.
  • Military status.
  • Properties and possessions.
  • Interests and lifestyle.
  • Membership of clubs and associations.
  • Licences, permits and authorisations.

Contractual details
  • Details of claims, complaints and legal actions.
  • Details about your preferences.
  • Details of telephone conversations.
  • Details of remarks by bank managers.
  • Forms for obtaining information about money laundering and the financing of terrorism.
  • Tests taken pursuant to Act 8/2013 on organisational requirements and operating conditions for institutions operating in the financial sector, investor protection, market abuse and financial collateral agreements, including any modifications made to date.
  • Contractual terms and conditions of products taken out.
  • Information obtained from interviews and forms.

Third-party details
  • Guarantors.
  • Beneficiaries.
  • Family.
  • Spouses.

Sensitive information
  • Information from criminal records arising from the obligations on the prevention of money laundering and the financing of terrorism.
  • Information about possible fraud.
  • Biometric details from your digital signature.

Details on the digital environment
  • User details and content related to digital interaction on devices enabled at any given time. IP address and information on Internet domains, geolocation, cookies, device identifiers, our apps and our social media websites, information on images and videos required for taking out products on our digital channel, chats, forms and other telephone banking services.
