III. What personal data does MoraBanc process?
IV. How does MoraBanc obtain your personal data?
V. For what purpose and on what legitimate basis do we process your data?
VI. Who will receive your personal data?
VII. Are there international transfers of personal data?
IX. Personal data protection risk analysis
X. Personal data protection rights
Schedule I. Personal data that MoraBanc may process
The data controller of your personal data is MORA BANC GRUP, SA, whose registered address is at Avinguda Meritxell, 96 AD500 – Andorra la Vella, and that is filed with the Companies Registry of the Principality of Andorra under number 1828 (hereinafter, “MoraBanc” or the “Company”).
You are hereby informed that MoraBanc has appointed a Data Protection Officer, who shall be the person responsible for supervising and enforcing compliance with the law on personal data protection (passed by Act 29/2021, of 28 October).
For any enquiries or requests that you may have about personal data protection, you may contact MoraBanc’s Data Protection Officer at the above address or at the following email address: dpo@morabanc.ad.
The personal data that we process includes any information you provide to us in the customer onboarding process or in any processes for engaging any of our products or services, in addition to any information that we have or have had access to during our contractual relationship with you, understood in the broadest sense, through any of our channels: branches, website, mobile app, chats, forms, online and telephone banking services.
Unless otherwise stated, all data collected shall be required as they are essential details for executing, maintaining, performing, complying with and/or monitoring our contractual relationship, which it would not be possible to establish should you fail to provide them.
We may also process the personal data of third parties (family members, guarantors, legal representatives, amongst others) for the sole purpose of handling our contractual relationship and the performance of all legal obligations. MoraBanc shall not process or disclose these data to third parties for purposes other than handling this contractual relationship.
Click HERE if you would like further details about the personal data that the Company processes.
In addition to the personal data that you provide to us, the Company may obtain information about its customers from external sources of information, including official journals and gazettes, public registries, rulings and decisions handed down by public bodies, lists of members of professional associations, files relating to information on the prevention of money laundering and the financing of terrorism, the Ministry of Taxes and Borders and the Andorran Social Security Fund (CASS), companies in the MoraBanc Group that may disclose data concerning the prevention of money laundering and the financing of terrorism, social media, public sources and the Internet, in addition to third-party businesses to which you have given your consent for the assignment of your personal data.
1. Pre-contractual phase and information requests
Purpose of data processing | Legitimate basis |
---|---|
In these cases, your personal data must be processed for contractual reasons and, should you object to this, you shall be told that the contract in question cannot be executed. | The enforcement of pre-contractual measures pursuant to section 6.1 b) of Act 29/2021 on Personal Data Protection |
You may withdraw your consent at any time by writing an email to: protecciodedades@morabanc.ad | Consent given pursuant to section 6.1.a) of Act 29/2021 on Personal Data Protection |
2. Contractual phase
Purpose of data processing | Legitimate basis |
---|---|
In these cases, your personal data must be processed for contractual reasons and, should you object, you shall be told that the contract in question cannot be executed. | The execution of contracts pursuant to section 6.1 b) of Act 29/2021 on Personal Data Protection |
MoraBanc must fulfil certain legal obligations for dealing with products and services requested that are taken out by customers, including, amongst others:
Actions related to: (i) checking the identity of natural persons and legal entities; (ii) checking the source of funds; (iii) monitoring transactions conducted by customers; and (iv) informing the authorities about domestic and international controls. MoraBanc discloses all information related to the prevention of money laundering and the financing of terrorism to all the entities in its Group. You are likewise hereby informed that the services for the prevention of money laundering and the financing of terrorism have been entrusted by MoraBanc to Mora Assegurances, SAU and Mora Gestió d’Actius, SAU. This therefore means that MoraBanc: (i) shall disclose all information that it deems relevant to Mora Assegurances, SAU and Mora Gestió d’Actius, SAU; and (ii) shall obtain information from third parties such as specialised data files or publicly available sources on the Internet about its account holders, joint account holders, legal representatives and beneficial owners.
All legal obligations shall remain in place and be performed by the Company even after the contractual relationship with its customers has terminated for as long as it is legally bound to do so. The data processing that must be carried out in compliance with the various laws described is mandatory and, should you object to this, you are hereby informed that you may not enter into a contractual relationship with the Company. | Performance of a legal obligation pursuant to section 6.1.c) of Act 29/2021 on Personal Data Protection |
| Legitimate interest pursuant to section 6.1.f) of Act 29/2021 on Personal Data Protection |
| Consent given pursuant to section 6.1.a) of Act 29/2021, on Personal Data Protection |
Assessment of solvency and credit risk
Pursuant to the legal requirements discussed, the Company shall assess your solvency and credit risk. To do so, MoraBanc examines all of the information you have provided that it has on its records. NO scores are given nor are automated decisions taken for customers and NO information is obtained from third parties or from records on defaults on financial obligations in drawing up the credit risk assessment. As can be seen below, decisions are taken by a team appointed for this purpose.
Information about the assessment of solvency and credit risk | |
---|---|
Data categories used or that shall be used for this assessment | Identification details: forename, surname, passport or identity document, address, financial information and work details. This information may be obtained from the data subject or from searches on MoraBanc’s database or, in the case of Spanish companies, the Informa database.
No external records on insolvency nor are external registries searched. |
Why are these categories considered relevant? | There is no model that sets guidelines or points to assess specific risks, but, in the case of some campaigns, specific points may be used to decide whether or not a data subject fulfils the requirements to be granted a special offer. |
How are decisions taken? | Based on the information it has been given, the Risk Department draws up a report that, depending on the amount involved, is submitted to the relevant Committee. The Committees are responsible for taking the final decision. |
Anticipated results of this data processing | Once the assessment has been completed, it is decided whether or not a transaction can go ahead and the result passed on to the relevant bank manager. |
In the case of data processed based on the Company’s legitimate interest as described above, to ensure that all the safeguards have been taken required not to breach the rights of our customers in respect of personal data protection the Company has examined the weighting between these legitimate interests and the rights of data subjects. The findings of this analysis are positive, based on the circumstances of each case examined to understand whether these safeguards were taken into account.
If you would like to learn more about the conclusions of the studies on the weighting of legitimate interest conducted by MoraBanc related to the data processing discussed in the above points in order to verify that your data protection rights have not been breached, you may ask the Data Protection Officer for them at the following email address: dpo@morabanc.ad.
For marketing purposes, the Company may carry out the following actions:
Purpose of data processing | Legitimate basis | |
---|---|---|
Sending marketing messages via electronic media (email, SMS or similar electronic messaging) and making telephone calls regarding MoraBanc’s financial products and services. | Legitimate interest pursuant to section 6.1.f) of Act 29/2021 on Personal Data Protection | |
Sending marketing messages via electronic media (email, SMS or similar electronic messaging) and making telephone calls regarding third-party products and services such as those provided by Mora Assegurances, SAU and Mora Gestió d’Actius, SAU, and products provided by third-party companies with which MoraBanc has reached business agreements. | Consent given pursuant to section 6.1.a) of Act 29/2021, on Personal Data Protection | |
Your personal data shall be assigned to the following companies in the MoraBanc Group that belong to the insurance and investment service sectors so that they may carry out actions or send promotional marketing messages by way of telephone calls and electronic media (email, SMS or similar electronic messaging) of products that may match your profile: – Mora Assegurances, SAU – Mora Gestió d’Actius, SAU | Consent given pursuant to section 6.1.a) of Act 29/2021, on Personal Data Protection |
Creation of analytical models for drawing up marketing profiles
The Company hereby informs you that based on analytical models it may customise the range of products and services offered to you in line with your socio-economic background, past transactions, assets, risk profile and payment behaviour in order to match our product offering to your profile. In any event, these models are built using the Company’s internal information that you have provided to it or that has been obtained based on products taken out in the past and on your balances. NO information is obtained from third parties to draw up these profiles. A breakdown is given below of the significant information about these profiles:
Information on the creation of analytical models for marketing purposes | |
---|---|
Data categories used or that shall be used for creating the abovementioned models | Socio-demographic information (information about marital status, family, date of birth, place of birth, age, sex, nationality, place of residence), transactions with products (taken out, held, cancelled), salary, loans, credits, cards and information on their use, pension plans, retirement plans, balance of investments with the bank, insurance policies held with Mora Assegurances, SAU (health, sick pay and life insurance), complaints and claims and the reasons and dates lodged, scores given in satisfaction surveys, online and offline transactions, information about your cookies and your browsing history. |
Why are these categories considered relevant? | Because they are made up of variables that are usually correlated with buying habits or the cancellation of a product. |
How are the models drawn up? | By examining what customers have done in the past, we are able to predict what they will do in the future. MoraBanc is therefore able to address them with relevant marketing campaigns. |
Why is this model relevant for automated decision-making? | Because it helps prioritise customers and define what to offer to each of them, rather than offering everything to everyone. |
Anticipated results of this data processing | After devising an analytical model, MoraBanc picks out the potential customers for each product. Thus, MoraBanc is able to contact these customers and offer them products most suited to their requirements. Therefore, communication channels are used with customers, whether through their branches, letters, telephone calls and electronic media such as emails, push notifications, SMS, ATMs and online banking accounts, or through specific notifications and banners. |
Finally, you may object or consent to your data being processed by ticking the boxes made available for this purpose that are found at the beginning of any contracts for engaging our products and services. In any event, you may consent or object to your data being processed at any time, by either following the procedure for doing so in each marketing message or by writing an email to protecciodedades@morabanc.ad.
The Company shall only disclose its customers’ personal data to the following recipients or categories of recipients:
Your personal data shall only be disclosed to the Group companies mentioned in the above paragraph if you have given your consent to receiving marketing messages.
The Company follows strict standards in the selection of service providers so that it fulfils its obligations in respect of personal data protection and it undertakes to execute the relevant data processing agreements pursuant to which it imposes, amongst others, the following obligations on them: they must implement suitable technical and organisational measures; process the personal data for the purposes agreed upon by only following the Company’s written instructions; and erase or return the data to the Company once the service provision has come to an end.
Certain third-party service providers listed in the previous point are located outside of the domestic territory, including in countries with data protection levels that are not comparable with those in Andorra or the EU.
Furthermore, as a result of the transactions involving cheques, transfers, remittances, POS terminals, investment services, SWIFT payments, SEPA payments, correspondent bank orders and summons from foreign authorities personal data may be transferred to countries outside of Andorra and the European Union that have not signed up to Convention 108 of the Council of Europe.
International data transfers that may be made as a consequence of the provision of the aforementioned services must fulfil the safeguards set forth on sect. 44 of Act 29/2021 on personal data protection.
Should international transfers of personal data be made in the future, they shall be carried out based on these safeguards. In conducting its annual review of personal data protection, the Company also oversees international transfers of personal data. Should you require further information on the safeguards implemented for international transfers, you may write an email to the Company’s Data Protection Officer at dpo@morabanc.ad.
MoraBanc must process your personal data throughout the term of our contractual relationship with you. On the termination of our contractual relationship, we shall only keep your personal data on record for prescription periods set by the laws in force to which each of the contracts signed are subject (as a general rule, thirty (30) years once the obligations arising from a contract have terminated).
During the term that we keep your personal data on record due to legal obligations, they shall be locked. This means that these data shall be stored subject to the technical measures required to prevent their processing and shall only be disclosed to judicial bodies or public administrations that require this information. Once these terms have elapsed, MoraBanc shall erase the personal data.
MoraBanc has conducted a number of personal data protection risk analyses of all the data processing described in this document. The matters analysed took into account aspects related to the processing of special categories of personal data; the volume of data; the processing of third-party data; the involvement of third parties in the data processing workflow; the assessment of the personal details of natural persons; asset management tasks; the engagement of third-party service providers; the assignment of data; the legitimate bases for data processing and the possibility of exercising rights related to the protection of the data subjects’ personal data, amongst others.
Following the analyses conducted, MoraBanc made assessments of the impact of the personal data protection measures set after the preliminary risk analyses conducted. You may request any additional information by writing an email to the Data Protection Officer at dpo@morabanc.ad.
Pursuant to the regulations on personal data protection, you may exercise the following rights:
You may exercise these rights by sending an email to protecciodedades@morabanc.ad or a letter to MORA BANC GRUP, SA (for the attention of the Data Protection Officer), Avinguda Meritxell, 96 AD500 – Andorra la Vella, Principality of Andorra.
You must submit a copy of your passport or official identity document that identifies you in the event that this cannot be done using other means.
If you believe that your personal data rights have been breached, you may contact MoraBanc’s Data Protection Officer (dpo@morabanc.ad), who shall deal with your request and look into the best way to process your claim. In any event, you may submit a claim to the Andorran Data Protection Agency at https://www.apda.ad, which is the supervisory authority on these matters.
Identification details | Forename and surname(s). Address (email and home). Telephone number. Passport or identity document. Handwritten and digital signature. |
Personal details | Marital status. Family circumstances. Date of birth. Place of birth. Age. Sex. Nationality. Mother tongue. Physical characteristics. Image. |
Business information | Business activities. Business licences. Subscriptions to publications. Artistic, literary and scientific output. |
Transactions involving goods and services | Goods and services provided. Goods and services received. Details about products taken out, including bank, financial and transactional details. Compensation and indemnity. |
Financial details | Bank details. Salary. Income, revenues, investments and property assets. Credits, loans and guarantors. Pension and retirement plans. Tax. Insurance. Mortgages. Subsidies. Credit history. Credit cards and details of their use. Details about card payments. Location of cash withdrawals and payments made. Payment system credentials. Details of debt. Payment behaviour. Investment balances. |
Solvency and credit risk details | Products taken out. Financial information on these products and details on defaults. |
Academic and work details | Education and qualifications. Occupation. Workplace. Employee and employment records. Non-financial salary details. |
Social circumstances | Characteristics of housing/home. Military status. Properties and possessions. Interests and lifestyle. Membership of clubs and associations. Licences, permits and authorisations. |
Contractual details | Details of claims, complaints and legal actions. Details about your preferences. Details of telephone conversations. Details of remarks by bank managers. Forms for obtaining information about money laundering and the financing of terrorism. Tests taken pursuant to Act 8/2013 on organisational requirements and operating conditions for institutions operating in the financial sector, investor protection, market abuse and financial collateral agreements, including any modifications made to date. Contractual terms and conditions of products taken out. Information obtained from interviews and forms. |
Third-party details | Guarantors. Beneficiaries. Family. Spouses. |
Sensitive information | Information from criminal records arising from the obligations on the prevention of money laundering and the financing of terrorism. Information about possible fraud. Biometric details from your digital signature. |
Details on the digital environment | User details and content related to digital interaction on devices enabled at any given time. IP address and information on Internet domains, geolocation, cookies, device identifiers, our apps and our social media websites, information on images and videos required for taking out products on our digital channel, chats, forms and other telephone banking services. |