Information on the protection of customer data

Data Controller

Data Protection Officer

What personal data does Mora Assegurances process?

How does Mora Assegurances obtain your data?

For what purpose and on what legal basis do we process your data?

Who will receive your data?

Are there international data transfers?

Retention period

Data protection risk analysis

Data protection rights

Data protection claims

Annex I: Personal data that Mora Assegurances may process

 

Data Controller

The controller of your personal data is MORA ASSEGURANCES, SAU, with registered office at Avenida Meritxell, 96 AD500 – Andorra la Vella, registered in the Companies Registry of the Principality of Andorra under number 6895 (hereinafter, “Mora Assegurances” or the “Company”).

Back


 

Data Protection Officer

We inform you that Mora Assegurances has appointed a Data Protection Officer who will be responsible for supervising and monitoring compliance with the regulation relating to personal data protection (Law 29/2021, of October 28, qualified on personal data protection).

For any query or request regarding data protection, you may contact the Data Protection Officer of Mora Assegurances at the aforementioned physical address or at the following email address: dpo@morabanc.ad.

Back


 

What personal data does Mora Assegurances process?

The personal data we process includes any information you provide during the customer registration process or during the contracting processes of any of our products or services, as well as any information to which we have or have had access during the contractual relationship, understood in a broad sense, through any of our channels: branches, website, mobile application, chats, forms and telephone.

Unless otherwise indicated, all collected data will be necessary as they are indispensable elements for the formalization, maintenance, development, performance and/or control of the contractual relationship, which cannot be carried out if you do not provide them.

We may also process personal data of third parties (among others, insured persons if different from the policyholder, beneficiaries, deceased persons, heirs and affected parties) solely for the purposes of contract management and compliance with legal obligations. Mora Assegurances will not process or disclose this data to third parties for purposes beyond this management.

Click HERE if you wish to know more details about the personal data processed by the Company.

Back


 

How does Mora Assegurances obtain your data?

  • Through Mora Banc Grup, SA (hereinafter, the “Bank”). The Company markets its products through the Bank using its sales network and its IT systems. Taking advantage of the synergies of this relationship, the Company uses the data available to the Bank on individuals who initiate the contracting of insurance, making such contracting more agile and convenient both for the Company and for the individual concerned. Likewise, the Company delegates to the Bank the services of prevention of money laundering and terrorist financing, as well as tax services. This means that the Bank: (i) will communicate to Mora Assegurances all relevant information and (ii) will obtain information from third-party sources, such as specialized information files or publicly available sources on the internet.
  • Third-party medical assessment service providers in the event of a claim or for risk assessment purposes.
  • Different companies that provide additional services to individuals depending on the products or services contracted, among others (i) home medical assistance, (ii) second medical opinion and (iii) tele-underwriting.

Back


 

For what purpose and on what legal basis do we process your data?

1. Pre-contractual phase or information request

  • Processing related to the request for information about products or services offered by Mora Assegurances, as well as pre-contractual procedures:
ProcessingLegal basis
  • Managing information requests in order to respond to your request regarding our financial products and services.
  • Telephone management that allows, among other things, the contracting of the products and services offered.
  • Verification of the fulfillment of necessary requirements and risk assessment for the contracting of the products or services offered by Mora Assegurances.

These processing activities are necessary to carry out the contracting and, if you object, we inform you that it will not be possible to formalize the contract.

Application of pre-contractual measures (Article 6.1. b) of Law 29/2021 on Personal Data Protection).

2. Contractual phase

  • Processing related to the contracting of products or services offered by Mora Assegurances:
ProcessingLegal basis
  • Subscribe, maintain and fulfill the existing contractual relationship between Mora Assegurances and policyholders, including: (i) customer registration management, (ii) claims management, (iii) management of services offered to individuals depending on the products or services contracted, (iv) updating and sending documents, (v) carrying out audits, (vi) managing possible complaints and claims (judicial and extrajudicial), (vii) electronic signature management.
  • Communicating your data, in whole or in part, to other insurance entities for the purpose of claims settlement.
  • Communicating your data to insurance or reinsurance entities with which the Company decides to enter into reinsurance or coinsurance contracts, solely to sign and maintain the aforementioned contractual relationship.
  • In the event that the insured is different from the policyholder, managing the processing of the death claim of the insured covered by the insurance policy contracted.
  • Managing the processing and invoicing of assistance requested by the policyholder, insured and beneficiary under the contracted insurance policy.
  • Processing health data of the policyholder, insured and beneficiaries in order to mutually communicate personal data between the Company and healthcare professionals and centers, whenever necessary for the provision of assistance requested under the insurance policy. The Company may obtain information related to your health and the assistance requested and/or received in order to manage processing and invoicing.
  • Managing the telephone service and ChatBot that allows, among other things, the following online procedures: (i) claims processing, (ii) submission of medical invoices, and (iii) notification of sick leave.
  • In case of non-payment of amounts due to Mora Assegurances under the contract, processing data relating to non-payment (original amount, start date, due date, outstanding amounts, type of financing, existing guarantees and their valuation) and carrying out recovery tasks.

These processing activities are necessary to carry out the contracting and, if you object, we inform you that it will not be possible to formalize the contract.

Performance of the contract (Article 6.1. b) of Law 29/2021 on Personal Data Protection).
Mora Assegurances must comply with certain legal obligations to manage the products or services requested and contracted by clients, including:
  • Carrying out certain actions to comply with Law 12/2017 on the regulation and supervision of insurance and reinsurance entities of the Principality of Andorra and Law 14/2017 on the prevention and fight against money laundering and terrorist financing, and to prevent, detect and control possible fraud situations, such as unauthorized access to personal information or identity theft.
  • Issuing certain reports to financial authorities, such as the Andorran Financial Authority (AFA), as the supervisor of the Andorran insurance sector, and to other international bodies in relation to obligations imposed by international tax regulations, specifically the Foreign Account Tax Compliance Act (FATCA) and those derived from the Common Reporting Standard (CRS).

Additionally, we inform you that services related to money laundering prevention and terrorist financing, as well as tax services, are delegated to the Bank. This means that the Bank: (i) will communicate to Mora Assegurances all relevant information, and (ii) will obtain information from third-party sources, such as specialized files or publicly available sources on the internet.

Likewise, the Financial Intelligence Unit of Andorra (UIFAND) may receive your personal data for: (i) the periodic submission of operations that meet certain defined parameters, or (ii) to request specific information about an operation.

  • Communicating data to competent public bodies, the Department of Taxes and Borders, the Andorran Social Security Fund (CASS), or to mayors, judges and courts.
  • Managing requests, complaints and claims that may be received regarding clients.
  • Managing requests for the exercise of rights in matters of personal data protection in compliance with Articles 18 to 26 of Law 29/2021 on Personal Data Protection.
  • On certain occasions, the Company may be subject to financial audits, audits on the prevention of money laundering and terrorist financing, product audits and tax audits.

Legal obligations will exist and must be fulfilled by the Company even once the contractual relationship with clients has ended, for as long as it is legally obliged to do so.

It is mandatory to carry out this processing in compliance with the different laws mentioned and, if you object, we inform you that it will not be possible to formalize the contract.

Compliance with a legal obligation (Article 6.1.c) of Law 29/2021 on Personal Data Protection).
– Processing of health data, both at the start of the contract and during its validity, either for claims management or for sick leave, or for co-insurance or reinsurance purposes. Given the specificity of Mora Assegurances’ insurance contracts, the processing of health data will be a condition for being able to formalize and, if applicable, manage the insurance contract. In many of our products, it will not be possible to formalize the contract without processing the health data of the different insured parties.Consent. Processing of special categories of data (Article 9.2.a) of Law 29/2021 on Personal Data Protection).
  • Customer satisfaction surveys via phone calls or electronic means (email, SMS or any equivalent electronic mechanism). This processing is based on the legitimate interest of Mora Assegurances to know the customer experience. We inform you that these services are delegated to the Bank, which, for this purpose, will act in the name and on behalf of Mora Assegurances. You may object to this processing by checking the box provided for this purpose at the beginning of the procedure for contracting our products or services. In any case, you may object to this processing through the procedure provided, in each commercial communication, or whenever you wish by contacting: protecciodedades@morabanc.ad.
  • Ongoing management of your status as a customer of Mora Assegurances and updating of data. Mora Assegurances and the entities of its Group, specifically: Mora Banc Grup, SAU and Mora Gestió d’Actius, SAU will share information associated with the updating of your data. This means that, if you update a personal detail at Mora Assegurances, it may provide the updated data to any of the Group entities, or to those that may share location data (e.g. email, phone or address). This processing is carried out on the basis of the legitimate interest of having all information updated across all MoraBanc Group entities whose products are marketed by the Company, without you having to request this update from each of the different entities of the Group.
Legitimate interest (Article 6.1.f) of Law 29/2021 on Personal Data Protection).
  • Processing related to commercial purposes:

  • From a commercial perspective, the Company may carry out the following actions:

 ProcessingLegal basis
Commercial communications by electronic means (email, SMS or other equivalent electronic mechanism) or telephone of financial products or services of Mora Assegurances.

We inform you that these campaigns may be carried out directly by Mora Assegurances or through third-party companies or the Bank, which, for this purpose, will act in the name and on behalf of Mora Assegurances.

Legitimate interest (Article 6.1.f) of Law 29/2021 on Personal Data Protection).

Finally, you may object to or consent to these processing activities by checking the boxes provided for this purpose at the beginning of the procedure for contracting our products or services. In any case, you may consent to or object to such processing at any time, either through the procedure provided, in each commercial communication, or whenever you wish by contacting: protecciodedades@morabanc.ad.

Balancing of legitimate interest
In the case of those processing activities based on the legitimate interest of the Company detailed above, and to ensure that the necessary safeguards have been taken into account and that the rights of our clients regarding personal data protection are not harmed, the Company has carried out the corresponding balancing tests between such legitimate interests and the rights of the data subjects. The results of these analyses are favorable, given the circumstances of each case analyzed, as it is understood that these safeguards have been taken into account.

If you wish to know the conclusions of the balancing tests of legitimate interest carried out by Mora Assegurances in relation to the processing detailed above to verify that your data protection rights are not harmed, you may request them from the Data Protection Officer at: dpo@morabanc.ad.

Back


 

Who will receive your data?

  • Public bodies, national financial supervisory authorities, authorities for the prevention of money laundering and terrorist financing, Department of Taxes and Borders, Andorran Social Security Fund (CASS), mayors, judges and courts, police, and, in general, competent authorities, whenever the Company has a legal obligation to provide them.
  • Authorities of other countries, in compliance with tax regulations, prevention of money laundering and terrorist financing, and fraud prevention.
  • Mora Banc Grup, SA, depending on the delegation to this entity of the following services: (i) services related to prevention of money laundering and terrorist financing, (ii) tax services, (iii) conducting satisfaction surveys, (iv) telephone and postal management, (v) legal advice and internal audits, and (vi) management of requests for the exercise of rights.
  • Entities of the MoraBanc Group, specifically: Mora Banc Grup, SA, with registered office at Av. Meritxell number 96, AD500 – Andorra la Vella | Principality of Andorra (activity: banking in a broad sense) and Mora Gestió d’Actius, SAU, with registered office at Carrer de l’Aigüeta, 3, AD500 – Andorra la Vella | Principality of Andorra (activity: management of collective investment schemes, discretionary and individualized portfolio management, and investment advice), in order to ensure proper ongoing management of your status as a MoraBanc client and the updating of your data, as well as for fraud prevention and the prevention of money laundering and terrorist financing. Only if you have given your consent for commercial purposes will your personal data be shared with the Group companies identified above for such purposes.
  • Entities in the insurance and reinsurance sector, exclusively for the purpose of signing reinsurance and coinsurance contracts.
  • In addition to the above, the Company collaborates with other third-party service providers, which also have access to client data and process it on behalf of the Company as a result of the provision of such services. Specifically, the Company contracts the provision of the following services from third-party providers, by way of example and not limitation: claims management assistance services, insurance brokerage services, telescreening services, commercial campaigns and medical examinations for risk selection, administrative management and customer service, advisory and consultancy services, audits of service quality, maintenance or technological development, IT services, printing and sending of correspondence, software licensing, maintenance or development, and data hosting. This means that these companies may access, as processors, personal data for which Mora Assegurances is responsible.
  • The Company follows strict criteria in the selection of service providers in order to comply with its obligations regarding data protection and undertakes to sign the corresponding data processing agreement with them, which will impose, among others, the following obligations: applying appropriate technical and organizational measures; processing personal data for the agreed purposes and only according to the documented instructions of the Company; and deleting or returning the data to the Company once the service has been provided.

Back


 

Are there international data transfers?

Certain third-party service providers detailed in the previous section are located outside the national territory, including in countries with data protection levels not comparable to those of Andorra or Europe.

International data transfers that may take place as a result of the provision of the aforementioned services must comply with the appropriate safeguards of Article 44 of Law 29/2021 on Personal Data Protection.

In the event of future international data transfers, these will be carried out on the basis of appropriate safeguards. Furthermore, the Company, in its annual data protection control, includes as a supervision task such international data transfers. If you would like more information about the appropriate safeguards for international transfers, you can contact the Company’s Data Protection Officer at: dpo@morabanc.ad.

Back


 

Retention period

Mora Assegurances must process your data throughout the entire contractual relationship you maintain with us. After the termination of the contractual relationship, we will only keep your personal data for the periods determined in each case by the legal limitation that may arise from each of the signed contracts and the applicable regulation (as a general rule, thirty (30) years once the obligations derived from the contract have ended).

During the period that we keep your data due to legal obligations, it will remain blocked. This means that such data will be reserved with the necessary technical measures to prevent its processing, being made available only to judicial bodies or public administrations that may require this information. Once these periods have passed, Mora Assegurances will proceed to delete the personal data.

Back


 

Data protection risk analysis

Mora Assegurances has carried out various risk analyses regarding data protection for all the processing identified in this document. The issues analyzed took into account aspects such as: processing of special categories of data; data volume; processing of third-party data; involvement of third parties in the data flow; assessment of personal aspects of individuals; execution of asset management tasks; contracting of external providers; data transfers; legal bases of the processing and the possibility of exercising data protection rights by data subjects, among others.

Following the analyses carried out, MoraBanc conducted the data protection impact assessments that were deemed necessary after the prior risk analyses. You may request any additional information by writing to the Data Protection Officer of Mora Assegurances at: dpo@morabanc.ad.

Back


 

Data protection rights

  • Access: you may obtain information related to the processing of your personal data and a copy of such personal data.
  • Rectification: if you believe that your personal data is inaccurate or incomplete, you may request the modification of such personal data.
  • Erasure: you may request the deletion of your personal data, to the extent permitted by law.
  • Restriction of processing: you may request the restriction of the processing of your personal data if (i) you contest the accuracy of your data, (ii) you believe it is unlawful processing, (iii) you need the data to establish or exercise a claim, or (iv) you wish to exercise the right to object.
  • Objection: you may object to the processing of your personal data for reasons related to your particular situation. For example, the data subject has the right to object to the processing of personal data for commercial purposes, which includes the development of analytical models related to such activity.
  • Data portability: as long as it is legally and technically possible, you have the right to have the personal data you have provided returned to you or, when technically possible, transferred to a third party.
  • Withdrawal of consent: whenever you have given consent for the processing of your personal data, you will have the right to withdraw it at any time.

You can exercise these rights by sending an email to protecciodedades@morabanc.ad or by postal mail addressed to MORA ASSEGURANCES, SAU (Attention: Data Protection Officer), Avenida Meritxell, 96 AD500 – Andorra la Vella | Principality of Andorra.

If your identity cannot be verified by other means, you must provide a copy of your passport or official identification document.

Back


 

Data protection claims

If you believe that your data protection rights have been violated, you may contact the Data Protection Officer of Mora Assegurances, who will handle your request and review the best way to process your claim, at: dpo@morabanc.ad.

In any case, you can always contact and file a claim with the Andorran Data Protection Agency, https://www.apda.ad, the supervisory authority in this matter.

Back


 

Annex I: Personal data that Mora Assegurances may process

Identification dataFirst and last name.
Email and physical address.
Phone.
Passport or ID document.
Handwritten and digital signature.
Personal characteristics dataMarital status.
Family data.
Date of birth.
Place of birth.
Age.
Sex.
Nationality.
Physical characteristics.
Commercial informationActivities and businesses.
Goods and services transactionsGoods and services supplied.
Goods and services received.
Data related to product contracting, including banking, financial and transactional data.
Compensations/Indemnities.
Economic and financial dataBank details.
Payroll economic data.
Income, rents, investments and assets.
Credits, loans and guarantees.
Pension and retirement plans.
Taxes.
Insurance.
Mortgages.
Subsidies.
Creditworthiness and credit risk dataContracted products.
Financial information of such products and situations of default or non-payment.
Academic and professional dataEducation and qualifications.
Profession.
Job position.
Work history.
Non-economic payroll data.
Social circumstancesHousing characteristics.
Military situation.
Properties and possessions.
Contracting-related dataClaims, complaints or legal proceedings data.
Data related to your preferences.
Telephone conversation data.
Manager observations.
Forms for information collection on money laundering and terrorist financing prevention.
Contractual conditions of the contracted product.
Information obtained from interviews and forms.
Third-party dataBeneficiaries.
Family.
Spouses.
Deceased.
Affected parties.
Sensitive dataHealth data necessary for the contracting of policies.
Criminal record data that may arise from obligations related to money laundering and terrorist financing prevention.
Data derived from possible fraud situations.
Digital environment dataUser data and content related to digital interaction through operational channels at any given time. IP address and internet domain information, geolocation, cookies, device identifier, our applications and our social media pages, chats, forms and other telephone banking services.

Back