The data controller for ANDBANK’s customers :
- Identity: The data controller for ANDBANK’s customers is Andorra Banc Agrícol Reig, S.A. (hereinafter, “ANDBANK” or the “Institution”), with NRT (tax registration number) A-700158-F and banking institution registration number EB 01/95.
- Registered office/postal address: C/ Manuel Cerqueda i Escaler, 4-6, Escaldes-Engordany, AD700, Principality of Andorra.
- Website: https://www.andbank.com
- Phone number: +376 873 300.
Contact details of the Data Protection Officer: dpo@andbank.com
• Purposes of processing and legal basis for processing:
1. Contract/operational management and maintenance:
a. To manage the request of an interested party in the contracting of Andbank products and services.
b. To manage its contractual relationship with the customer. If the request to enter into a contractual relationship with Andbank is feasible, the latter shall process the personal data for the purpose of developing, controlling and maintaining the contractual relationship for the execution and provision of the products and services contracted between the customer and Andbank. Andbank shall proceed to register as a customer and shall process the customer data necessary to formalise the contracting of the product or service chosen, as well as, in the event that the customer so requests, those necessary for the management of Digital Personal Banking.
c. To manage possible incidents, complaints, queries, claims and suggestions. The processing of those personal data obtained in the formulation of the customer’s query, complaint or claim are necessary to be able to manage the reported incident and/or improve the services provided or offered, whereby the processing of this information is necessary for the execution of the contract entered into between the customer and Andbank.
d. Internal management of the web platform and any other operational platform of Andbank at any given time.
e. For the management of the services requested by the customer, it is sometimes necessary to obtain information from third parties relating to guarantors (bondsmen, co-signers, etc.) or third parties affected (beneficiaries, family members, etc.) by the contract entered into by the customer, such as those authorised in bank accounts. The customer expressly declares that the third-party information communicated is true and accurate and that he has informed about the communication of his data and obtained his consent to communicate his personal information in the corresponding process.
f. Processing of personal data of minors contracting products or affected by contracts entered into by the customer (e.g., authorised). The minor’s information shall be necessary depending on the type of service requested by the legal representative for the execution of the request and provision of the services contracted. Andbank shall only process this information relating to the minor with the duly signed authorisation of the legal representative (mother/father/guardian).
g. To obtain and provide information to and from credit institutions and other payment service providers, as well as from and to the payment systems and related technological service lenders themselves, to which the data necessary to carry out transactions related to the means of payment contracted by customers, such as transfers, cheques, bills of exchange, promissory notes and credit and debit cards requested by the customer are transmitted.
Processing basis: Contract execution.
2.Prevention of Money Laundering and the Financing of Terrorism:
a. Within the framework of the fight against the financing of terrorism and serious forms of organised crime and the prevention of money laundering and, in accordance with the regulations that govern it, Andbank is obliged to formally and actually identify those intervening in or applying for our products and services, as well as to identify the professional or business activity. In compliance with the aforementioned regulations, customers must be asked for any documents deemed necessary and convenient to prove the declared activity or to obtain information about it from sources other than the customer himself, reserving the right to withhold any transaction until they have been delivered and accepted
b. To communicate certain operations and any other personal data to the Andorran Financial Intelligence Unit (UIFAND)
c. To communicate to the Register of financial and similar accounts, an administrative register managed by the Ministry of Finance, to which banking, payment and electronic money institutions operating in the Principality of Andorra are obliged to declare the identification data of holders or beneficial owners relating to the opening or cancellation of bank and payment accounts and information on safe deposit boxes.
d. To obtain information from public sources, including information available on the Internet, on its customers, account holders or parties involved in the accounts, their legal representatives and real account holders
Processing basis: for the purposes indicated in paragraphs a), b), c), d) the processing basis is the fulfilment of a legal obligation.
e. To communicate the identification data of the holder, used for contracting, and the balances of the accounts of the interested parties to the entities of Andbank Group detailed in www.andbank.com, in order to facilitate compliance with their legal obligations regarding the prevention of money laundering, including the transmission of such information to the corresponding authorities.
Basis for processing the above data: Consent.
f. Data processing in fund transfer. Credit institutions as payment service providers transfer personal data to execute transactions and may be obliged to provide transaction personal data to institutions of correspondent banking and custodianship, in the framework of the prevention of money laundering and the financing of terrorism.
Basis for processing the above data: Contract execution.
3.Compliance with monetary obligations:
To assess the solvency and credit risk of the interested party. In order to be able to analyse the interested party’s risk, Andbank shall process the information provided by the latter, and that obtained from the consultation of internal files.
Basis for processing the above data: Legitimate interest.
4.Data transfer for fraud prevention:
Andbank may share customers’ personal data with the other Andbank Group entities, third party companies or to common systems regarding the exchange of fraudulent conduct exclusively for the purposes of fraud prevention.
Basis for processing the above data : Legitimate interest.
5.Profiling:
Profiling using the data provided by the customer and generated in the relationship with Andbank. Andbank may complete the customer’s data with information obtained through internal databases, historical behaviour (e.g. transactions) in the operations that the customer may have subscribed to in the past, commercial interests provided by the customer in the use of the service, as well as information identified or estimated by Andbank based on the credit risk that the customer shows in his contractual relationship.
Basis for processing the above data: Legitimate interest.
6.Video surveillance:
Andbank carries out video surveillance at its offices in accordance with the terms established in the law on private and public security.
Basis for processing the above data: Compliance with legal obligations and legitimate interest.
7.Biometric data:
Andbank uses devices or tablets for writing and signature digitalisation available through its offices or agents, as well as the online application and platform for the execution, by the customer, of opening accounts and contracting products and services, operations, applications, instructions, contracts, orders, declarations or documents of any type whose subscription through these devices requires the processing and conservation of the customer’s biometric data obtained through the recording of their image and the digitalisation of their signature and registration of said data in order to be able to prove the identity of the signatory and the authenticity of the documentation or operation subscribed to.
BBasis for processing the above data: Legal obligation and contract execution.
8.Commercial purpose:
a. Sending commercial communications, both by ordinary means and electronic means, of products, services and promotions of third parties, Andbank group companies, subsidiaries and affiliates (the list of companies: https://www.andbank.com), as well as companies with which Andbank has a collaboration agreement and also belong to any of the following types of products: banking products or services, insurance, welfare, investment services, collective investment, real estate assets, consumer products and services and any other similar products and services, in their various possible forms of marketing, either directly, as ancillary or jointly with others. To this end, Andbank may prepare commercial and risk profiles based on the analysis and evaluation of your personal data indicated in order to adjust the commercial communications and offers sent to you in accordance with the profile, potential interests or possible preferences resulting from such analysis and evaluations.
b. Sending Andbank products, services and promotions both by ordinary means (post and telephone) and electronic means (e-mail, SMS, instant messaging, application). The customer may always object to such processing either at the time of signing the contract, as well as in each communication addressed to the interested party, or at any given time.
c. Transfer of customers’ personal data to the other Andbank Group entities so that they may send personalised commercial communications, both by ordinary means (post and telephone) and electronic means (e-mail, SMS, instant messaging, application).
Basis for processing the above data: Legitimate interest and compliance with a legal obligation.
9.Recording of customer calls:
Andbank may record calls with its customers, the content of which it may be legally obliged to record. The reason for such recording is to be able to prove the content of different procedures or requests sent in accordance with the contract entered into, or, on occasions, to be able to assess or control the quality of the provided services. The customer shall be informed that the call will be recorded and may object to the call being recorded.
Basis for processing the above data: Legitimate interest and compliance with a legal obligation.
10.Data processing at the end of the commercial relationship:
Once the contractual relationship has ended, Andbank shall process your data in order to seek good conditions for the former customer and to try to keep them at Andbank. For this purpose, Andbank may contact you, both by ordinary and electronic means, with communications for the purpose of re-offering you services or promotions of its own products, those of the Group or third-party collaborators.
Basis for processing the above data: Consent.
11.Data processing through the process of anonymisation and pseudonymisation:
Andbank may proceed to the anonymisation of the aggregate data of its customers for certain processes without being able to associate this information with any customer, which is therefore an irreversible process. The data processing shall therefore take place during the anonymisation process, after which the personal data shall not be affected.
Basis for processing the above data: Legitimate interest.
12.Data communication to the competent authorities:
Data transmission to the Andorran judicial authorities, to the Andorran Tax Agency, and any other competent authority of the Principality in order to comply with legal requirements.
Basis for processing the above data: Compliance with a legal obligation.
13.Checking and matching data:
Personal data update. The customers’ personal data may be updated from own sources (customer-related databases) or from data that the interested party has manifestly made public or from another public source (official registers, list of professionals, etc.).
BBasis for processing the above data: Legitimate interest.
Types of data we process
Andbank may process data of potential customers as well as existing customers. With respect to these groups, Andbank may process, among others, the following types of data:
- Identification and contact details
- User data and content related to digital interaction with ANDBANK: IP address, cookies, geolocation, device identifier, applications and ANDBANK’s pages on social media.
- Nationality
- Biometric data, such as fingerprints and captures of the eye’s iris, face or voice;
- Personal information: nationality and family, professional and academic status;
- Tax or fiscal data
- Data related to solvency and risk
- Data related to the procurement of specific products, including banking, financial and transactional data
- Data related to the customers’ preferences
- Data related to claims or legal proceedings
- Data related to phone conversations
- Data obtained in the course of operations pursuant to the regulations on the prevention of money or securities laundering and the financing of terrorism;
- Video surveillance
- Card payment data and, in particular, location data on cash withdrawal sites and payments made
Hereinafter collectively referred to as “personal data”. All of the detailed personal data may be required by Andbank at certain specific times during the contractual relationship with the customer. Depending on the product being contracted, they must be provided on a mandatory basis in order to process the corresponding request. The above is understood to be without prejudice to any others that may be requested by Andbank in accordance with the applicable regulations at the time of processing such requests, and refusal to provide them may make it impossible to contract certain products.
Data’s origin
All the personal data that Andbank processes from its customers are those data provided by customers or individuals authorised by customers through Andbank’s data collection documents, as well as those provided to Andbank on the occasion of the formalisation of the contracting of our products and services, or through our website and apps, the electronic banking service (call centre), as well as in person at the bank offices or financial agents, which we may jointly refer to as “offices”.
Likewise, ANDBANK may obtain it through:
- Public registers
- Official gazettes
- Fraud prevention agencies
- B Databases for money laundering prevention purposes
- Internet, commercial and property registers
ANDBANK’s obligation to safeguard the documentation
ANDBANK will retain its customers’ personal data during the term of the contractual relationship and for as long as they are required for the specific purpose of each act of processing. Once they have been deleted, ANDBANK will block any data that are required for compliance with any legal obligations, in particular:
- For five years, in application of the regulations on the prevention of money laundering and the financing of terrorism, starting from (i) the date of the termination of the business relations with the customers and (ii) the date of the occasional transaction
- During the maximum period of time established in the regulation on the calculation of capital and provisions
- And during the legal prescription periods for the exclusive purposes of claims and legal actions
After these deadlines have elapsed, ANDBANK will destroy its customers’ personal data.
With whom can ANDBANK share its customers’ personal data:
- Supervisory authorities in the Principality of Andorra, such as the AFA or the UIFAND
- Authorities in other countries inside and outside the European Union, in compliance with the regulations on the prevention of money laundering and the financing of terrorism and fraud prevention
- The Batllia (Court of First Instance), the Public Prosecutor’s Office, the Saig (public official for legal matters), the Tax Agency and/or the competent Public Administrations
- Notaries and public registries
- Credit information system management entities or similar
- Professional advisers, counterparties, correspondents and third-party service providers. These third parties may act as the data controllers when they have to process the customers’ data to comply with legal obligations. These disclosures of data which may be performed in a timely manner are required for the management of the contractual relationship between ANDBANK and its customers.
- Institutions belonging to the ANDBANK Group
- Potential purchasers or investors in portfolios owned by Andbank.
Information relating to Andbank Group companies
As detailed in all the information relating to data protection, Andbank may transfer personal data to the different entities of the Andbank Group for each of the purposes described in each of the previous sections. The customer may find out about the Group entities through the link www.andbank.com, any of which may be established either within the European Economic Area (hereinafter, “EEA”) or in countries whose level of protection is equivalent to that of the EEA, as well as in third countries whose level of protection is not equivalent to that of the EEA. In this respect, Andbank has taken the appropriate safeguards provided by law for such international data transfers, such as the corresponding risk analysis of the international transfer, as well as the signature of a contract including the standard clauses approved by the European Commission for such international transfers. Should you wish to obtain a copy, you may request a copy from Andbank’s Data Protection Delegate via the contact details given in the heading.
Rights of the interested party
- Access: Customers may view their personal data in ANDBANK’s possession.
- Correction: Customers may request the modification of their data if they are inaccurate or incomplete.
- Erasure: Customers may request the erasure of their data when, among other reasons, the data are no longer required for the purposes for which they were collected.
- Restriction of the processing: Customers may request the restriction of the processing of their data in the event that these are inaccurate, the processing is unlawful, they are required for the submitting of claims or ANDBANK’s legitimate basis for the processing is being reviewed.
- Data portability: Customers may request that personal data be sent in a commonly used electronic format to another entity.
- Opposition: Customers may request that their personal data not be processed for specific purposes, except in cases of processing required for the continuance of the contractual relationship.
- In addition, customers will have the right not to be subject to a decision that gives rise to legal effects affecting them when this decision is based solely on automated data processing designed to assess certain personality-related aspects, including profiling, notwithstanding the exceptions legally envisaged.
Similarly, customers may withdraw their consent at any time without affecting the lawfulness of the processing.
For the exercise of the above data protection rights, customers may contact ANDBANK’s Data Protection Officer via e-mail at dpo@andbank.com or by writing to the following address: C/ Manel Cerqueda i Escaler, 4-6, Escaldes-Engordany, AD700, Principality of Andorra, specifying the right to be exercised and sending a photocopy of their Passport, ID card or any valid equivalent identification document.
In addition, the interested party may, at any given time, revoke the consent granted for the processing via the aforementioned means.
The exercise of these rights is free of charge.
Likewise, you may request from our DPO (dpo@andbank.com), the essential elements of the weighting analyses carried out in which the application of legitimate interest as an enabling basis for the processing of personal data is understood to be appropriate.
Claims
Customers who believe their data protection rights have been infringed or wish to make a claim regarding their personal information can contact ANDBANK via email at dpo@andbank.com or write to the following address: C/ Manuel Cerqueda i Escaler, 6, Escaldes-Engordany, AD700, Andorra.
In any event, they can contact the ADPA (Andorran Data Protection Agency), the Andorran control authority in matters of data protection, www.apda.ad, Edifici del Consell General, C/ Doctor Vilanova, 15-17 (planta -5), Andorra La Vella (Principality of Andorra). Phone number (+376) 808 115.