Privacy Policy

PRIVACY POLICY

Introduction

The protection of fundamental rights and freedoms, and in particular, the protection of individuals in relation to the processing of personal data, is one of the basic principles of Grupo Catalana Occidente (henceforth, “GCO” or the “Group”), as reflected in its Code of Ethics, in compliance with legal requirements and its corporate governance system.

The purpose of GCO's privacy policy (hereinafter, the "Policy") is to provide a concise, transparent explanation, in clear, simple language, of the way in which companies in the Group will use any personal data collected from its customers (as defined below), in accordance with the provisions of the European Union General Data Protection Regulations, 2016/679, Organic Law 3/2018, of 5 December, on Protection of Personal Data and Guarantee of Digital Rights, and the regulations implementing it in force at any given time (henceforth the "Personal Data Protection Regulations").

Who is the controller of your personal data?

The GCO Entity with which you have a relationship. In the Annex at the end of this Policy, the identification and registered addresses of the entities that make up the Group can be found, together with other information.

Who is the Data Protection Officer?

The Data Protection officer is the person designated by the entities that constitute the Group to ensure compliance with Personal Data Protection Regulations, whom you may contact especially if you think your data protection freedoms and rights have not been respected, been breached, via the postal or email address provided in the Annex at the end of this Policy and published in the Spanish data protection Agency's register of data protection officers.

Who is the personal data protection supervisory authority?

The supervisory authority is the Spanish Data Protection Agency, whose head office is at Calle Jorge Juan, 6, Madrid 28001. It is the independent public authority responsible for ensuring the privacy and protection of citizens' data, to whom you can submit queries and/or complaints regarding this matter, should you consider that your data protection rights and freedoms have not been duly respected by a Group entity. For more information, go to the following website: www.agpd.es.

What personal data can be processed?

All personal data, whether provided directly by the interested party or by an insurance distributor, seller or partner, including documents containing such data, or personal data obtained from recorded telephone conversations, internet website browsing or other means, including biometric and geolocation data, before, during and after the formalisation of an application, pre-contract, contract or service related to any of the products and/or services marketed by Group entities, will be processed when such data are needed for the study, documentation, development and/or execution of a contractual relationship between the parties or any other relationship arising from the same.

In this sense, the definition of customer is established as any data subject that: requests information, a product or a service, is a policyholder, insured person or beneficiary, who causes or is a third party involved in an accident, is a participant, partner, subscriber, claimant, mortgage holder, investor in promissory notes and/or a third party involved in a contractual or service relationship with a Group entity.

If the personal data is provided by a person other than the holder, it shall be the provider's obligation to previously communicate this information to the holder of the personal data, and to obtain his/her consent, when necessary, for the data to be processed by the relevant Group entity.

Subject to the requirements of personal data protection regulations, this personal data can be supplemented by other data obtained from Group suppliers, and any personal data that the data subject has made public.

The personal data of minors will normally only be processed when their parents or legal guardians have given their consent for the processing required to execute a contract or service with a Group entity, when there is a legal obligation and/or legitimate interest, in the latter case after a balancing test has been carried out by the Group entity responsible for the processing, notwithstanding the exercise of personal data protection rights established by current Personal Data Protection Regulations.

What are the categories of data subject to processing?

In general, the personal data subject to processing in the issue of an offer, a precontract or contract, will refer to the identification of the interested party, their personal characteristics and/or social circumstances, and any other data that may be necessary to complete these procedures.

Also in the following specific cases: (i) in the case of life, accident, healthcare, illness and/or death insurance, it will be necessary to process data relating to the profession or activity of the policyholder and/or the insured person, and, where appropriate, data relating to their health, and (ii) in the case of investment funds, data relating to the profession or activity of the policyholder and/or insured person as well as the data necessary for carrying out tests of suitability and/or appropriateness.

Finally, in the case of the contact forms made available to the public by Group entities, when the information prior to the collection of data has been provided, with reference to this Policy, the identification and contact details required to establish contact as requested will be processed.

Which are the purposes of processing your personal data?

(i) Main purpose:

The main purpose of processing personal data is the study, issue, development and/or execution of a pre-contract, contract, contractual relationship or service agreed with a Group entity, effectively complying at all times with the obligations established in the regulations applicable to the Group entity responsible for such data processing.

(ii) Other purposes:

Personal data will be processed for the purpose of setting prices and selecting risks and managing subsequent requests related to the risks that can be contracted. If necessary, processing may include profiling and/or automated decision-making in accordance with the provisions of this Policy.

Personal data will also be processed for the purposes of preventing and combatting fraud, and may be disclosed to the common information systems of the insurance sector for consultation; for compliance by the relevant Group entity with the legal obligations arising from the Civil Liability and Insurance Act regarding the circulation of motor vehicles and/or the Law of Regulation, Supervision and Solvency for Insurance and Reinsurance companies; similarly, in connection with the prevention of money laundering and the financing of terrorism, for compliance by Group entities with their legal obligations and the adoption of due diligence measures arising from the Law on the Prevention of Money Laundering and the Financing of Terrorism and the regulations implementing it.

In order to manage the request and/or any of the contracts or services provided by a group entity, said entity may process your personal data to assess your financial solvency, and may consult insurance sector information systems or credit rating agencies and disclose data to them, in addition to carrying out statistical, quality and technical studies, and implementing satisfaction surveys, loyalty programmes, market analysis, and research and service quality studies.

In the case of insurance products personal data may be processed to manage coinsurance or reinsurance, in compliance with current regulations. The disclosure of data in such cases shall be carried out to comply with a legal obligation, to execute a contract, or in legitimate interest, in the latter case after a balancing test conducted by the Group entity responsible for processing the data.

Finally, with regard to contact forms, telephone numbers, email addresses and social network profiles made available by Group entities, your data will be used (i) to attend to and manage suggestions, requests, queries and/or claims made via these channels; and (ii) to manage CVs provided for selection processes in Group entities.

(iii) Automated decision-making including profiling:

Some processing of personal data necessary to execute or formalise contracts may involve the use of automated decision-making and/or profiling. This means that certain decisions may be made automatically without human involvement, although the data subject will always have the right to: (i) request a review of the results by a person; (ii) express their point of view; and (iii) challenge the decision, in accordance with Personal Data Protection Regulations.

Similarly, the potential use of artificial intelligence will always be in accordance with the general principles and values of the GCO Code of Ethics, which guide the operations and actions of the Entities involved, in particular, regarding privacy and the right to personal data protection. It will also take into consideration the guidelines of the document on ethical principles for the use of Artificial Intelligence in the insurance sector, drawn up by the Spanish Union of Insurance Companies and Reinsurers (UNESPA) and the report of the Advisory Group of the European Insurance and Occupational Pensions Authority (EIOPA) on artificial intelligence (AI) governance principles for an ethical and trustworthy AI in the European insurance sector.

In the aforementioned processing of personal data for the prevention of fraud and/or money laundering and the financing of terrorism, the legal basis of profiling is for the Group entity responsible to comply with its legal obligations.

(iv) Advertising:

If customers authorise it, personal data may also be processed with a view to: (i) carrying out marketing activities and sending them information, even via remote means, on other general or customised products and services, either proprietary or available from other Group entities, as identified in the Annex at the end of this Policy and on the www.gco.com website; (ii) presenting customised advertising on websites, search engines and social networks; and (iii) offering participation in promotional competitions. This will apply even after the termination of services or the customer's contractual relationship with the Group entity. In any of the aforementioned cases products and services may be adjusted to your profile based on the analysis of risk and behavioural profiles, considering both internal and external sources, geolocation information and your browsing habits on the internet or social networks.

What is the legitimate basis of the processing of your personal data?

The legal grounds for processing data referred to in the main purpose described above are based on the management of the offer and, if applicable, execution of the contract or service agreed with the Group entity responsible for processing said data.

Any processing for the other purposes mentioned and for making automated decisions is based on relevant legislation or legitimate interest, if applicable, after a balancing test has been conducted by each Group entity responsible for processing.

In particular, the processing of personal data for the purpose of preventing fraud and/or money laundering and the financing of terrorism is based on applicable legislation, while data processing with the aim of developing loyalty programmes for customers is based on legitimate interest, subject to the aforementioned analysis by the Group entity responsible for said processing.

Lastly, the processing of personal data for advertising purposes is legitimised, where applicable, by the customer's express consent. 

For how long will we hold on to your personal data?

Your personal data will be held throughout your relationship with the Group entity with which the service or contract has been agreed, or with which a relationship has been established.

Once this relationship has ended, this data will be stored for the necessary period of time established by the applicable legislation at all times, and will be available to the courts and tribunals, Public Prosecutor's Office, State security forces and/or competent public administrations, in particular the appropriate personal data protection supervisory authorities, and corresponding supervisory bodies, in order to deal with any legal or contractual liabilities arising from the contract or service related to the data processing in question and during the applicable time in force.

In general, the documentation and information concerning your business must be kept by the entrepreneur for at least six years from the end of the relationship, except as established by general or special provisions, in accordance with the terms of the Commercial Code.

In particular, by virtue of the provisions of the Anti-Money Laundering and Financing of Terrorism Act, in the life and investment insurance sector, the obliged parties must keep, for a period of ten years after the end of the relationship, the documentation that formalises compliance with the due diligence obligations established in the aforementioned law.

Any requests or proposals that do not lead to a contract or the provision of a service, regardless of the reason, shall be held for the time necessary to ensure their effectiveness in the fight against fraud in contracting and to prevent money laundering and the financing of terrorism.

The guidelines on the storage period, erasure and blocking of personal data, to be used by the Group entity responsible for processing, are specified in the internal regulations on the conservation, suppression and blocking of personal data, in line with GCO's policy on personal data protection and the use of ICT resources. Interested parties can access them through the data protection officer.

To which recipients will your personal data be disclosed?

(i) GCO Entities:

The customer's personal data, contract or service and any information arising from or related to them can be transferred to the Group entities specified in the Annex at the end of this Policy and/or on the www.gco.com website to comply with the regulations applicable to each entity, and in general terms, for the prevention of and fight against fraud and/or the prevention of money laundering and the financing of terrorism, and, where applicable, to maintain and comprehensively and centrally manage the customer's relationship with the different entities in the Group.

We also expressly inform you that the entities in the Group share common services, to differing degrees, for the purpose of making use of existing synergies, optimising resources and offering a better service to customers. To this end, they have entered into various framework agreements to provide reciprocal services, which involve access to personal data managed by other entities in the Group, covering the provision of various services, including, but not limited to, the following:

  • a) Services provided to Group entities by Grupo Catalana Occidente, Tecnología y Servicios A.I.E.: (i) data hosting, (ii) maintenance and management of systems, communications and computer equipment, (iii) information security and the security of supporting systems, (iv) development and maintenance of IT applications, (v) the claims management service, (vi) reporting and disclosure of information relating to the services provided, (vii) maintenance and management of presence detection, security and video surveillance systems, and (viii) document management, custody and filing, printing and labelling.
  • b) services provided to Group entities by Grupo Catalana Occidente Contact Center A.I.E.: (i) providing customer service via any means, including remote means, such as telephone, email, internet, instant messaging and/or social networks, and (ii) conducting campaigns and satisfaction surveys.
  • c) services provided to Group entities by Prepersa Peritación de Seguros y Prevención A.I.E.: provision of a service to cooperate in the management of claims related to insurance policies through its network of associates.

(ii) Other Entities:

Personal data can also be disclosed to different associates or service providers of any Group entity responsible for processing data, including but not limited to: insurance brokers, co-insurers, reinsurers, lawsuit experts and investigators, solicitors and barristers, auditors, consultants, medical professionals and health assessors, financial, depository and managing entities and other suppliers and professionals who process personal data on behalf of the corresponding Group entity, in order to ensure the services rendered by the aforementioned entity while carrying out the contract or service, comply with the obligations stipulated in applicable legislation, in their legitimate interest following a balancing test, and/or in accordance with the user's consent, if this has been given.

In any of the above cases, we hereby inform you that the computer servers used by these service providers may be located in countries outside the European Union, where, if the level of privacy protection were not equivalent to European or national Personal Data Protection regulations, because the European Commission has not confirmed their adaptation, the corresponding Group entity will adopt appropriate measures, as envisaged in the Personal Data Protection Regulations for transfers to third countries and international organisations, with the exception of certain situations expressly provided for, in order to ensure that the level of protection of the interested parties is not diminished, and apply appropriate and necessary measures to effectively safeguard the rights of said parties and the security of information, in accordance with the technical measures available at any time.

(iii) Public authorities and official bodies:

Personal data will be released to all those recipients to whom such information must be disclosed by Group entities, in compliance with legal obligations, including, but not limited to, competent public bodies and administrations, such as the Spanish Tax Administration Agency or regional tax authorities, personal data protection control authorities, courts and tribunals, supervisory bodies, the Public Prosecutor's Office and/or State security forces and bodies.

(iv) Common credit information systems:

Group entities are entitled to view and process data regarding failure to comply with monetary, financial or credit obligations, through common credit information systems and any other system that enables them to assess solvency, for prior analysis and maintenance of the contractual relationship and to monitor its progress.

(v) If a motor vehicle insurance policy has been taken out:

In accordance with current legislation, the insurance entities in the Group, will provide the habitual driver insured under the policy with information on sanctions, if any, published in his or her name on current or future certified websites, complying at all times with current legislation on personal data protection.

The insurance company will use the vehicle's registration number to obtain from the Zaragoza Centre of the Vehicle Investigation Institute (Instituto de Investigación sobre Vehículos S.A.) details of the chassis number and all technical and administrative characteristics of the vehicle covered by the policy.

The Group entity through which the car insurance policy has been taken out, as jointly responsible for data processing, will provide, if applicable, the following details regarding the policy to the insurance sector common information systems:

  • (a) historical data of policies and claims registered in the Car Insurance History File, the purpose of which is to provide rigorous and verified information on claims data at the time the contract is signed, by pooling the information obtained through policies and claims over the previous five years, in accordance with the terms set out in the Civil Liability and Motor Vehicle Insurance Act.
  • (b) historical data on the number of claims related to your policy or incidents in which you have been involved, recorded in the Total Loss, Theft and Fire File, the purpose of which is to facilitate the automated identification of possible irregular situations and risks of fraud, cooperate with law enforcement agencies, facilitating the investigation of possible theft and fraud offences, among others, related to the insured motor vehicles; and to cooperate with the Zaragoza Centre, law enforcement agencies, the Directorate General for Traffic and the insurance company concerned in the identification and location of stolen vehicles and vehicles that have received compensation.

To exercise your data protection rights in relation to either Historical Car Insurance Information Systems and Information on Automobiles regarding Writeoffs, Theft and Fire, please contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3 Las Rozas 28231 Madrid.

You can find further information regarding data protection on the information systems for the insurance sector in the websites of the Union of Insurance and Reinsurance Companies (UNESPA) (www.unespa.es) and TIREA (www.tirea.es).

(vi) If you have multi-risk home, business, office, owner associations, SME, industry or civil liability insurance policies and/or any other insurance policies in the general insurance category:

The Group insurance entity with which the general insurance policy has been taken out will report, as appropriate, data on claims involving your insurance and/or your claims to the Fraud Management System for General Insurance Policies, which includes the policy purchased by you and any claim involving you, the insuring entity being the joint controller of said System. Its purpose is to prevent and detect fraud either by warning the insurer once the policy is issued, or by detecting fraud in claims. Its purpose is also to cooperate with law enforcement agencies by facilitating the investigation of possible theft and fraud offences, among others, related to the insured assets.

To exercise your data protection rights in relation to any of these Fraud Prevention Systems in general insurance policies, please contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3 Las Rozas 28231 Madrid.

You can find further information regarding data protection on the information systems for the insurance sector in the websites of the Union of Insurance and Reinsurance Companies (UNESPA) (www.unespa.es) and TIREA (www.tirea.es).

(vii) If you have life, accident, healthcare, illness or death insurance or any other insurance in connection with which we request or manage data on your health:

Your personal data may be disclosed to the aforementioned partners and service providers of the corresponding Group insurance entity, who will act as data processors on behalf of the entity.

In addition, and specifically, if you are a holder of:

  • (a) a life insurance policy with death benefit and/or an accident insurance policy covering the contingency of the insured party's death, whether the policy is individual or collective, in compliance with current legislation, your personal data will be disclosed to the public register of insurance contracts with death benefit, reporting to the Ministry of Justice or any ministry that may replace it in the future.
  • (b) a health or healthcare insurance policy, in which case your personal data, including health data, may be disclosed to the corresponding Group insurance company and to doctors, health centres, hospitals or other institutions or persons, so that healthcare can be provided, developed and monitored, the reimbursements or compensation stipulated in the insurance contract can be paid, and information from said providers can be requested or verified regarding the medical background of the insured party and the reasons that justify any benefits, reimbursements or compensation, and, where applicable, expenses can be recovered. Specifically, in the case of healthcare insurance, in order to inform the policyholder of the collection of each co-payment, the insurance Entity may communicate to the policyholder the details of the medical services used by each person insured under the policy, including the healthcare and professional centres they have visited and/or the tests each insured person has taken.

(viii) If you have taken out a pension plan:

Your personal data may be exchanged between the Managing Entity, the Depositary and the Promoter and/or Marketing Entity of such social welfare products.

Likewise, in the case of asking to demonstrate vested rights from the Managing Entity or target insurance company, the client must present this demonstration request and an authorization to the Managing Entity or target insurance company so that, in their name, the source fund Managing Entity may be asked to demonstrate such vested rights, in addition to all financial and fiscal data needed in the process.

(ix) If you have subscribed to participations in any investment fund marketed and/or managed by GCO:

Your personal data may be exchanged between the Managing Entity, the Depositary and the corresponding Marketing Entity of the said investment funds.

What are your rights when you provide your personal data?

As owner of your personal data, you are entitled to the rights set out below, which you may exercise by verifying your identity, as explained in the section Who is the Data Protection Officer? previous:

(i) Right to access. You can obtain confirmation from the Group entity responsible for processing your personal data as to whether it is processing said data and, if so, you have the right to access the data and information on the use being made of them, and obtain a copy of them in a structured, commonly used format that is easy to read.

(ii) Right to rectification. You may request the rectification of personal data that is inaccurate, and, where incomplete, you have the right to request that such data be correctly filled in, including an additional declaration where necessary.

(iii) Right to suppression. You may request that your personal data be deleted when it is no longer needed for the purposes for which it was collected by the Group entity responsible for processing it, or if you withdraw the consent on which such processing is based. Such a request cannot be implemented when processing is necessary under the terms of the section "What is the legal basis for processing your personal data?" above.

In this respect, if you exercise your right to be forgotten, the corresponding Group entity will contact the internet service provider to transmit your request to discontinue the processing of personal data that concern them, taking into account the technology available and the cost of using it. In this case, only data required for the formulation and exercise of claims and the entity's defence against them will be retained by the data controller. Such a request cannot be implemented when processing is required under the provisions of the section “What is the legal basis for processing your personal data?” above, if processing is necessary to exercise the right to freedom of expression and information or on the grounds of public interest.

(iv) Right to object. You may object to your personal data being processed, unless the Group entity responsible for such processing, after a balancing test, has a legitimate interest in continuing to do so. In this case only data required for the formulation and exercise of claims and the entity's defence against them will be retained by the data controller. The processing of personal data for commercial or advertising purposes shall not be considered legitimate and therefore the right to object shall be deemed equivalent to the withdrawal of given prior consent. Such requests are not applicable when processing is necessary according to the provisions of the section "What is the legal basis for processing your personal data?" above.

(v) Right to restrict processing. You may ask for the processing of your personal data to be restricted, which may involve your data being blocked in the following circumstances: (i) when you challenge data accuracy, (ii) when the data controller objects to data deletion in the event of lawful processing, (iii) when the controller no longer needs the data but it is needed to make, exercise rights to or defend claims, or (iv) when you have objected to processing, whilst the controller verifies whether your legitimate reasons prevail over theirs; in this case they shall only be held by controller to draw up, exercise or defend claims.

(vi) Right to data portability. Where technically possible, you may request that relevant personal data subject to automated processing be transmitted to another controller, or to yourself as data subject, in a structured, commonly used and easy to read format, and without detriment to your rights of deletion or to be forgotten, in which case such data will only be stored by the data controller for the purpose of formulating, exercising or defending claims. 

Any communications and actions performed in the context of exercising your rights shall be free of charge. However, if the customer's requests are manifestly unfounded or excessive, especially when they are of a repetitive nature, the Group entity's data controller may charge a reasonable fee, according to the expenses incurred to deal with the request.

Confidentiality of personal data

From the first moment it initiates data processing, the Group entity acting as data controller and/or data processor will implement the technical, organisational and security measures necessary, considering the current state of technology, to guarantee the confidentiality, integrity, availability and resilience of data, preventing their loss or alteration and unauthorised access and processing.

We hereby inform you that the computer servers used by some Group service providers may be located in countries outside the European Union, where, if the level of privacy protection were not equivalent to European or national Personal Data Protection regulations, because the European Commission has not confirmed their adaptation, the corresponding Group entity will adopt appropriate measures, as envisaged in the Personal Data Protection Regulations for transfers to third countries and international organisations, with the exception of certain situations expressly provided for, in order to ensure that the level of protection of the interested parties is not diminished, as well as appropriate and necessary measures to effectively safeguard the rights of said parties and the security of information, in accordance with the technical measures available at any time. 

When users are browsing the official websites of Group entities, this privacy policy is always available to them for information purposes, as is the GCO cookie policy, which conforms to the Guide to the Use of Cookies issued by the control authority. Users can manage and customise their preferences regarding the use of cookies at any time.

Validity of the Policy

GCO declares that the Privacy Policy published for information purposes on the www.GCO.com website will be the valid version at any given time and reserves the right to modify it without prior notice whenever necessary. Group entity customers can view the latest updated version of the Policy at any time in their official websites and, should they also wish to access previous versions, they may contact the corresponding Data Protection Officer, as indicated in the Annex to this Policy.

Copyright

GCO reserves all rights regarding the content of this Policy. The reproduction, distribution, transformation, handling, public communication or any other kind of total or partial use, free of charge or in return of a consideration, of this document is strictly forbidden without a written authorisation.

Latest update to the Policy: version 7, approved on 13 December 2023, to be brought into effect on 1 January 2024.

* * * * *

ATTACHMENT: ENTITIES THAT MAKE UP GRUPO CATALANA OCCIDENTE FOR THE PURPOSES OF THIS PRIVACY POLICY (CONTACT DETAILS)

Grupo Catalana Occidente S.A.

A08168064

Calle Méndez Álvaro, 31, Madrid (28045)

Listed in the Madrid Business Register, volume 36,829, folio 141, page M-659,287

Grupo Catalana Occidente Data Protection Officer

dpo@gco.com

Occident GCO, S.A.U. de Seguros y Reaseguros

A28119220

Calle Méndez Álvaro, 31, Madrid (28045)

Listed in the Madrid Business Register, volume 37,110, folio 177, page M-91,458

Occident Seguros Data Protection Officer

dpo@gco.com

NorteHispana de Seguros y Reaseguros S.A., Sociedad Unipersonal

A-08185589

Paseo de la Castellana 4, 28046 Madrid

Listed in the Madrid Business Register, volume 36,935, folio 1, page M-660,565

Nortehispana Seguros Data Protection Officer

dpo@gco.com

Grupo Catalana Occidente Gestión de Activos S.A. S.G.I.I.C., Sociedad Unipersonal

A-28475754

Calle Méndez Álvaro, 31, Madrid (28045)

Listed in the Madrid Business Register, volume 36,521, folio 171, page M-52,463

Data Protection Officer

GCO Gestión de Activos

dpo@gco.com

Occident Hipotecaria E.F.C., S.A.U.

A-48409023

Av. Sabino Arana, 20, 1ª planta, Bilbao - Biskaia (48013)

Listed in the Vizcaya Business Register, volume 2,228, folio 150, page 16,326

Occident Hipotecaria Data Protection Officer

dpo@gco.com

Grupo Catalana Occidente Contact Center, A.I.E.

V-65404063

Jesus Serra Santamans 3, 08174 Sant Cugat del Vallés (Barcelona)

Listed in the Barcelona Business Register, volume 42,241, folio 185, page B-405,292

GCO Contact Center Data Protection Officer

dpo@gco.com

Grupo Catalana Occidente Tecnología y Servicios A.I.E.

V-65004517

Avenida Alcalde Barnils 63, 08174 Sant Cugat del Vallès (Barcelona)

Listed in the Barcelona Business Register, volume 41,030, folio 29, page B-376,366

GCO Tecnología y Servicios Data Protection Officer

dpo@gco.com

Occident GCO Capital, Agencia de Valores, S.A.U.

A-63764138

Avenida Alcalde Barnils 63, 08174 Sant Cugat del Vallès (Barcelona)

Listed in the Barcelona Business Register, volume 37,416, folio 142, page B-298,341

Occident Capital AV Data Protection Officer

dpo@gco.com

Occident Previsión, Individual Voluntary Social Welfare Entity

V-48410120

Av. Sabino Arana, 20, 1ª planta, Bilbao - Bizkaia (48013)

Listed in the Vizcaya Business Register, volume 2111, folio 124, page 5-8

Occident Previsión EPSV Individual Data Protection Officer

dpo@gco.com

Occident Pensiones E.G.F.P., S.A.U.

A-67000471

Calle Méndez Álvaro, 31, Madrid (28045)

Listed in the Madrid Business Register, volume 36,886, folio 90, page M-659,976

Occident Pensiones Data Protection Officer

dpo@gco.com

GCO Activos Inmobiliarios S.L.

B66672544

Avenida Alcalde Barnils 63, 08174 Sant Cugat del Vallès (Barcelona)

Listed in the Barcelona Business Register, page B-478,427

GCO Activos Inmobiliarios S.L. Data Protection Officer

dpo@gco.com

GCO Ventures S.L.

B13803747

Avenida Alcalde Barnils 63, 08174 Sant Cugat del Vallés (Barcelona)

Listed in the Barcelona Business Register, page B-597.181

GCO Ventures S.L. Data Protection Officer

dpo@gco.com