Introduction

The protection of fundamental rights and freedoms, and in particular, the protection of individuals in relation to the processing of personal data, is one of the basic principles of Grupo Catalana Occidente (henceforth, “GCO” or the “Group”), as reflected in its Code of Ethics, in compliance with legal requirements and its corporate governance system.

The purpose of GCO's privacy policy (hereinafter, the "Policy") is to provide a concise, transparent explanation, in clear, simple language, of the way in which companies in the Group will use any personal data collected from its customers (as defined below), in accordance with the provisions of the European Union General Data Protection Regulations, 2016/679, Organic Law 3/2018, of 5 December, on Protection of Personal Data and Guarantee of Digital Rights, and the regulations implementing it in force at any given time (henceforth the "Personal Data Protection Regulations").

Who is the data controller?

The GCO Entity with which you have a relationship. In the Annex at the end of this Policy, the identification and registered addresses of the entities that make up the Group can be found, together with other information.

Who is the Data Protection Officer?

The Data Protection officer is the person designated by the entities that constitute the Group to ensure compliance with Personal Data Protection Regulations, whom you may contact especially if you think your data protection freedoms and rights have not been respected, been breached, via the postal or email address provided in the Annex at the end of this Policy and published in the Spanish data protection Agency's register of data protection officers.

Who is the data protection supervisory authority?

The supervisory authority is the Spanish Data Protection Agency, whose head office is at Calle Jorge Juan, 6, Madrid 28001. It is the independent public authority responsible for ensuring the privacy and protection of citizens' data, to whom you can submit queries and/or complaints regarding this matter, should you consider that your data protection rights and freedoms have not been duly respected by a Group entity. For more information, please visit the following website: www.agpd.es.

What personal data do we process?

All personal data, whether provided directly by the interested party or by an insurance distributor, seller or partner, including documents containing such data, or personal data obtained from recorded telephone conversations, internet website browsing or other means, including biometric and geolocation data, before, during and after the formalisation of an application, pre-contract, contract or service related to any of the products and/or services marketed by Group entities, will be processed when such data are needed for the study, documentation, development and/or execution of a contractual relationship between the parties or any other relationship arising from the same.

In this sense, the definition of "customer" is established as any data subject that: requests information, a product or a service, is a policyholder, insured person or beneficiary, who causes or is a third party involved in an accident, is a participant, partner, subscriber, claimant, mortgage holder, investor in promissory notes and/or a third party involved in a contractual or service relationship with a Group entity.

If the personal data is provided by a person other than the holder, it shall be the provider's obligation to previously communicate this information to the holder of the personal data, and to obtain his/her consent, when necessary, for the data to be processed by the relevant Group entity.

Subject to the requirements of personal data protection regulations, this personal data can be supplemented by other data obtained from Group suppliers, and any personal data that the data subject has made public.

The personal data of minors will normally only be processed when their parents or legal guardians have given their consent for the processing required to execute a contract or service with a Group entity, when there is a legal obligation and/or legitimate interest, in the latter case after a balancing test has been carried out by the Group entity responsible for the processing, notwithstanding the exercise of personal data protection rights established by the current Personal Data Protection Regulation.

What are the categories of data concerned?

In general, the personal data subject to processing in the issue of an offer, a precontract or contract, will refer to the identification of the interested party, their personal characteristics and/or social circumstances, and any other data that may be necessary to complete these procedures.

In addition and specifically; (i) in the case of life, accident, healthcare, illness and/or death insurance, it will be necessary to process data relating to the profession or activity of the policyholder and/or the insured person, and, where appropriate, data relating to their health, and (ii) in the case of investment funds, data relating to the profession or activity of the policyholder and/or insured person as well as the data necessary for carrying out tests of suitability and/or appropriateness.

Finally, in the case of the contact forms made available to the public by Group entities, when the information prior to the collection of data has been provided, with reference to this Policy, the identification and contact details required to establish contact as requested will be processed.

What is the purpose of processing the personal data?

(i) Main purpose:

The main purpose of processing personal data is the study, issue, development and/or execution of a pre-contract, contract, contractual relationship or service agreed with a Group entity, effectively complying at all times with the obligations established in the regulations applicable to the Group entity responsible for such data processing.

(ii) Other purposes:

Personal data will be the object of processing for the purpose of setting prices and selecting risks and managing subsequent requests related to the risks that can be contracted. This processing may include, if necessary, profiling and/or automated decision-making in accordance with the provisions established in this Policy.

Personal data will also be processed for the purposes of preventing and combatting fraud, and may be disclosed to the common information systems of the insurance sector for consultation; for compliance by the relevant Group entity with the legal obligations arising from the Civil Liability and Insurance Act regarding the circulation of motor vehicles and/or the Law of Regulation, Supervision and Solvency for Insurance and Reinsurance companies; similarly, in connection with the prevention of money laundering and the financing of terrorism, for compliance by Group entities with their legal obligations and the adoption of due diligence measures arising from the Law on the Prevention of Money Laundering and the Financing of Terrorism and the regulations implementing it.

In order to manage the request and/or any of the contracts or services provided by a group entity, said entity may process your personal data to assess your financial solvency, and may consult insurance sector information systems or credit rating agencies and disclose data to them, in addition to carrying out statistical, quality and technical studies, and implementing satisfaction surveys, loyalty programmes, market analysis, and research and service quality studies.

In insurance products the personal data may be processed to manage the coinsurance or reinsurance, in conformance with the current regulation. The disclosure of data in such cases shall be carried out to comply with a legal obligation, to execute a contract, or in legitimate interest, in the latter case after a balancing test conducted by the Group entity responsible for processing the data.

Finally, with regard to contact forms, telephone numbers, email addresses and social network profiles made available by Group entities, your data will be used (i) to attend to and manage suggestions, requests, queries and/or claims made via these channels; and (ii) to manage CVs provided for selection processes in Group entities.

(iii) Automated decision-making including profiling:

Some processing of personal data necessary for the execution or formalising of contracts may require the adoption of automated decision-making and/or profiling. This means that certain decisions may be made automatically without human involvement, where the data subject will always have the right to: (i) request the review of the results by a person; (ii) express their point of view; and (iii) contest the decision; in accordance with the Personal Data Protection Regulations.

Similarly, the potential use of artificial intelligence will always be in accordance with the general principles and values of the GCO Code of Ethics, which guide the operations and actions of the Entities involved, in particular, regarding privacy and the right to personal data protection. It will also take into consideration the guidelines of the document on ethical principles for the use of Artificial Intelligence in the insurance sector, drawn up by the Spanish Association of Insurers (UNESPA) and the report of the Advisory Group of the European Insurance and Occupational Pensions Authority (EIOPA) on artificial intelligence governance principles: towards ethical and trustworthy artificial intelligence in the European insurance sector.

In the aforementioned processing of personal data for the prevention of fraud and/or money laundering and the financing of terrorism, the legal basis of profiling is for the Group entity responsible to comply with its legal obligations.

(iv) Advertising purposes:

If customers authorise it, personal data may also be processed with a view to: (i) carrying out marketing activities and sending them information, even via remote means, on other general or customised products and services, either proprietary or available from other Group entities, as identified in the Annex at the end of this Policy and on the www.gco.com website; (ii) displaying targeted advertising on websites, search engines and social networks; and (iii) offering participation in promotional competitions; This will apply even after the termination of services or the customer's contractual relationship with the Group entity. In any of aforementioned cases, the adjustment of products and services to your profile may be based on the analysis of risk and behavioural profiles, taking into account internal and external sources, geolocation information and your browsing habits through the internet or social networks.

What are the legal grounds for processing personal data?

The legal grounds for processing data referred to in the main purpose described above are based on the management of the offer and, if applicable, execution of the contract or service agreed with the Group entity responsible for processing said data.

Any processing for the other purposes mentioned and for making automated decisions is based on relevant legislation or legitimate interest, if applicable, after a balancing test has been conducted by each Group entity responsible for processing.

In particular, the processing of personal data for the purpose of preventing fraud and/or money laundering and the financing of terrorism is based on applicable legislation, while data processing with the aim of developing loyalty programmes for customers is based on legitimate interest, subject to the aforementioned analysis by the Group entity responsible for said processing.

Lastly, the processing of personal data for advertising purposes is legitimised, where applicable, by the customer's express consent. 

For how long will we hold on to your personal data?

Your personal data will be held throughout your relationship with the Group entity with which the service or contract has been agreed, or with which a relationship has been established.

Once this relationship has ended, this data will be stored for the necessary period of time established by the applicable legislation at all times, and will be available to the courts and tribunals, Public Prosecutor's Office, State security forces and/or competent public administrations, in particular the appropriate personal data protection supervisory authorities, and corresponding supervisory bodies, in order to deal with any legal or contractual liabilities arising from the contract or service related to the data processing in question and during the applicable time in force.

In general, the documentation and information concerning your business must be kept by the entrepreneur for at least six years from the end of the relationship, except as established by general or special provisions, in accordance with the terms of the Commercial Code.

In particular, by virtue of the provisions of the Anti-Money Laundering and Financing of Terrorism Act, in the life and investment insurance sector, the obliged parties must keep, for a period of ten years after the end of the relationship, the documentation that formalises compliance with the due diligence obligations established in the aforementioned law.

Any requests or proposals that do not lead to a contract or the provision of a service, regardless of the reason, shall be held for the time necessary to ensure their effectiveness in the fight against fraud in contracting and to prevent money laundering and the financing of terrorism.

The guidelines on the storage period, erasure and blocking of personal data, to be used by the Group entity responsible for processing, are specified in the internal regulations on the conservation, suppression and blocking of personal data, in line with GCO's policy on personal data protection and the use of ICT resources. Interested parties can access them through the data protection officer.

To whom will your personal data be communicated?

(i) GCO Entities:

The customer's personal data, contract or service and any information arising from or related to them can be transferred to the Group entities specified in the Annex at the end of this Policy and/or on the www.gco.com website to comply with the regulations applicable to each entity, and in general terms, for the prevention of and fight against fraud and/or the prevention of money laundering and the financing of terrorism, and, where applicable, to maintain and comprehensively and centrally manage the customer's relationship with the different entities in the Group.

We also expressly inform you that the entities in the Group share common services, to differing degrees, for the purpose of making use of existing synergies, optimising resources and offering a better service to customers. To this end, they have entered into various framework agreements to provide reciprocal services, which involve access to personal data managed by other entities in the Group, covering the provision of various services, including, but not limited to, the following:

a) Services provided to Group entities by Grupo Catalana Occidente, Tecnología y Servicios A.I.E.: (i) data hosting, (ii) maintenance and management of systems, communications and computer equipment (iii) information security and security of supporting systems (iv) development and maintenance of IT applications, (v) rendering claims management service, (vi) reporting and disclosure of information relating to the services provided, (vii) maintenance and management of presence detection,
security systems and video surveillance systems, and (viii) document management, custody and filing, printing and labelling.

b) services provided to Group entities by Grupo Catalana Occidente Contact Center A.I.E.: (i) providing customer service via any means, including remote means, such as telephone, email, internet, instant messaging and/or social networks, and (ii) conducting campaigns and satisfaction surveys.

c) services provided to Group entities by Prepersa Peritación de Seguros y Prevención A.I.E.: provision of a service to cooperate in the management of claims related to insurance policies through its network of associates.

(ii) Other Entities:

Personal data can also be disclosed to different associates or service providers of any Group entity responsible for processing data, including but not limited to: insurance brokers, co-insurers, reinsurers, lawsuit experts and investigators, solicitors and barristers, auditors, consultants, medical professionals and health assessors, financial, depository and managing entities and other suppliers and professionals who process personal data on behalf of the corresponding Group entity, in order to ensure the services rendered by the aforementioned entity while carrying out the contract or service, comply with the obligations stipulated in applicable legislation, in their legitimate interest following a balancing test, and/or in accordance with the user's consent, if this has been given.

In any of the above cases, we hereby inform you that the computer servers used by these service providers may be located in countries outside the European Union, where, if the level of privacy protection were not equivalent to European or national Personal Data Protection regulations, because the European Commission has not confirmed their adaptation, the corresponding Group entity will adopt appropriate measures, as envisaged in the Personal Data Protection Regulations for transfers to third countries and international organisations, with the exception of certain situations expressly provided for, in order to ensure that the level of protection of the interested parties is not diminished, and apply appropriate and necessary measures to effectively safeguard the rights of said parties and the security of information, in accordance with the technical measures available at any time.

(iii) Public authorities and bodies:

Personal data will be released to all those recipients to whom such information must be disclosed by Group entities, in compliance with legal obligations, including, but not limited to, competent public bodies and administrations, such as the Spanish Tax Administration Agency or regional tax authorities, personal data protection control authorities, courts and tribunals, supervisory bodies, the Public Prosecutor's Office and/or State security forces and bodies.

(iv) Common credit information systems:

Group entities are entitled to view and process data regarding failure to comply with monetary, financial or credit obligations, through common credit information systems and any other system that enables them to assess solvency, for prior analysis and maintenance of the contractual relationship and to monitor its progress.

(v) If a motor vehicle insurance policy is purchased:

In accordance with current legislation, the insurance entities in the Group, will provide the habitual driver insured under the policy with information on sanctions, if any, published in his or her name on current or future certified websites, complying at all times with current legislation on personal data protection.

Said insurance entity shall use data belonging to the Vehicle Investigation Institute in the centre of Zaragoza (Instituto de Investigación sobre Vehículos S.A.) to identify the vehicle identification number and all technical and administrative characteristics of the vehicle covered in the insurance policy.

The Group entity through which the car insurance policy has been taken out, as jointly responsible for data processing, will provide, if applicable, the following details regarding the policy to the insurance sector common information systems:

a) historical data regarding policies and claims to the Car Insurance Historical Information System, the purpose of which is to provide rigorous, verified information on claims at the time the contract is signed, by pooling the information obtained through policies and claims over the previous five years, in accordance with the terms set out in the Civil Liability and Motor Vehicle Insurance Act.

b) historical data on the number of claims related to your insurance or claims in which you have been involved will be disclosed to the Total Loss, Theft and Fire Vehicle Information System, the purpose of which is to facilitate the automated identification of possible irregular situations and risks of fraud, cooperate with Security Forces and Bodies, facilitating the investigation of possible theft and fraud offences, among others, related to insured motor vehicles; and cooperate with Centro Zaragoza, Law enforcement agencies, the Directorate General for Traffic and the insurance company affected in the identification and location of stolen vehicles and vehicles that have received compensation.

 

To exercise your data protection rights in relation to either Historical Car Insurance Information Systems and Information on Automobiles on Writeóffs, Theft and fire, please contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3 Las Rozas 28231 Madrid.

 

You can find the rest of the data protection information on the information systems for the insurance sector in the websites of the Spanish Association of Insurers (UNESPA) (www.unespa.es) and TIREA (www.tirea.es) websites.

(vi) In the case of multi-risk home, store, business, owner's community, SME, industry or civil liability insurance policies and/or any other insurance policies in the general insurance category:

The Group insurance entity with which the general insurance policy has been taken out will report, as appropriate, data on claims involving your insurance and/or your claims to the Fraud Management System for General Insurance Policies, which includes the policy purchased by you and any claim involving you, the insuring entity being the joint controller of said System. Its purpose is to prevent and detect fraud by either warning the insurer once the policy is issued, or by detecting the fraud committed in the declared claims. Its purpose shall also be to cooperate with law enforcement agencies by facilitating the investigation of possible theft and fraud offences, among others, related to the insured goods.

To exercise your data protection rights in relation to any of these Fraud Prevention Systems in General Insurance Policies, please contact Tecnologías de la Información y Redes para las Entidades Aseguradoras S.A. (TIREA), Ctra. Las Rozas a El Escorial Km 0.3 Las Rozas 28231 Madrid.

You can find the rest of the data protection information on the information systems for the insurance sector in the websites of the Spanish Association of Insurers (UNESPA) (www.unespa.es) and TIREA (www.tirea.es) websites.

(vii) In the case of life, accident, healthcare and illness or death insurance or any other insurance in connection with which we request or manage data on your health:

Your personal data may be disclosed to the aforementioned partners and service providers of the corresponding Group insurance entity, who will act as data processors on behalf of the entity.

In addition, and specifically, if you are a holder of:

(a) a life insurance policy with death coverage and/or an accident insurance policy covering the contingency of the insured person's death, whether individual or collective, in compliance with current legislation, your personal data will be disclosed to the public register of insurance contracts with death coverage controlled by the Ministry of Justice, or any ministry that may replace it in the future.

(b) a health or health care insurance policy, in which case your personal data, including health data, may be disclosed to the corresponding Group insurance company and to doctors, health centres, hospitals or other institutions or persons, so that health care can be developed, delivered and monitored, the reimbursements or compensation stipulated in the insurance contract can be provided, and information from said providers can be requested or verified regarding the medical background of the insured party and the reasons that justify any benefits, reimbursements or compensation, and, where applicable, expenses can be recovered. Specifically, in the case of healthcare insurance, in order to inform the policyholder of the collection of each co-payment, the insurance Entity may communicate to the policyholder the details of the medical services used by each insured person of the policy, including the healthcare and professional centres they have visited and/or the tests each insured person has taken.

(viii) If you have purchased a social welfare product:

Your personal data may be exchanged between the Managing Entity, the Depositary and the Promoter and/or Marketing Entity of such social welfare products.

Likewise, in the case of asking to demonstrate vested rights from the Managing Entity or target insurance company, the client must present this demonstration request and an authorization to the Managing Entity or target insurance company so that, in their name, the source fund Managing Entity may be asked to demonstrate such vested rights, in addition to all financial and fiscal data needed in the process.

(ix) If you have subscribed to participations in any investment fund marketed and/or managed by GCO:

Your personal data may be exchanged between the Managing Entity, the Depositary and the corresponding Marketing Entity of the said investment funds.

What are your rights when you provide your personal data?

As holder of your personal data, you are entitled to the rights set out below, which you may exercise by verifying your identity, in the way explained in the section Who is the Data Protection Officer? previous:

(i) Right to access. You can obtain confirmation from the Group entity responsible for processing your personal data as to whether it is processing said data and, if so, you have the right to access the data and information on the use being made of them, and obtain a copy of them in a structured, commonly used format that is easy to read.

(ii) Right to rectification. You may request the rectification of personal data that are inaccurate, and, if they are incomplete, you have the right to request that such data be correctly entered, by means of an additional declaration if necessary.

(iii) Right to suppression. You may request that your personal data be deleted when it is no longer needed for the purposes for which it was collected by the Group entity responsible for processing it, or if you withdraw the consent on which such processing is based. Such a request shall not be applicable when processing is required on the grounds of what is stipulated in the paragraph "What is the legitimation of the processing of personal data?" above.

In this respect, if you exercise your right to be forgotten, in connection with any of the entities in the Group, the entity concerned will contact the internet service provider to transmit your request to discontinue the processing of personal data that concern them, taking into account the technology available and the cost of using it. In this case, only data required for the formulation and exercise of claims and the entity's defence against them will be retained by the data controller. The request shall not be applicable when the processing is required on the basis of the provisions included in the section “What is the legal basis for processing your personal data?”, whether the processing is required to exercise the right of freedom of expression and information or on grounds of public interest.

(iv) Right to object. You may object to your personal data being processed, unless the Group entity responsible for such processing, after a balancing test, has a legitimate interest in continuing to do so. In this case only data required for the formulation and exercise of claims and the entity's defence against them will be retained by the data controller. The processing of personal data for commercial or advertising purposes shall not be considered legitimate and therefore the right to object shall be deemed equivalent to the withdrawal of given prior consent. Such a request shall not be applicable when processing is required based on that stated in the aforementioned paragraph "What are the legal grounds for processing personal data?".

(v) Right to restriction. You may request the processing of your personal data be restricted, which may involve your data being blocked in the following circumstances: (i) when you challenge data accuracy, (ii) when the data controller objects to data deletion in the event of lawful processing, (iii) when the controller no longer needs the data but it is needed to make, exercise rights to or defend claims, or (iv) when you have objected to processing, whilst the controller verifies whether your legitimate reasons prevail over theirs; in this case they shall only be held by controller to draw up, exercise or defend claims.

(vi) Right to data portability. Where technically possible, you may request that relevant personal data subject to automated processing be transmitted to another controller, or to yourself as data subject, in a structured, commonly used and easy to read format, and without detriment to your rights of deletion or to be forgotten, in which case such data will only be stored by the data controller for the purpose of formulating, exercising or defending claims. 

Any communications and actions performed in the context of exercising your rights shall be free of charge. However, if the customer's requests are manifestly unfounded or excessive, especially when they are of a repetitive nature, the Group entity's data controller may charge a reasonable fee, according to the expenses incurred to deal with the request.

Confidentiality of personal data

From the first moment it initiates data processing, the Group entity acting as data controller and/or data processor will implement the technical, organisational and security measures necessary, considering the current state of technology, to guarantee the confidentiality, integrity, availability and resilience of data, preventing their loss or alteration and unauthorised access and processing.

We hereby inform you that the computer servers used by some Group service providers may be located in countries outside the European Union, where, if the level of privacy protection were not equivalent to European or national Personal Data Protection regulations, because the European Commission has not confirmed their adaptation, the corresponding Group entity will adopt appropriate measures, as envisaged in the Personal Data Protection Regulations for transfers to third countries and international organisations, with the exception of certain situations expressly provided for, in order to ensure that the level of protection of the interested parties is not diminished, as well as appropriate and necessary measures to effectively safeguard the rights of said parties and the security of information, in accordance with the technical measures available at any time. 

When users are browsing the official websites of Group entities, this privacy policy is always available to them for information purposes, as is the GCO cookie policy, which conforms to the Guide to the Use of Cookies issued by the control authority. Users can manage and customise their preferences regarding the use of cookies at any time.

Validity of the Policy

GCO declares that the Privacy Policy published for information purposes on the www.GCO.com website will be the valid version at any given time and reserves the right to modify it without prior notice whenever necessary. Group entity customers can view the latest updated version of the Policy at any time in their official websites and, should they also wish to access previous versions, they may contact the corresponding Data Protection Officer, as indicated in the Annex to this Policy.

Copyright

GCO reserves all rights regarding the content of this Policy. The reproduction, distribution, transformation, handling, public communication or any other kind of total or partial use, free of charge or in return of a consideration, of this document is strictly forbidden without a written authorisation.

Latest update to the Policy: version 7, approved on 13 December 2023, to be brought into effect on 1 January 2024.

ATTACHMENT: ENTITIES THAT MAKE UP GRUPO CATALANA OCCIDENTE FOR THE PURPOSES OF THE CURRENT PRIVACY POLICY

Entity ► Tax ID number ► Registered Office ► Registration Details ► DPO contact details ► Email 

• Grupo Catalana Occidente S.A. ► A-08168064 ► Paseo de la Castellana 4, 28046 Madrid ► Listed in the Madrid Business Register, volume 36,829, folio 141, page M-659,287 ► Data Protection Officer Grupo Catalana Occidente ► dpo@gco.com
• Occident GCO, S.A. de Seguros y Reaseguros ► A-28119220 ► Paseo de la Castellana 4, 28046 Madrid ► Listed in the Madrid Business Register, volume 37,110, folio 177, page M-91,458 ► Occident Seguros Data Protection Officer ► dpo@gco.com 
• Nortehispana de Seguros y Reaseguros S.A., Sociedad Unipersonal ► A-08185589 ► Paseo de la Castellana 4, 28046 Madrid ► Listed in the Madrid Business Register, volume 36,935, folio 1, page M-660,565 ►Data Protection Officer Nortehispana Seguros
  ► dpo@gco.com 
• Grupo Catalana Occidente Gestión de Activos S.A. S.G.I.I.C., Sociedad Unipersonal ► A-28475754 ► Cedaceros 9, planta baja, 28014 Madrid   ► Listed in the Madrid Business Register, volume 36,521, folio 171, page M-52,463 ► Data Protection Officer GCO Gestión de Activos ►  dpo@gco.com
• Occident Hipotecaria E.F.C., S.A.U. ►A-48409023 ► Paseo del Puerto 20, 48992 Neguri- Getxo (Bizkaia) ► Registered in Madrid's Mercantile Registry, volumen 2,228, section 150, page 16,326 ► Occident Hipotecaria Data Protection Officer ► dpo@gco.com
• Grupo Catalana Occidente Contact Center, A.I.E. ► V-65404063 ► Jesus Serra Santamans 3, 08174 Sant Cugat del Vallés (Barcelona)► Registered in Barcelona's Mercantile Registry, volume 42,241, section 185, page B-405,292 ► Data Protection Officer GCO Contact Center ►dpo@gco.com
• Grupo Catalana Occidente Tecnología y Servicios A.I.E.► V-65004517 ► Avenida Alcalde Barnils 63, 08174 Sant Cugat del Vallès (Barcelona) ► Registered in Barcelona's Mercantile Registry, volume 41,030, section 29, page B-376,366 ► Data Protection Officer GCO Tecnología y Servicios ► dpo@gco.com
• Occident GCO Capital, Agencia de Valores, S.A.U. ► A-63764138 ► Avenida Alcalde Barnils 63, 08174 Sant Cugat del Vallès (Barcelona) ► Registered in Barcelona's Mercantile Registry, volume 37,416, section 142, page B-298,341 ► Data Protection Officer Occident Capital AV ► dpo@gco.com
• GCO Previsión, Individual Voluntary Social Welfare Entity ►V-48410120 ► Paseo del Puerto 20, 48992 Neguri- Getxo (Bizkaia) ► Listed in the Bizkaia Business Register, volume 2111, folio 124, page 5-8 ► Data Protection Officer GCO Previsión EPSV Individual ► dpo@gco.com
• GCO Gestora Pensiones E.G.F.P., S.A. ► A-67000471 ► Paseo de la Castellana 4, 28046 Madrid ► Listed in the Madrid Business Register, volume 36,886, folio 90, page M-659,976 ► Data Protection Officer GCO Gestora de Pensiones ►  dpo@gco.com
• GCO Activos Inmobiliarios S.L. ► B66672544 ► Avenida Alcalde Barnils 63, 08174 Sant Cugat del Vallès (Barcelona) ► Registered in Barcelona's Mercantile Registry, page no. B-478,427 ► Data Protection Officer GCO Activos Inmobiliarios S.L.►  dpo@gco.com
• GCO Ventures S.L. ► B13803747 ► Avenida Alcalde Barnils 63, 08174 Sant Cugat del Vallés (Barcelona) ► Registered in Barcelona's Mercantile Registry, page no. B-597.181 ► Data Protection Officer GCO Ventures S.L.►  dpo@gco.com