In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (GDPR) and with Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDgdd for its initials in Spanish), we hereby inform you that the personal data that we process about you will be incorporated into the processing that makes up the record of activities of the data controller CONSORCIO DE COMPENSACIÓN DE SEGUROS E.P.E., with Tax ID No. Q2826011E, telephone number +34 91 339 55 00, and with registered office at 32, Paseo de la Castellana, 28046, Madrid (hereinafter, CCS).

Your personal data may be processed by CCS for the following purposes and on the following legitimisation basis:

• Issuance of policies for the coverage of compulsory motor vehicle liability insurance, as well as for the processing of claims that may arise during the term of the policy . The processing is lawful in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Article 11 of the Legal Statute of CCS, approved by Royal Legislative Decree 7/2004, of 29 October; as well as in the performance of a contract (Article 6.1 b) GDPR), in relation to the insurance contract signed between the insured and CCS.
• CCS’s role as the MTPL (Motor car Third-Party Liability Insurance) Guarantee Fund: The processing is lawful in compliance with a legal obligation (art. 6.1 c) RGPD) in relation to the provisions of art. 11.3 of the Legal Statute of the CCS, approved by Royal Legislative Decree 7/2004, of 29 October; as well as in relation to the provisions of art. 11 of Royal Legislative Decree 8/2004, of 29 October, which approves the revised text of the Law on civil liability and insurance in the circulation of motor vehicles.
• Processing of claims arising from extraordinary risks, including the appraisal of damage to persons, vehicles and miscellaneous assets that may be applicable. The processing is lawful in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Article 6 of the Legal Statute of CCS, approved by Royal Legislative Decree 7/2004, of 29 October.
• Processing of recovery proceedings. Lawful processing in the legitimate interest of CCS (Article 6.1 f) GDPR). The legitimate interest pursued is the recovery of the amounts paid deriving from the legal obligations of CCS, when there is a party responsible for the damage, in the exercise of the recovery powers in accordance with the legal framework applicable to the insurance sector and, in particular, to CCS.
• Winding-up of insurance companies and management of mortgage loans in favour of CCS once the liquidation of the insurance companies has been completed. The processing is lawful in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Article 14 of the Legal Statute of CCS, approved by Royal Legislative Decree 7/2004, of 29 October.
• Insurance fraud prevention . Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Article 100 of Law 20/2015, of 14 July, on organization, supervision and solvency of insurance and reinsurance undertakings.
• Preparation of statistical, actuarial and insurance technique studies. Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Law 20/2015, of 14 July, on organization, supervision and solvency of insurance and reinsurance undertakings.
• Processing and resolution of complaints and claims.Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Article 97 of Law 20/2015, of 14 July, on organization, supervision and solvency of insurance and reinsurance undertakings.
• Analysis of our service quality through satisfaction surveys. Lawful processing in the legitimate interest of CCS (Article 6.1 f) GDPR). The legitimate interest pursued consists of improving the policyholder service processes and claim processing provided by CCS.
• Analysis of our service quality through call recording. Lawful processing in the legitimate interest of CCS (Article 6.1 f) GDPR). The legitimate interest pursued consists of improving the policyholder service processes provided by CCS via telephone.
• Management of information requests to FIVA (Informative Records of Insured Vehicles). Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Chapter IV of Royal Decree 1507/2008, of 12 September, approving the Regulation of compulsory civil liability insurance for the use of motor vehicles.
• Management of information requests in compliance with the activity of Consorcio de Compensación de Seguros as information centre and register of representatives. Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Article 24 of Royal Legislative Decree 8/2004, of 29 October, approving the consolidated text of the Law on civil liability and insurance for the use of motor vehicles.
• Management of the transparency portal and handling of requests made through it. Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Law 19/2013, of 9 December, on transparency, access to public information and good governance.
• Reinsurance management in the field of civil liability insurance for nuclear damage. Claims management of and receipt of reinsurance premiums. Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Article 9 of the Legal Statute of CCS, approved by Royal Legislative Decree 7/2004, of 29 October.
• Assessment of agricultural insurance adjustments . Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Article 10 of the Legal Statute of CCS, approved by Royal Legislative Decree 7/2004, of 29 October.
• Processing of forest fire accident insurance. Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Article 10 of the Legal Statute of CCS, approved by Royal Legislative Decree 7/2004, of 29 October.
• Management of the Whistle Blower Channel. Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Law 2/2023, of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption.
• Management of seizure requests that CCS may receive. Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of General Tax Law 58/2003, of 17 December.
• Management of external service contracting processes and service performance. In the pre-contractual phase, data processing is lawful by the legitimate interest of CCS in maintaining professional contact with the prospective contractor’s professional(s) (Article 6.1 f) GDPR) in relation to the provisions of Article 19 of the LOPDgdd. In the contractual phase, if the contractor is a legal entity, the processing of the data of its professionals is also lawful by the legitimate interest of CCS in maintaining professional contact with them (Article 6.1 f) GDPR) in relation to the provisions of Article 19 of the LOPDgdd. In the event that the contractor is a natural person acting as a freelance professional, the processing of their data will be lawful on the basis of the performance of a contract (Article 6.1 b) GDPR), in relation to the contract signed between CCS and the contractor.
• Management of employee selection and hiring processes, in accordance with the conditions set out in each call for applications. Lawful processing by the application of pre-contractual measures at the request of the data subject applying for vacant positions (Article 6.1 b) GDPR).
• Compliance with our internal audit obligations. Lawful processing in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of Article 66 of Law 20/2015, of 14 July, on organization, supervision and solvency of insurance and reinsurance undertakings.
• Control access to our facilities through video surveillance and presence control systems.Lawful processing in the public interest (Article 6.1 e) GDPR) in relation to the provisions of Article 22 of the LOPDgdd, in connection with Article 42 of Law 5/2014, of 4 April, on Private Security.
• Management of applications for International Motor Insurance Certificates (IMIC). Said processing is carried out through the figure of joint responsibility together with the Spanish Motor Insurance Bureau (OFESAUTO). Processing lawful in the public interest (Article 6.1 e) GDPR) in relation to the powers established in Directive 72/166/EC, Royal Legislative Decree 8/2004, Law 20/2015, Royal Decree 1507/2008 and Order EIC/764/2017.
• Management of requests for the exercise of data protection rights and other obligations imposed by data protection regulations. Processing lawful in compliance with a legal obligation (Article 6.1 c) GDPR) in relation to the provisions of GDPR and LOPDgdd.
• Management of CCS digital magazine. Processing lawful by the data subject's consent (Article 6.1 a) GDPR) given by means of their subscription request to the magazine.
• Management of the corresponding judicial proceedings arising from the fulfilment of our obligations.
• Any other purposes necessary to meet the obligations imposed on Consorcio de Compensación de Seguros, which you may consult in the Record of Processing Activities at the end of this Policy.

Consorcio de Compensación de Seguros may only communicate your personal data to:

• Those third parties, public bodies and institutions of the General State Administration, Regional and Local Administrations, including jurisdictional bodies to which CCS is legally obliged to provide them or when there is a public interest in making such data communication.
• To insurance companies and other private law entities when CCS has the consent of the data subjects concerned, when it considers that the applicants have a legitimate interest or when there is a legal obligation to communicate.
• To the Directorate General of Insurance and Pension Funds, Agroseguro and the General Intervention of the State Administration in the event of a request by the latter, when the legal requirements necessary for the communication of data are met.
• Law Enforcement Agencies, in the cases established by Law.
• Courts and Tribunals, in the cases established by Law.

In addition, your data may be accessed, depending on the purpose of the processing, by loss adjusters, accident investigation and reconstruction services and medical experts for the assessment of personal and/or material damage reported by the user or by a third party, entities specialised in recovery management services or lawyers; external technological service providers, such as hosting services, IT maintenance, and other similar services; as well as by private security companies, consultancies, satisfaction survey management entities, and similar, which provide their services to CCS, and will process your data strictly according to this organisation’s instructions and under its responsibility. In this regard, CCS has signed the relevant personal data processing contracts with all its service providers who are considered to be data processors, in accordance with the provisions of Article 28 of the GDPR.

Details of the third-party recipients applicable to each processing operation can be consulted in the Record of Processing Activities accessible at the end of this Privacy Policy.

The user's personal data will be kept for the following periods:

• Issuance of direct insurance policies and processing of claims that may arise during the term of the policy: throughout the term of the insurance contract and, once this has ended, for a period of 10 years from the end of the policy. If there are claim files in process, on the date the policy expires, the personal data will be kept for a period of 10 years from the closure of the corresponding claim, recovery or investigation file.
• CCS acting as MTPL (Motor car Third-Party Liability Insurance) Guarantee Fund: for a period of 10 years from the closure of the file.
• Processing of claims files, recovery files, fraud prevention, and preparation of statistical, actuarial and insurance technique studies: for a period of 10 years from the closure of the claim, recovery or investigation, if applicable.
• Winding-up of insurance companies and management of mortgage loans in favour of CCS once the liquidation of the insurance company has been completed: for a period of 10 years from the dissolution of the insurance company being wound-up and, if applicable, until the mortgage loan is cancelled.
• For the processing of credit purchase from participants of insurance companies being wound-up: for a period of 10 years from the dissolution of the insurance company. In the case of the constitution of deposits, the data will be kept for a period of 26 years from the constitution of the deposit.
• Processing of complaints and claims: for a period of 10 years from the closure of the complaint or claim file.
• Analysis of service quality through satisfaction surveys: for a period of 10 years from the closure of the claim/dissolution file of the insurance company being wound-up.
• Analysis of service quality through call recording: in the case of non-insured individuals, for a period of 10 years from the recording. In the case of insured individuals, for a period of 10 years from the termination of the insurance policy.
• FIVA applications: positive enquiries for one year after the enquiry. Queries with a negative result for one month after the query, with the aim of sending the applicant new information on the query that may arise during this period of time.
• Requests for information in compliance with the activity of CCS as information centre and register of representatives: for a period of 7 years from the expiration date of the vehicle registration or insurance policy.
• Requests received through the Transparency Portal: for the time necessary to deal with the request received and, at the most, for a period of 6 years.
• Reinsurance of nuclear damage: for a period of 30 years from the termination of the policy.
• Assessment of adjustments in agricultural insurance: for a period of 10 years from the end of the field assessment.
• Processing of forest fire accident insurance: for a period of 10 years from the closing of the file.
• Collections received from surcharges and from environmental damage settlement processes: for a period of 30 years from the cancellation of the company's policy.
• Communications submitted through our Whistle Blower Channel: Any unnecessary personal data that may be collected during the processing of the file will be deleted immediately. Necessary personal data that may be collected during the processing of the file will be processed during the processing of the same and, subsequently, during the limitation period for legal actions depending on the subject matter of the communication, whose maximum period is 10 years from the presentation of the same.
• Applications for seizure: Until the seizure is lifted.
• External service contracting processes: for a period of 6 years from the end of the supplier selection process.
• Management of external services: for a period of 6 years from the end of the contract.
• Employee selection processes: for a maximum of 6 years from the end of the selection process.
• Internal audit obligations: For a period of 5 years from the issuance of the audit report.
• Access control to our facilities: Images captured through video surveillance cameras will be deleted within a maximum period of one month from their capture. Visits records will be deleted within one month of the visit. In certain cases, CCS processes the photograph of its employees and suppliers' personnel who regularly access its premises in order to guarantee the physical security of the building. In such cases, the image of employees and supplier personnel who regularly access the premises will be deleted after the termination of the employee's employment relationship, or the contractual relationship with the supplier, as appropriate, and subsequently for a period of one month.
• International Motor Insurance Certificate (IMIC): for the period of time that allows compliance with the issuance, management and consultation of the certificate and, subsequently, for a period of 5 years.
• Requests to exercise data protection rights: for a period of 6 years from receipt of the exercise of the right by CCS.
• CCS digital magazine: for a period of 6 years from the end of the relationship with the recipient of the digital magazine.
• Judicial proceedings: the procedural documents will be kept for a period of 10 years from the finality of the judgement.

Once the deletion periods established in the previous paragraphs have been reached, depending on each processing operation, CCS will block the personal data for a period of 3 years, subsequently proceeding to permanently delete them, with the exception of personal data processed within the scope of the International Motor Insurance Certificate (IMIC), whose blocking period is set at 5 years. The aforementioned data blocking will be carried out under the terms established in Article 32 of the LOPDgdd, according to which CCS must block personal data when it proceeds to rectify or delete them, preventing their processing, including their viewing, except for the purpose of making the data available to judges and courts, the Public Prosecutor's Office or the competent Public Administrations, in particular the data protection authorities, for the enforcement of possible liabilities arising from the processing.

The processing of the personal data provided will be carried out by adopting the necessary technical and organisational measures to prevent the loss, misuse, alteration and unauthorised access to them, taking into account the state of technology, the nature of the data, and the risk analysis carried out. In this regard, CCS is in the process of being certified under the National Security Framework (ENS for its initials in Spanish) in accordance with the provisions of Royal Decree 311/2022, of 3 May, which regulates the National Security Framework.

CCS only carries out international data transfers in those cases in which it must process and manage claims in countries outside the European Economic Area, as well as in cases involving the processing of claims for forest fire extinction accidents in Spain, in which citizens of third countries outside the European Economic Area may be affected. Likewise, an international transfer of personal data may occur in the management of the International Motor Insurance Certificate (IMIC), in the event that the data subject allows the competent authorities of a country established outside the European Economic Area to check the QR code of the certificate. Such international transfers are carried out in strict compliance with the GDPR.

In the event you wish to exercise your rights of access, rectification, cancellation, deletion, objection, limitation, portability and the right not to be subject to automated decisions, as well as to revoke your consent, you may contact our Data Protection Officer by sending a written request to the postal address located at 32, Paseo de la Castellana, 28046, Madrid; or by e-mail at dpo@consorseguros.es.

This request must include the name and surname(s) of the data subject, and specification of the purpose of the request. If the applicant is acting on behalf of a third party, proof of such representation must be provided. CCS may request additional information if there is reasonable doubt as to the identity of the applicant and/or their representative.

If the data subject considers that the aforementioned rights have not been complied with in accordance with current legislation, they may file a claim for the protection of their rights with the Spanish Data Protection Agency.