PRIVACY POLICY 

With this Privacy Policy, the ASSOCIACIÓ D’ENTITATS FINANCERES D’INVERSIÓ (hereinafter, we or ADEFI) informs you of the personal data that we collect through the services offered and are reflected through this website, how we treat them and the rights that in relation to your personal data and our treatments confers the Personal Data Protection regulations that apply to us.

Applicable legislation

Law 29/2021, of 28 October, on the Protection of Personal Data of the Principality of Andorra (hereinafter, the LQPD), and the regulations that develop it.

In the following table you will find links to facilitate your access to the points of this policy that are of interest to you. However, please read all the sections of the cookies policy and this privacy policy before using this website:

1. To whom does this Privacy Policy apply?
2. Who is the controller of your personal data?
3. How do we obtain your personal data?
4. What do we use your data for and on what legal basis?
   • To initiate and maintain relationships with our suppliers.
   • To analyse the evaluation of our services.
   • To deal with your requests, queries or complaints.
   • To extract aggregate statistics on the use of our website (analytical cookies).
   • To use Google services.
   • To notify you of security breaches.
   • For other purposes that are not incompatible with the above.
5. With whom may we share your personal data?
6. How long do we keep your personal data?
7. What rights do you have?
   • Your rights.
   • Where and how you can exercise your rights.
   • Forms for exercising your rights.
8. What responsibilities does it have?
9. How do we protect your personal data?
10. Changes to this Privacy Policy.

1. To whom does this Privacy Policy apply?

This Policy applies to individuals who interact with ADEFI through this website, to users of the services that ADEFI offers for the purposes described in section 4 of this policy (the Services), and to all individuals whose personal data (for example, their images) may appear on our website or in the context of the Services.

2. Who is the controller of your personal data?

The sole controller for the processing of your personal data in accordance with this policy is:

The ASSOCIACIÓ D’ENTITATS FINANCERES D’INVERSIÓ (ADEFI), with NRT U-800844-Y and registered office at Calle Bonaventura Armengol, 10, Ed. Montclar, Bl. 1, 5.ª Pl., AD500 Andorra la Vella (Principality of Andorra).

We have a Data Protection Delegate to whom you can contact by e-mail at DPD_Externo@Win2win.ad.

ADEFI is not responsible for the activities carried out by other websites, even if you access them through links on our website. We therefore strongly recommend that you carefully read the information provided to you by these other parties before giving them your personal data (especially the privacy and cookie policies of each website you visit), and that you contact this party if you have any concerns or questions.

3. How do we obtain your personal data?

In general, it is you who directly provides us with your personal data, for example, by means of the forms on this website. The only exceptions to this rule are:

• Contact details provided to us by our service and product providers when you represent them;
• Images that correspond to any news item in which we consider that the public interest and the right to information prevail over the possible interests of individuals, which image or other personal data is published on our website;
• Images that correspond to any content of the website to which we have the corresponding rights;
• Personal data about you that may appear in emails and instant messaging that we receive, or through forms on our website; and
• Cookies on this website, about which you can find more information in our cookie policy.

4. What do we use your data for and on what legal basis?

To initiate and maintain relationships with our suppliers:

If you represent a supplier of products or services, we collect your contact details and signature in order to: 

1. Manage our relations of all kinds with the supplier we represent.
2. Manage the corresponding file of our list of approved suppliers.
3. Manage the quotations and invoices of the supplier you represent.

The processing operations linked to purposes a) and b) are legitimised by the employment or service contract you have signed with the supplier you represent and our legitimate interest in contacting this supplier. And the processing operations linked to purpose c) are legitimised to be necessary for the performance of the contract(s) you have entered into with us.

To analyse the evaluation of our services:

We may process the information you provide to us to request feedback from you on the care you have received.

We may also extract aggregate statistics (i.e. the statistical output of which does not include personal information of any kind) in relation to interest in our services.

The basis for this processing is our legitimate interest in improving the quality of our services.

To deal with your requests, queries or complaints:

We collect the personal data you provide to us in your e-mails, by telephone, through contact forms, or through requests to exercise your rights, in order to deal with your requests, queries or complaints in relation to our services or your rights in relation to your personal data.

The legal basis for this processing is the consent you give when you submit or provide us with this data, our legal obligation to respond to your rights requests, and our legitimate interest in responding to you. The provision of your personal data is therefore voluntary, but if you do not provide it, we will not be able to process your request, query or complaint. You may revoke your consent at any time, but such revocation will also make it impossible to continue processing your request, query or complaint.

To extract aggregated statistics on the use of our website (analytical cookies).:

We use analytical or statistical cookies to identify the most and least visited pages, analyse what content is of most interest to our visitors, and measure the success of our information campaigns, all with the aim of improving the services we offer you through the Web. All these purposes provide aggregated results, in which it is not possible to identify the interests of any specific person.

As these are analytical cookies, we will not use them until we have your consent, and your failure to give or withdraw your consent will have no effect other than to hinder our aim of improving the website by analysing aggregated statistics of our visitors’ browsing.

You can find more information about these cookies in our cookie policy.

In order to use Google services:

In addition, as an obligation imposed by Google LLC, of which Google Ireland Ltd is a subsidiary, on entities, such as ourselves, that use the Google Analytics tools, we inform you that these two services are operated by Google Inc. located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and that Google Inc. is a beneficiary of these services.

The information generated by the cookies about your use of this website and your advertising preferences is generally transmitted to a Google server in the USA and stored there. For more information, please refer to the page describing how Google uses the information on our website and/or Google’s privacy policy with regard to the aforementioned services.

Please note that we have activated the IP anonymisation feature of the Google service to add additional safeguards in the standard contractual clauses protecting this international transfer of data in the USA. With this, Google will shorten your IP address before transmitting it in the USA (process of obfuscation of your identity). Only in exceptional cases is the full IP address sent to a Google server in the USA and shortened there. Google guarantees that the IP address transmitted by your browser in Google Analytics will not be processed together with any other data held by Google.

You can read about the categories of personal data processed by these services under privacy.google.com/businesses/adsservices.

To notify you of security breaches:

ADEFI takes security measures appropriate to the level of risk to protect personal information against loss, misuse and unauthorised access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of personal information; however, if we determine that your data has been misappropriated (including by an employee or former employee of ADEFI), has been exposed by a security breach or has been improperly acquired by a third party, exposing you to a high risk, we will immediately inform you of this security breach, misappropriation or acquisition, and of the steps we have taken and the steps we recommend you take to ensure that the breach does not affect you.

The basis that legitimises this processing is the legal obligation provided for in article 37 of the LQPD, and our legitimate interest in preventing this security breach from harming you.

For other purposes not incompatible with the foregoing:

We may use your personal data for other purposes that are not incompatible with the above (such as archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes) where permitted by applicable data protection laws, and of course acting in accordance with these and other applicable laws. 

5. With whom may we share your personal data?

We do not pass on your personal data to anyone unless: 

• You are the one who asks us to do so.
• We have a legal obligation to do so.
• A company sub-contracted to us needs to process them on our behalf (for example, our external Data Protection Officer, when handling your rights requests on our behalf), and subject to the terms and conditions of the relevant processor contract.
• A company subcontracted to us may have access to personal data held on our website or our systems from time to time, even though they do not need to process it on our behalf. This is the case, for example, with our web development and maintenance company or some of the services of our IT service providers. Because they may have access to ADEFI data, they have a signed service contract that obligates them to maintain the same level of privacy that we have at ADEFI.
• We need to protect or defend ADEFI’s rights or property.

Any international transfer that we may need to make will comply with the regulations in force at any given time.

6. How long do we keep your personal data?

ADEFI retains your personal data only for the duration of the processing that requires it and thereafter for as long as it takes for any legal liabilities applicable to us from time to time arising from the processing in question to expire (including the obligation to be able to demonstrate that we have complied with your request for destruction of personal data).

We will destroy any unnecessary or disproportionate personal data that may appear in emails and instant messaging we receive, or through forms on our website as soon as we receive it.

We will destroy (and rectify) any personal data that we find to be inaccurate as soon as we are satisfied that it is inaccurate.

If you send us a copy of an identity document, we will destroy this copy as soon as we have checked that it fulfils the purpose for which you sent it to us.

Where we do not have a legitimate purpose for processing some of your personal data, we will delete or anonymise it, and if this is not possible (for example, because it is held in backup copies), we will store it securely and block it to isolate it from further processing until such time as it can be deleted.

7. What rights do you have?

You have the right to obtain confirmation as to whether or not we hold any of your personal data. We explain below what other rights you have and how to exercise them.

Your rights

You can ask us to exercise the following rights:

• Access to your personal data. 
• Rectification of any of your personal data, specifying the reason for it. 
• Deletion of some or all personal data. 
• Restriction of the processing of your data, specifying the reason for the restriction. 
• Opposition to the processing of your personal data. 
• Portability of your data where the basis for the legitimisation of the collection has been consent or a contract. 
• Right not to be subject to automated individual decisions. 

The consent given, both for the processing and for the transfer of the data subjects’ data, may be revoked at any time by communicating it to us, as may any other right, as indicated in the following section. This revocation will in no case be retroactive.

Where and how you can exercise your rights:

You can exercise your rights:

1. By sending a written request to ADEFI, addressed to our postal address, indicated in section 2 of this policy, indicating a means of contacting you so that we can respond to your request, or ask you for more information if necessary. We would be grateful if you would mark on the envelope “Exercise of Personal Data Protection Rights". 
2. By sending an email or the form associated with the right you wish to exercise to the email address DPD_Extern@win2win.ad, indicating “Exercise of Personal Data Protection Rights" in the subject line.  You will find these forms further on in this section of the privacy policy.

In both cases, if we are unable to verify that you are who you say you are, we will ask you to please provide us with proof of your identity, and thus ensure that we reply only to the data subject or his or her legal representative.

If the sender of the mail is acting as a representative of the data subject, the accreditation of the representative has to be done by means of documents or legal instruments that correctly identify the data subject and the representative, and specify the assignment or the procedure for which the representation is delegated.

Finally, and especially if you consider that you have not been fully satisfied with the attention given to the exercise of your rights, we inform you that you may lodge a complaint with the national supervisory authority of your country, or by contacting the Andorran Data Protection Agency (APDA) for this purpose.

Forms for exercising your rights:

In order to make it easier for you to exercise your rights, we recommend that you use the appropriate application forms from the following forms:

• Form for exercising the right of acceso. 
• Form for exercising the right of rectification.
• Form for exercising the right to object (model A, y model B).
• Form for exercising the right of cancellation.
• Form for exercising the right to restrict processing.
• Form for exercising the right of portability. 
• Form for exercising the right not to be subject to automated individual decisions.

8. What responsibilities does it have?

By providing us with your details, you guarantee that they are accurate and complete. Likewise, you confirm that you are responsible for the veracity of the personal data that you have communicated to us and that you will keep them suitably updated so that they correspond to your real situation, taking responsibility for any false or inaccurate personal data that you may provide us with, as well as for any damages, direct or indirect, that may arise from their inaccuracy.

You may not provide us with personal data of other persons unless this is justified in relation to the services you are requesting from us. In any case, if you provide us with the personal data of third parties, you assume the responsibility of informing such third parties prior to providing us with their personal data. This information that you have to provide to third parties the data of which you provide us, must include all the provisions provided for in this privacy policy, and it is you who is responsible for the lawfulness of these personal data and for conveying to their holders the rights they have in relation to their personal data.

In cases where you are required to provide us with personal data of a child under the age of 16 or of a person whose rights are restricted, you are obliged to obtain the consent of the holders of parental or guardianship rights in doing so. Without this authorisation, you are prohibited from providing us with any personal data concerning such persons.

9. How do we protect your personal data? 

We are fully committed to protecting your privacy and your personal data. We have drawn up a record of all personal data processing activities that we carry out, we have analysed the risk that each of these activities may pose to you, and we have implemented appropriate legal, technical and organisational safeguards to prevent, to the extent possible, the alteration of your personal data, its misuse, loss, theft, unauthorised access, or unauthorised processing. We keep our policies appropriately up to date to ensure that we provide you with all the information we have about the processing of your personal data, and to ensure that our staff receive appropriate guidance on how they should treat your personal data. We have signed data protection clauses and processor agreements with all our service providers, taking into account the need for each service provider to process personal data.

We restrict access to personal data to those employees who really need to know them in order to carry out any of the processing referred to in this policy, and we have trained and made them aware of the importance of confidentiality and the maintenance of the integrity and availability of information, as well as the disciplinary measures that any possible infringement in this area would entail.

However, if ADEFI, determines that your data has been misappropriated (including by an ADEFI employee), exposed by a security breach or improperly acquired for a third party, ADEFI will immediately inform you of this security breach, misappropriation or misacquisition.

10. Changes to this Privacy Policy 

We will update this policy from time to time to reflect any changes to the law or our processing. If the changes are material, we will notify you before they become effective by sending you a notice or posting a prominent notice on this website, and you will have the option to exercise your rights as set out in a previous section. In any event, we encourage you to periodically review this privacy policy to learn how we are protecting your personal information.

If you have any questions about this policy, please let us know by emailing us at DPD_Extern@win2win.ad.

Last updated: 24 August 2022