Law 29/2021, of 28 October, on the Protection of Personal Data of the Principality of Andorra (hereinafter, the LQPD), and the regulations that develop it.
This Policy applies to individuals who interact with ADEFI through this website, to users of the services that ADEFI offers for the purposes described in section 4 of this policy (the Services), and to all individuals whose personal data (for example, their images) may appear on our website or in the context of the Services.
2. Who is the controller of your personal data?
The sole controller for the processing of your personal data in accordance with this policy is:
The ASSOCIACIÓ D’ENTITATS FINANCERES D’INVERSIÓ (ADEFI), with NRT U-800844-Y and registered office at Calle Bonaventura Armengol, 10, Ed. Montclar, Bl. 1, 5.ª Pl., AD500 Andorra la Vella (Principality of Andorra).
We have a Data Protection Delegate, whom you can contact by e-mail at DPD_Externo@Win2win.ad.
ADEFI is not responsible for the activities carried out by other websites, even if you access them through links on our website. We therefore strongly recommend that you carefully read the information provided to you by these other parties before giving them your personal data (especially the privacy and cookie policies of each website you visit), and that you contact the party concerned if you have any concerns or questions.
3. How do we obtain your personal data?
In general, it is you who directly provides us with your personal data, for example, by means of the forms on this website. The only exceptions to this rule are:
4. What do we use your data for and on what legal basis?
To initiate and maintain relationships with our suppliers:
If you represent a supplier of products or services, we collect your contact details and signature in order to:
The processing operations linked to purposes a) and b) are legitimised by the employment or service contract you have signed with the supplier you represent and our legitimate interest in contacting this supplier. The processing operations linked to purpose c) are legitimised because they are necessary for the performance of the contract(s) you have entered into with us.
To analyse the evaluation of our services:
We may process the information you provide to us to request feedback from you on the care you have received.
We may also extract aggregate statistics (i.e. statistics whose output does not include personal information of any kind) in relation to interest in our services.
The basis for this processing is our legitimate interest in improving the quality of our services.
To deal with your requests, queries or complaints:
We collect the personal data you provide to us in your e-mails, by telephone, through contact forms, or through requests to exercise your rights, in order to deal with your requests, queries or complaints in relation to our services or your rights in relation to your personal data.
The legal basis for this processing is the consent you give when you submit or provide us with this data, our legal obligation to respond to your rights requests, and our legitimate interest in responding to you. The provision of your personal data is therefore voluntary, but if you do not provide it, we will not be able to process your request, query or complaint. You may revoke your consent at any time, but such revocation will also make it impossible to continue processing your request, query or complaint.
To extract aggregated statistics on the use of our website (analytical cookies):
We use analytical or statistical cookies to identify the most and least visited pages, analyse what content is of most interest to our visitors, and measure the success of our information campaigns, all with the aim of improving the services we offer you through the Web. All these purposes provide aggregated results, in which it is not possible to identify the interests of any specific person.
As these are analytical cookies, we will not use them until we have your consent. If you do not give your consent, or if you withdraw it, the only effect will be to hinder our aim of improving the website by analysing aggregated statistics of our visitors’ browsing.
In order to use Google services:
In addition, as an obligation imposed by Google LLC, of which Google Ireland Ltd is a subsidiary, on entities, such as ourselves, that use the Google Analytics tools, we inform you that these two services are operated by Google Inc. located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and that Google Inc. is a beneficiary of these services.
Please note that we have activated the IP anonymisation feature of the Google service to add additional safeguards to the standard contractual clauses protecting this international transfer of data to the USA. With this, Google will shorten your IP address before transmitting it to the USA (process of obfuscation of your identity). Only in exceptional cases is the full IP address sent to a Google server in the USA and shortened there. Google guarantees that the IP address transmitted by your browser in Google Analytics will not be processed together with any other data held by Google.
You can read about the categories of personal data processed by these services under privacy.google.com/businesses/adsservices.
To notify you of security breaches:
ADEFI takes security measures appropriate to the level of risk to protect personal information against loss, misuse and unauthorised access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of personal information; however, if we determine that your data has been misappropriated (including by an employee or former employee of ADEFI), has been exposed by a security breach or has been improperly acquired by a third party, exposing you to a high risk, we will immediately inform you of this security breach, misappropriation or acquisition, and of the steps we have taken and the steps we recommend you take to ensure that the breach does not affect you.
The basis that legitimises this processing is the legal obligation provided for in article 37 of the LQPD, and our legitimate interest in preventing this security breach from harming you.
For other purposes not incompatible with the foregoing:
We may use your personal data for other purposes that are not incompatible with the above (such as archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes) where permitted by applicable data protection laws, and of course acting in accordance with these and other applicable laws.
5. With whom may we share your personal data?
We do not pass on your personal data to anyone unless:
Any international transfer that we may need to make will comply with the regulations in force at any given time.
6. How long do we keep your personal data?
ADEFI retains your personal data only for the duration of the processing that requires it and thereafter for as long as it takes for any legal liabilities applicable to us from time to time arising from the processing in question to expire (including the obligation to be able to demonstrate that we have complied with your request for destruction of personal data).
We will destroy any unnecessary or disproportionate personal data that may appear in emails and instant messaging we receive, or through forms on our website as soon as we receive it.
We will destroy (and rectify) any personal data that we find to be inaccurate as soon as we are satisfied that it is inaccurate.
If you send us a copy of an identity document, we will destroy this copy as soon as we have checked that it fulfils the purpose for which you sent it to us.
Where we do not have a legitimate purpose for processing some of your personal data, we will delete or anonymise it, and if this is not possible (for example, because it is held in backup copies), we will store it securely and block it to isolate it from further processing until such time as it can be deleted.
7. What rights do you have?
You have the right to obtain confirmation as to whether or not we hold any of your personal data. We explain below what other rights you have and how to exercise them.
You can ask us to exercise the following rights:
The consent given, both for the processing and for the transfer of the data subjects’ data, may be revoked at any time by communicating it to us, as may any other right, as indicated in the following section. This revocation will in no case be retroactive.
Where and how you can exercise your rights:
You can exercise your rights:
In both cases, if we are unable to verify that you are who you say you are, we will ask you to please provide us with proof of your identity, and thus ensure that we reply only to the data subject or his or her legal representative.
If the sender of the mail is acting as a representative of the data subject, the accreditation of the representative has to be done by means of documents or legal instruments that correctly identify the data subject and the representative, and specify the assignment or the procedure for which the representation is delegated.
Finally, and especially if you consider that you have not been fully satisfied with the attention given to the exercise of your rights, we inform you that you may lodge a complaint with the national supervisory authority of your country, or by contacting the Andorran Data Protection Agency (APDA) for this purpose.
Forms for exercising your rights:
In order to make it easier for you to exercise your rights, we recommend that you use the appropriate application form from the following:
8. What responsibilities do you have?
By providing us with your details, you guarantee that they are accurate and complete. Likewise, you confirm that you are responsible for the veracity of the personal data that you have communicated to us and that you will keep them suitably updated so that they correspond to your real situation, taking responsibility for any false or inaccurate personal data that you may provide us with, as well as for any damages, direct or indirect, that may arise from their inaccuracy.
In cases where you are required to provide us with personal data of a child under the age of 16 or of a person whose rights are restricted, you are obliged to obtain the consent of the holders of parental or guardianship rights in doing so. Without this authorisation, you are prohibited from providing us with any personal data concerning such persons.
9. How do we protect your personal data?
We are fully committed to protecting your privacy and your personal data. We have drawn up a record of all personal data processing activities that we carry out, we have analysed the risk that each of these activities may pose to you, and we have implemented appropriate legal, technical and organisational safeguards to prevent, to the extent possible, the alteration of your personal data, its misuse, loss, theft, unauthorised access, or unauthorised processing. We keep our policies appropriately up to date to ensure that we provide you with all the information we have about the processing of your personal data, and to ensure that our staff receive appropriate guidance on how they should treat your personal data. We have signed data protection clauses and processor agreements with all our service providers, taking into account the need for each service provider to process personal data.
We restrict access to personal data to those employees who really need to know them in order to carry out any of the processing referred to in this policy, and we have trained them and made them aware of the importance of confidentiality and the maintenance of the integrity and availability of information, as well as the disciplinary measures that any possible infringement in this area would entail.
However, if ADEFI determines that your data has been misappropriated (including by an ADEFI employee), exposed by a security breach or improperly acquired by a third party, ADEFI will immediately inform you of this security breach, misappropriation or improper acquisition.
If you have any questions about this policy, please let us know by emailing us at DPD_Extern@win2win.ad.
Last updated: 24 August 2022