GDPR and Privacy Policy

1- DATA CONTROLLER AND CONTACT DETAILS OF THE DATA PROTECTION OFFICER

The company responsible for processing the personal data of the Data Subjects is ERSM INSURANCE BROKERS CORREDURÍA DE SEGUROS Y REASEGUROS, S.A. (hereinafter “ERSM” or “We” or the “Company”), a company incorporated under Spanish law, with registered office at calle Princesa, 31, 3º, Madrid 28008 (Madrid) and main office at calle Nicaragua, 50, Bajos, 08029, Barcelona (Barcelona), holder of CIF number A-58.538.687. All the legal information identifying ERSM is available to the Data Subjects in the legal notice of the general conditions of use of the Company's corporate website, accessible at https://ersmbrokers.com/informacion-legal/.

If you have any questions about the processing carried out or wish to request additional information, the Data Subjects may contact ERSM's Data Protection Officer, clearly identifying their request by sending an email to protecciondatos@ersmgrupo.com.

2- WHAT IS PERSONAL DATA AND PROCESSING? WHO ARE THE DATA SUBJECTS?

Personal data is any information about an identified or identifiable natural person, such as a name, an identification number, location data, an IP address, contact details, health data, an image or one or more elements specific to the physical, economic or social identity of that person. Processing of personal data is any operation or set of operations that ERSM performs on the personal data of the Data Subjects, such as collection, recording, storage, use, deletion and/or communication to third parties.

The data subjects are the identified or identifiable natural persons who own the personal data (hereinafter, the “Data Subjects”). With regard to ERSM and this Privacy Policy, the Data Subjects are the clients who contract ERSM's products and services (hereinafter, the “End Clients”), the potential clients (hereinafter, the “Potential End Clients”), the users of its corporate websites (hereinafter, the “Users”) and the persons who express their interest in ERSM's products and services, as well as in the Company itself and/or its novelties, regardless of whether they are Clients of ERSM or not (hereinafter, the “Subscribers”),

3- THROUGH WHAT CHANNELS DO WE COLLECT PERSONAL DATA FROM DATA SUBJECTS?

ERSM may collect the personal data of the Data Subjects directly from them through the following channels:

  • Interaction of the Data Subjects with ERSM through the various channels in force at any given time from which the ERSM Customer Service Center provides its service;
  • Use of ERSM's corporate website (hereinafter, the “Website”), as well as those informative and/or promotional websites and corporate profiles on different social networks that ERSM makes available to the Data Subjects at any given time;
  • Completion of forms that ERSM makes available to the Data Subjects at any given time, such as information request forms, client registration forms, contact forms or subscription to the sending of commercial communications through the communication channels enabled at any given time for this purpose by ERSM (electronic, telephone, postal communication, etc.);
  • Contracting, use and enjoyment of the services and products contracted with ERSM by the End Clients; and
  • Filing a complaint or claim by the End Clients and/or Potential End Clients with the Customer Service Department.

ERSM may also receive personal data from End Clients and Potential End Clients from third parties, such as experts, insurance companies and/or external collaborators who carry out their professional activities and/or intervene in any way within the framework of the insurance distribution activity in accordance with the provisions of the current regulations applicable to insurance distribution activities.

In those cases in which, for the effective and correct performance of a certain processing by ERSM, it is necessary for the Data Subject to provide certain personal data, the refusal to supply said personal data by the Data Subject will entail the impossibility for ERSM to carry out said processing.

4- WHAT PERSONAL DATA PROCESSING DO WE CARRY OUT AT ERSM?

Below, we detail the processing that we carry out at ERSM with the personal data of the Data Subjects, specifying in each case the purposes, legitimizing bases and retention periods of each processing:

  1. Management of the contractual relationship:

Purposes:

  • Provide the Company's own services contracted in each case by the End Clients.
  • Provide the customer service center service (“ERSM Customer Service Center”) through the channels made available to End Clients and Potential End Clients by ERSM at any given time.
  • Conduct surveys or studies to measure the quality of services aimed at End Clients.
  • Maintain regular communication with End Clients for any issue or incident related to insurance and the Company's own services contracted in each case by the End Clients.
  • Keep the history of End Clients with respect to their contractual relationship with ERSM.
  • Comply with those obligations that are legally required of ERSM, such as in matters of insurance distribution regulation; prevention of fraud, money laundering, financing of terrorism; consumers and users, personal data protection, etc.
  • Bring legal actions or present the corresponding defense against them when this is necessary as a consequence of and/or in relation to any of the purposes described above and/or other personal data processing carried out by ERSM.

Personal data subject to processing:

  • Identification data: full name, DNI or NIE, social security number, image and/or voice, IP address.
  • Contact details: telephone, email, address.
  • Personal data: date and place of birth, age, marital status, family data.
  • Economic-financial data: bank account details, card details, income, rents, credits, loans, guarantees, pension plan, retirement, properties.
  • Professional data: category or position, employer company, salary.
  • Social data: type and date of driving license, aid or subsidies, receipt of social assistance benefits, subsidies, pensions.
  • Special categories of personal data: health data, where applicable.
  • Data generated for the purpose of the contractual relationship maintained with ERSM: history of contracted insurance, renewals, cancellations, declared claims, modifications of conditions, beneficiaries, etc.

Legitimizing bases of the processing:

  • Execution of a contract in which the End Client is a party or for the application at the request of the Potential End Client of pre-contractual measures.
  • Compliance with the obligations legally required of ERSM such as legislation regulating insurance distribution; prevention of fraud, money laundering, financing of terrorism; consumers and users, personal data protection and commercial, accounting and tax.
  • Satisfaction of the legitimate interest pursued by ERSM as data controller to defend its economic, legal and reputational interests against any breach, irregularity, fraud or claim related to its activity, as well as to guarantee the continuity of its activity in the event of being subject to any commercial transaction.

Retention period:

  • ERSM will process the personal data of the End Clients while the contractual relationship with them is in force and the personal data of the Potential End Clients until the resolution of the query or request for pre-contractual measures made by them through the means in force at any given time of service provision from the ERSM Customer Service Center.
  • Once the contractual relationship between ERSM and the End Clients and the pre-contractual relationship between ERSM and the Potential Clients has ended, ERSM will keep their personal data for the mandatory retention periods stipulated in the current regulations on pre-contractual matters of insurance distribution (6 years), commercial and accounting (5 years) and tax (4 years) and prevention of money laundering (10 years).

  1. Recording of calls made to the ERSM Customer Service Center and analysis of the service provided from it:

Purposes:

  • Analysis of the service provided in each case by the ERSM Customer Service Center through the different channels enabled for this purpose at any given time.
  • Internal measurement of the levels of quality and efficiency of the service provided in each case by the ERSM Customer Service Center through the different channels enabled for this purpose at any given time.
  • Manage any request, incident, complaint or claim, as well as any other management or communication received in the ERSM Customer Service Center.
  • Comply with those obligations that are legally required of ERSM such as in matters of insurance distribution regulation; prevention of fraud, money laundering, financing of terrorism, etc.
  • Bring legal actions or present the corresponding defense against them when this is necessary as a consequence of, and/or in relation to any of the purposes described above and/or other personal data processing carried out by ERSM.

Personal data subject to processing:

  • Identification data: full name, DNI or NIE, social security number, image and/or voice, IP address.
  • Contact details: telephone, email, address.
  • Personal data: date and place of birth, age, marital status, family data.
  • Economic-financial data: bank account details, card details, income, rents, credits, loans, guarantees, pension plan, retirement, properties.
  • Professional data: category or position, employer company, salary.
  • Social data: type and date of driving license, aid or subsidies, receipt of social assistance benefits, subsidies, pensions.
  • Special categories of personal data: health data, where applicable.
  • Data generated for the purpose of the contractual relationship maintained with ERSM: current contracts, history of contracted insurance, renewals, cancellations, declared claims, modifications of conditions, beneficiaries, etc.

Legitimizing bases of the processing:

  • The satisfaction of ERSM's legitimate interest in guaranteeing the achievement and improvement of its economic interests and maintaining a constant relationship with its End Clients, Potential Clients and Users in order to provide them with a better service and build loyalty.

Retention period:

  • ERSM will process the personal data of the End Clients while the contractual relationship with them is in force and the personal data of the Potential End Clients until the resolution of the query or request for pre-contractual measures made by them through the means in force at any given time of service provision from the ERSM Customer Service Center.
  • Once the contractual relationship between ERSM and the End Clients and the pre-contractual relationship between ERSM and the Potential Clients has ended, ERSM will keep their personal data for the mandatory retention periods stipulated in the current regulations on pre-contractual matters of insurance distribution (6 years).

  1. Commercial action:

Purposes:

  • Contact by telephone or send advertising or promotional communications by email or other equivalent electronic or postal means to End Clients, Potential End Clients and Subscribers about the products, services, promotions, novelties and other information relating to ERSM and its activity that may be of interest to them.

Personal data subject to processing:

  • Identification data: full name; and
  • Contact details: telephone, mobile phone, email and address.

Legitimizing bases of the processing:

  • The consent of the Subscribers (the Data Subjects have the right to withdraw their consent at any time without affecting the lawfulness of the processing previously carried out on the basis of said consent prior to its withdrawal. If consent is not granted, ERSM will not carry out the processing).
  • The satisfaction of ERSM's legitimate interest in maintaining a regular communication with its End Clients that allows them to be informed of the products, services, promotions and novelties that ERSM offers at any given time.

Retention period:

  • ERSM will process the personal data of the Data Subjects until they exercise their right of deletion or opposition.

  1. Management of claims submitted to the Customer Service Department:

Purposes:

  • Attend to and resolve the types of complaints and claims in accordance with the provisions of the ERSM Customer Service regulations.
  • Comply with those obligations that are legally required of ERSM such as in matters of insurance distribution regulation; prevention of fraud, money laundering, financing of terrorism; consumers and users, personal data protection, etc.
  • Bring legal actions or present the corresponding defense against them when this is necessary as a consequence of and/or in relation to any of the purposes described above and/or other personal data processing carried out by ERSM.

Personal data subject to processing:

  • Identification data: full name, DNI or NIE, social security number, image and/or voice, IP address.
  • Contact details: telephone, email, address.
  • Personal data: date and place of birth, age, marital status, family data.
  • Economic-financial data: bank account details, card details, income, rents, credits, loans, guarantees, pension plan, retirement, properties.
  • Professional data: category or position, employer company, salary.
  • Social data: type and date of driving license, aid or subsidies, receipt of social assistance benefits, subsidies, pensions.
  • Special categories of personal data: health data, where applicable.
  • Data generated for the purpose of the contractual relationship maintained with ERSM: history of contracted insurance, renewals, cancellations, declared claims, modifications of conditions, beneficiaries, etc.

Legitimizing bases of the processing:

  • Compliance with the obligations legally required of ERSM derived from the current regulations on insurance distribution.
  • Satisfaction of the legitimate interest pursued by ERSM as data controller to defend its economic, legal and reputational interests against any breach, irregularity, fraud or claim related to its activity.

Retention period:

  • ERSM will process the personal data of the End Clients and the Potential End Clients until the effective resolution of the claim submitted to the Customer Service Department.
  • Once the claim has been resolved, ERSM will keep their personal data for the mandatory retention periods stipulated in the current regulations on pre-contractual matters of insurance distribution (6 years) and on prevention of money laundering (10 years).

  1. Blocking of personal data and maintenance of deletion lists:

Purposes:

  • Process, when appropriate, the deletion and/or rectification of the personal data of the Data Subjects subject to processing.
  • Prevent the processing of personal data, including its visualization, except for its provision to the judges and courts, the Public Prosecutor's Office or the competent Public Administrations, in particular the data protection authorities.
  • Bring legal actions or present the corresponding defense against them when this is necessary as a consequence of and/or in relation to the responsibilities derived from the processing of personal data carried out by ERSM.

Personal data subject to processing:

  • Identification data: full name, national identity document (DNI) or foreign identity number (NIE), social security number, image and/or voice, IP address.
  • Contact information: telephone, email, address.
  • Personal data: date and place of birth, age, marital status, family data.
  • Financial data: bank account details, card details, income, revenue, credit, loans, guarantees, pension plan, retirement, properties.
  • Professional data: category or position, employer company, salary.
  • Social data: type and date of driving license, aid or subsidies, receipt of social assistance benefits, subsidies, pensions.
  • Special categories of personal data: health data, where applicable.
  • Data generated for the purpose of the contractual relationship maintained with ERSM: history of insurance policies taken out, renewals, cancellations, claims declared, modifications of conditions, beneficiaries, etc.

Legitimizing bases of the processing:

  • Compliance with the legal obligations required of ERSM derived from current regulations on the protection of personal data.

Retention period:

  • When ERSM proceeds to rectify or delete the personal data of the Data Subjects, it will proceed to block them, adopting appropriate technical and organizational measures to prevent their processing, except for making the data available to the judges and courts, the Public Prosecutor's Office or the competent Public Administrations, in particular the data protection authorities, for the enforcement of possible liabilities arising from the processing and only for the limitation period thereof; specifically 6 years in tax and pre-contractual matters of insurance distribution, 5 years in contractual matters, insurance distribution, consumers and users and prevention of money laundering, 3 years in matters of personal data protection and 2 years in matters of information society services.
  • Once the maximum limitation period for liabilities arising from the processing has elapsed, ERSM will anonymize or permanently delete the personal data of the Data Subjects.

  1. Analysis of use, exploitation and improvement of the Website:

Purposes:

  • Collect information on Users' browsing of the Website in order to know the origin of visits and other similar data at a statistical level.
  • Allow Users to view the Website, display content and interact with it.
  • Avoid spam.
  • Store and retrieve information about the browsing habits and preferences of Users or their devices.

Personal data subject to processing:

  • Identification data: IP address;
  • Information on the use and browsing of the Website by the User: login data, origin page of the visit to the Website, pages subsequent to the visit of the Website, layers of the Website visited, duration of browsing, products recommended, data of the browser used and data of the device used.

Legitimizing bases of the processing:

  • The consent of the User (the Data Subject has the right to withdraw their consent at any time without affecting the lawfulness of the processing previously carried out on the basis of said consent prior to its withdrawal. In case of not granting their consent, ERSM will not carry out the processing); and
  • The satisfaction of the legitimate interest of ERSM to maintain the security, accessibility and usability of the Website.

Retention period:

  • ERSM will process the personal data of the Users during the retention times of each cookie used at any time or until they withdraw their consent to the use of cookies and in any case for a maximum period of 24 months.

5- WHAT RIGHTS CAN DATA SUBJECTS EXERCISE BEFORE ERSM OVER THEIR PERSONAL DATA?

Right of access

Data Subjects have the right to know if ERSM is processing their personal data or not and, if so, the right to know what data it processes.

Right of rectification

Data Subjects have the right to modify those data of theirs that are inaccurate and to complete those data that are incomplete. Whenever they request to rectify any personal data, they must indicate which data they wish to modify in each case and adequately accredit them.

Right to object

In the cases legally foreseen, the Data Subjects may object at any time, for reasons related to their particular situation, to ERSM processing their personal data when the legitimizing basis of said processing is a legitimate interest of ERSM or the fulfillment of a mission of public interest by the same. In any case, the Data Subjects must remember that opposition to the performance of those processing based on consent or on the execution of a contract will entail the impossibility for ERSM to carry out said processing or execute said contract. For all those processing whose object is direct marketing, you can always oppose them and/or revoke your consent at any time.

Right of deletion

Data Subjects have the right to obtain without undue delay from ERSM the deletion of personal data concerning them, provided that certain circumstances provided for in the applicable current regulations occur. This does not mean that the data of the Data Subjects are totally eliminated, but that they will be duly kept blocked, that is, kept in a way that prevents their processing except for making them available to public administrations, judges and courts for the attention of possible liabilities that have arisen as a result of the processing during the limitation period of the latter. Once that period has elapsed, the data will be duly anonymized or permanently deleted.

Right to data portability

Data Subjects have the right to receive and/or request that those personal data that concern them and that they have provided to ERSM be transferred to another data controller other than ERSM. ERSM reminds Data Subjects that it is only possible to exercise this right when the legitimizing basis for the processing of their personal data is the execution of a contract or the consent of the Data Subject and the processing is carried out by automated means.

Right to restriction of processing

Data Subjects have the right to request ERSM to suspend the processing of their data (i) when they have challenged the accuracy of their data, while ERSM verifies said accuracy; or (ii) when they have exercised their right to object to the processing of their data, while it is verified whether the legitimate interests of ERSM prevail over those of the Data Subjects. Likewise, this right allows Data Subjects to request ERSM to keep their personal data when (i) the data processing is illegal and the Data Subject opposes the deletion of their data, requesting instead a restriction of its use; or (ii) ERSM no longer needs their personal data for the purposes of the processing, but needs them for the formulation, exercise, or defense of claims.

In those personal data processing that we carry out on the legitimizing basis of the consent of the Data Subjects, the latter have the right to withdraw said consent at any time without affecting the lawfulness of the processing previously carried out based on the consent prior to its withdrawal. Those data processing that ERSM carries out on the legitimizing basis of the consent of the Data Subject may not be carried out by ERSM if the Data Subject refuses to give their consent.

ERSM does not currently carry out any profiling of the Data Subjects, nor does it carry out any automated processing of their personal data on which decisions are made that may legally affect or significantly similarly affect the Data Subjects.

Data Subjects may exercise their rights free of charge, freely and at any time by communicating it to ERSM by email addressed to its DPO at the address protecciondatos@ersmgrupo.com and specifying which right in particular is being exercised. If we have difficulties identifying the Data Subject, we may request the same to send an identifying document in order to duly confirm their identity and correctly manage their request. In the event that you consider that ERSM has not correctly satisfied the exercise of your rights, you may file a claim with the Spanish Data Protection Agency - https://www.aepd.es/es.

6- TO WHOM DO WE COMMUNICATE THE PERSONAL DATA OF THE DATA SUBJECTS?

ERSM may communicate the personal data of the Final Clients and Potential Final Clients to different insurance companies in order to request the corresponding insurance quotations requested by the Final Clients and the Potential Clients.

ERSM may also communicate the personal data of the Final Clients to the insurance companies with whom the Final Clients have contracted insurance, as well as the professionals who, in case of any incident related to their insurance, it is appropriate to contact (tow truck drivers, manufacturers, plumbers, medical centers, etc.) in order to carry out the appropriate procedures derived from the execution of the insurance contract of which the Final Client is a party. In any case, ERSM will only communicate the personal data of the Final Clients and Potential Final Clients when said communication is necessary for the achievement of the purposes of the aforementioned processing and only to the extent that said communication is necessary.

In addition, ERSM may communicate the personal data of the Data Subjects for the formulation, exercise or defense of claims when this is necessary (i) upon receipt of the corresponding legal requirement from the competent authority; (ii) in application of a legal obligation required of ERSM; or (iii) in execution of the legitimate interest of ERSM to defend its economic, legal, reputational or any other type of interests to the following third parties:

  • Customer Service
  • Legal advisors
  • Courts and Tribunals
  • Tax Administration
  • Regional Consumer Agencies
  • Spanish Data Protection Agency
  • Security Forces
  • Public Administrations

As provided for in the current regulations applicable in matters of personal data protection, ERSM may communicate the personal data of the Data Subjects to third companies interested in acquiring the Company or its assets if ERSM or substantially all of its assets are subject to the development of any operation of structural modification of companies or the contribution or transfer of business or business line. In such cases, ERSM will only communicate the personal data of the Data Subjects when said communication is necessary for the success of the operation and guarantees, when appropriate, the continuity in the provision of services by ERSM or the acquiring company.

7- WHO CAN ACCESS THE PERSONAL DATA OF THE DATA SUBJECTS?

At ERSM we work with suppliers whose services are necessary for the proper functioning of our organization, the correct presentation and usability of the Website and the guarantee of operation and security of our information systems. Some of these suppliers may have access to the personal data of the Data Subjects by reason of the service provided to ERSM, holding the consideration of data processors. This is the case, for example, of the suppliers that help improve and optimize the Website, the providers of technological services or the suppliers or those that offer maintenance services for their databases and information systems. At ERSM we have and apply a protocol for contracting data processors in accordance with the provisions of current regulations on personal data protection.

8- IS THE PERSONAL DATA OF THE DATA SUBJECTS SAFE?

ERSM adopts the appropriate procedures and information systems and implements the necessary technical and organizational security measures to guarantee a level of security appropriate to the risks that the processing included in this Privacy Policy may entail. All information provided will be stored on secure servers. Thus, once ERSM has received all the information from the Data Subjects, strict security procedures will be used to try to prevent any unauthorized access. Likewise, ERSM ensures that its service providers also have adequate security standards for the protection of personal data with respect to which they have or may have access, in accordance with the data protection legislation applicable at all times.

ERSM does not transfer the personal data of the Data Subjects outside the European Economic Area.

9- CHANGES IN THIS PRIVACY POLICY

This Privacy Policy may vary over time due to possible changes in criteria followed at any time by the Spanish Data Protection Agency or other control authorities, legislative modifications that may take place and jurisprudential pronouncements that are applicable to this privacy policy. ERSM reserves the right to modify this Privacy Policy in order to adapt it to said criteria, as well as to jurisprudential or legislative developments.

Current version since: June 12, 2025


PRIVACY AND DATA PROTECTION POLICY

In accordance with the provisions of Organic Law 3/2018 on the Protection of Personal Data and Regulation (EU) 2016/679 of the European Parliament and of the Council, dated 4-27-2016, ERSM Insurance Brokers undertakes to adopt the technical and organizational measures necessary, according to the level of security of the data collected, in a way that guarantees the security of personal data and prevents its alteration, loss, processing or unauthorized access.

In accordance with the provisions of article 11 of the aforementioned Organic Law 3/2018, the User is informed that the personal data collected by ERSM Insurance Brokers, through the forms extended on its pages, will be entered into an automated file under the responsibility of ERSM Insurance Brokers, in order to facilitate, expedite and fulfill the commitments established between both parties or the maintenance of the relationship established in the forms that it subscribes or to attend to a request or query.

As long as the User does not communicate otherwise to ERSM Insurance Brokers, it will be understood that their data has not been modified, that the User undertakes to notify any variation and that they have the consent to use them for the determined, explicit and legitimate purposes for which they have been obtained. It may even be, in addition, used for a commercial purpose of personalization, operation and statistics, and activities of its corporate purpose, expressly authorizing ERSM Insurance Brokers for the extraction, storage of data and marketing studies to adapt the Content offered to the User, and thus improve the quality, operation and navigation of the Website.

On occasions when the User may provide their data through forms, in order to make inquiries, request information and/or for reasons related to the Content offered on the Website, if the data provided by the User were essential for the correct development of all this, the User will be informed of this, indicating that they are data whose completion is mandatory.

In case of not authorizing the processing of their data for the purpose indicated in the previous paragraph, the User may exercise their rights of:
Information-Access - art. 15 Regulation (EU) 2016/679
Rectification - art. 16 same Regulation
Deletion – art. 17 same Regulation
Opposition – art. 21 same Regulation
as well as the rights of limitation of processing (art. 18 Regulation) and data portability (art. 20 Regulation) that they have and that can be exercised before ERSM Insurance Brokers, in accordance with the repeated Regulation EU 2016/679.
To do this, you must take into account the following indications:

  • Right of Access: This is the User's right to obtain information about their specific personal data and the processing that ERSM Insurance Brokers has carried out or is carrying out, as well as information available on the origin of said data and the communications made or planned regarding the same.
  • Right of Rectification: This is the User's right to have the data modified that, being within the automated file, turns out to be inaccurate or incomplete.
  • Right of Suppression: This is the right to suppress the User's personal data, with the exception of what is provided in other applicable laws that determine the mandatory nature of its conservation, in terms of time and form.
  • Right of Opposition: This is the User's right to prevent the processing of their personal data or to cease the processing thereof by ERSM Insurance Brokers.

Thus, the User may exercise their rights by means of a written communication addressed to ERSM Insurance Brokers with the reference "Personal Data Protection", specifying:

  • Name, surnames of the User and copy of the DNI (National Identity Document). In cases where representation is permitted, identification by the same means of the person representing the User will also be necessary, as well as the document proving the representation. The photocopy of the DNI may be replaced by any other means valid in law that proves identity.
  • Petition with the specific reasons for the request or information to which access is desired.
  • Address for notification purposes.
  • Date and signature of the applicant.
  • Any document that proves the request made.

The User must use a method of sending that allows proof of sending and receipt of the request and its attached documents, which must be sent to the following address and/or email:
C. Nicaragua, 50 bajos, 08029 Barcelona, Telf. 934391400
protecciondatos@ersmgrupo.com
ERSM Insurance Brokers reserves the right to modify its Privacy Policy, according to its own criteria, or motivated by a legislative or jurisprudential change.
The use of the Web after said changes will imply acceptance of the same.