Privacy Policy

1. Introduction and scope of application

The purpose of this privacy policy (hereinafter, the "Privacy Policy" or the "Policy"), in accordance with Regulation (EU) 679/2016 of 27 April 2016, approving the General Data Protection Regulation (hereinafter, the "GDPR") and other applicable implementing data protection legislation, is to regulate and provide information about the processing carried out by Open Bank, S.A. (hereinafter “Openbank” or “we”) of personal data of customers (hereinafter, “you” or the “Customer”) who sign up for a store’s payment service when they buy goods and/or services, so that they can pay Openbank directly for their purchase (hereinafter, the “Service”). The Service is run by Zinia (hereinafter, “Zinia”), a registered trademark of Openbank.

This Policy provides you with information about the categories of personal data we process, the means by which we have obtained your personal data, the purposes for which we collect and process your personal data, the legitimate basis for such processing, the data recipients, the applicable data retention periods and the rights granted to you by the regulations in relation to your personal data.

Please take a few minutes to read and properly understand its contents. If you have any questions, please contact our Data Protection Officer, whose contact details can be found below.

2. Who is the Data Controller?

“Open Bank, S.A”, operating through its registered trademark, “Zinia”.

Business address: Plaza de Santa Bárbara 2, 28004 Madrid, Spain.

Email address for contacting the Data Protection Officer: datenschutz.de@zinia.com.

3. What information do we collect from you and how do we obtain it?

We will process the categories of personal data listed below that we obtain directly from you through the various forms for requesting information, or from third parties (e.g., the business where you make your purchase, credit reporting agencies (such as Infoscore Consumer Data GmbH, Schufa Holding or CRIF GmbH) or other external/public sources).

The data we indicate in each of the forms as "mandatory" is necessary for the proper undertaking of your relationship with Openbank. If we do not receive this information, we will not be able to process your request or provide you with the Service.

  • Contact and identification data: name and surname, billing and shipping address, mobile phone number, fingerprint, email address and country of residence.
  • Economic, financial and insurance data: data related to the price of the goods you purchase, data related to the payment of your purchase (e.g., bank account, bank name and branch), data related to arrears, solvency and debt history, pending payment orders and information about negative payment history and previous credit approvals.
  • Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and tracking number.
  • Device data: IP address, language settings, browser settings, time zone, operating system, platform, screen resolution, log in through the different devices you use and other similar device settings.
  • Data about your personal characteristics: date of birth, age, sex and nationality.
  • Unique identifiers: data collected from cookie ID, device ID, fingerprint, recorded voice calls, chat conversations and email correspondence.
  • Employment data: position and contact details of the contact persons acting as legal representatives of the businesses we collaborate with.
  • Special categories of personal data: data that reveals information about health and information related to sanctions lists.
  • Data about politically exposed persons and sanction lists: sanctions and PEP lists containing information such as name, date of birth, place of birth, occupation or position, and the reason why the person is included on the respective list.

In addition to the above data that you provide us with directly, e.g., through the various forms for requesting information or which we collect from third parties (such as the business where you make your purchase or credit reporting agencies), we will also process other data that we may have about you from our internal sources, such as:

  • Personal data we obtain derived from the relationship we have with you for the provision of the Services.
  • Personal data we obtain as a result of your interaction through our website/app.
  • Inferred data that we deduce and/or obtain from data that you have previously provided us with (e.g., when we create profiles).
  • As Zinia and Openbank are in fact the same data controller, personal data relating to you that we may have obtained as part of a contractual relationship between you and Openbank, in addition to the provision of the Services under the Zinia trademark.

4. Data processing activities we carry out

Data processing activity

Purpose of the data processing activity. What we do and why

Categories of personal data processed

Legal basis for the data processing activity

Termination of data processing purposes

1

User/Customer registration management

Manage customer interaction in accordance with the terms and conditions of the Service, including registration and communication of relevant information.

Contact and identification data.

Economic, financial and insurance data.

Data on goods and services transactions.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When your relationship with Openbank terminates.
2

Conducting a risk analysis on fraud prevention

See Section 5 for further information.

Analysis of potentially fraudulent activities as part of your request for our Buy Now, Pay Later service (or similar) and your relationship with us in order to prevent registration requests that could be fraudulent (automated decisions).

Contact and identification data.

Data related to your personal characteristics.

External sources:

Profile information and other data from social platforms and publicly available sources.

Legitimate interest of Openbank in preventing fraudulent activities and protecting existing customers and its business, as per Article 6.1(f) GDPR.

When the fraud assessment is performed.
3

Cross-referencing your data with those of Infoscore Consumer Data GmbH to verify your identity and billing and shipping address

See section 5 for further information.

We will send your name and billing and shipping address to Infoscore Consumer Data GmbH in order to cross-reference them with the data included in its credit register and prevent and detect fraud by identifying possible inconsistencies.

Contact and identification data.

External sources:

Infoscore Consumer Data GmbH

Legitimate interest of Openbank in preventing fraudulent activities and protecting existing customers and its business, as per Article 6.1(f) GDPR.

When the cross-referencing to detect fraud is carried out.

4

Disclosure of data to third parties for fraud prevention purposes

We will transfer your data to Emailage Ltd., to detect and prevent potential fraud attempts and to comply with the procedures, rights and guarantees that the current legislation establishes and recognises at all times. Emailage also acts as a data controller when processing your personal data and will use it for the purposes established in its privacy policy. You can exercise your rights regarding data protection against Emailage at DPO@lexisnexisrisk.com.

Contact and identification data.

Economic, financial and insurance data.

Legitimate interest of Openbank in preventing fraudulent activities and protecting existing customers and its business, as per Article 6.1(f) GDPR.

When data is transferred to the third party.
5

Disclosure of data to other entities within Banco Santander’s Group of Companies for marketing purposes

See Section 7 for further information.

Transfer Customer data to other companies within Banco Santander’s Group of Companies (as per the definition of Group of Companies set forth in Article 42 of the Spanish Code of Commerce, which can be consulted here), so that these companies can send you marketing about their products and services through various means (including electronic means).

Contact and identification data.

Economic, financial and insurance data.

Data on goods and services transactions.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When you withdraw your consent.
6

Exercising data protection rights and related inquiries

Handle, manage and resolve requests relating to customers, interested parties and other data controllers exercising their GDPR rights, as well as complaints submitted directly by the data subject to Openbank or through the corresponding supervisory authorities.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

Commercial data.

As per Article 6.1(c) of GDPR, legal obligation of Openbank, as data controller, to comply with obligations set forth in Article 15-22 of GDPR.

When the request to exercise rights has been duly processed.

7

Debt collection

Managing the collection of Customer’s debts with Openbank.

Contact and identification data.

Economic, financial and insurance data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When you pay the debt you have with Openbank.
8

Selling debt portfolio

See Section 9 for further information.

Selling the debt portfolio of Openbank Customers to third-party companies in order to obtain a benefit from debt defaults.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

Legitimate interest of Openbank in managing the debt portfolio of Customers and selling it to third parties in order to obtain a financial benefit as per Article 6.1(f) GDPR.

When we transfer the outstanding debt to third-party companies.
9

Financial data processing

Maintain accounting and administrative procedures as required by accounting laws and to comply with the applicable law. Creation of reports and/or communication of personal data to the different supervisory bodies (Bank of Spain). Filing and accounting in accordance with accounting legislation.

Contact and identification data.

Economic, financial and insurance data.

As per Article 6.1(c) of GDPR, legal obligation of Openbank to keep accounting and administrative records and to comply with reporting obligations with the corresponding financial and anti-money laundering supervisory authorities, as per Spanish Law 44/2002 of the Financial System and Spanish Law 10/2010 on the prevention of money laundering and terrorism financing.

When your relationship with Openbank terminates.
10

Transfer of data from the business where you purchase products to Openbank

See Section 6 for further information.

The business’s right to charge you for your purchase is transferred to Openbank (sale of the invoice).

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When the purchase takes place.

11

Email validation

Data processing to confirm the email address provided by the Customer, check the data provided are correct and to ensure the quality of said data.

Contact and identification data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When the validation is concluded.
12

Sending of communications for fraud prevention purposes

During the contract formalisation process and after you have completed the process and have become an Openbank Customer, we will send you communications in order to verify your identity or to prevent fraudulent attempts or detected fraudulent activities.

Contact and identification data.

Data relating to personal characteristics.

Economic, financial and insurance data.

Legitimate interest of Openbank in preventing fraudulent activities and protecting existing Customers and its business, as per Article 6.1(f) GDPR.

When your relationship with Openbank terminates.
13

Sending of marketing

See Section 7 for further information.

Sending of marketing based on customer segmentation.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When you withdraw your consent.

14

Customer satisfaction surveys and market research

Calls to Customers to conduct satisfaction and other surveys, market research and internal statistics to prepare commercial reports to better understand the consumption habits of our Customers; thereby allowing us to internally assess the design, creation and improvement of new products that may be of interest to our Customers or to reach commercial agreements with third parties.

Contact and identification data.

Economic, financial and insurance data.

Unique ID.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When you withdraw your consent.
15

Ensure network and service information security

Ensure the security of Openbank’s network and information. The processing is necessary to achieve the specific purpose. The legitimate interest takes precedence over a Customer’s right to oppose it.

Contact and identification data.

Economic, financial and insurance data.

Unique ID.

Legitimate interest of Openbank in protecting its network and information security system in order to safeguard its business and services, as per Article 6.1(f) GDPR.

When your relationship with Openbank terminates.
16

Processing of vulnerable Customer data

Only if you have asked us to do so and based on your prior informed consent, we will process data relating to your disability or situation of vulnerability in order to provide you with the Service adapted to your personal needs and circumstances. For example, if you have a hearing or visual impairment, we can arrange for special assistance if so required.

Contact and identification data.

Special categories of personal data.

Economic, financial and insurance data.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When your relationship with Openbank terminates or when you withdraw your consent.
17

Personal data anonymisation

Anonymisation of your personal data in order to enhance our services and products and to analyse consumer behaviour, create statistics and reports for market analysis or the analysis of payment tendencies or volumes in certain regions or industries and for the development and testing of products. The purpose of the foregoing is to enhance our risk and credit models and to design our Services (if possible, we will first anonymise the data prior to carrying out such activities to ensure that no personal data will be subsequently processed).

Contact and identification data.

Economic, financial and insurance data.

Commercial data.

Data on the goods and services purchased.

Data relating to your personal characteristics.

Data relating to employment.

Unique ID.

Legitimate interest of Openbank in using Customers’ anonymised data to improve our products and the provision of Services to Customers, as per Article 6.1(f) GDPR.

When your relationship with Openbank terminates.

18

Profiling activities with internal data to understand which Openbank products and services could be of interest to you in order to, at a later stage, offer you such products and send you marketing about them.

See Section 7 for further information.

Analysis and profiling related to your economic and personal characteristics, based solely on the consultation of information from internal sources, in order to determine which of our own products and services best suit you and/or your interests.

Contact and identification data.

Economic, financial and insurance data.

Commercial data.

Data on the goods and services purchased.

Data relating to your personal characteristics.

Data relating to employment.

Unique ID.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When your relationship with Openbank terminates or when you withdraw your consent.

19

Profiling with internal data to decide which type of marketing of third-party products we offer

See Section 7 for further information.

Analysis and profiling related to your economic and personal characteristics, based on the consultation of information from internal sources, in order to determine which third-party products and services best suit you.

Contact and identification data.

Economic, financial and insurance data.

Commercial data.

Data on the goods and services purchased.

Data relating to your personal characteristics.

Data relating to employment.

Unique ID.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When your relationship with Openbank terminates or when you withdraw your consent.
20

Profiling with internal and external data for admission-related scoring on Openbank's own initiative.

On Openbank’s own initiative, profiling interested people with information obtained from both internal and external sources to analyse the Customer’s admission.

Contact and identification data.

Economic, financial and insurance data.

Commercial data.

Data on the goods and services purchased.

Data related to your personal characteristics.

Data relating to employment.

Unique ID.

External sources:

CRIF’s databases

SCHUFA’s databases

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When your relationship with Openbank terminates or when you withdraw your consent.
21

Profiling with internal and external data for creditworthiness analysis and fraud scoring

See Section 5 for further information.

Profiling interested people with information obtained from both internal and external sources in order to conduct a creditworthiness analysis of the Customer and to prevent possible fraud.

Contact and identification data.

Data relating to your personal characteristics.

Economic, financial and insurance data.

Commercial data.

Data relating to employment.

Data relating to goods and services transactions.

Unique ID.

External sources:

CRIF’s databases

SCHUFA’s databases

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When your relationship with Openbank terminates or when you withdraw your consent.
22

Legal, administrative and judicial complaints

To handle the complaints of different parties according to the Service provided.

Contact and identification data.

Economic, financial and insurance data.

Legal obligation, as per 6.1(c) of GDPR.

When the complaint has been handled.
23

Customer phone service

Answer calls made to customer services, managing and resolving all inquiries made.

Contact and identification data.

Economic, financial and insurance data.

Unique ID.

Commercial data.

Legal obligation as per Article 6.1 (c) of GDPR in connection with legal obligations set forth in Spanish Law 44/2002 of the Financial System and Order ECO/734/2004 of 11 March, regulating customer services in financial institutions.

When the call has been handled.
24

Legal/contractual communications

Sending communications to Customers in order to provide accurate and updated information regarding their relationship, such as amendments to the Terms and Conditions or the Privacy Policy, account closing, refund, payment letters.

Contact and identification data.

Economic, financial and insurance data.

Adequate execution and performance of the Services, as per article 6.1(b) GDPR. Legal obligation to keep our Customers updated on any changes in the T&Cs governing the Services relating to this Privacy Policy, as per Article 6.1 (c) GDPR.

When your relationship with Openbank terminates.
25

Customer registration approval through creditworthiness analysis (automated decision)

See Sections 6 and 9 for further information.

Analysis of the creditworthiness of the potential customer based on fully automated decisions in order to approve the purchase of the invoice.

Contact and identification data.

Economic, financial and insurance data.

External sources:

CRIF’s databases

SCHUFA’s databases

Infoscore Consumer Data GmbH database

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

Legitimate interest of Openbank in assessing the solvency of potential customers with a view to approving the Service, as per article 6.1(f) GDPR.

When your relationship with Openbank terminates.
26

Debt payment

Payment of debt by the Customer.

Contact and identification data.

Economic, financial and insurance data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When you pay off the debt.
27

Call recording

Recording and safekeeping of telephone calls and communication registers through different means provided for this purpose.

Contact and identification data.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When you withdraw your consent.
28

Quality and service metrics

Conducting quality metrics to better understand the quality level reached during the provision of the Services and, thus, being able to internally assess quality standards and improvements to be made.

Contact and identification data.

Economic, financial and insurance data.

Unique ID.

Commercial data.

Legitimate interest of Openbank in measuring its quality standards to improve products and the provision of Services to Customers, as per Article 6.1(f) GDPR.

When your relationship with Openbank terminates.
29

Complaints related to the product acquired

Management of complaints from Customers relating to the product acquired, as well as coordinating complaints with the business where you made your purchase.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

Legal obligation to handle and manage complaints received from Customers, as per Article 6.1(c) GDPR.

When the complaint has been handled.
30

Sending of marketing based on data obtained from external sources

See Section 7 for further information.

Sending marketing based on data obtained from external sources.

Contact and identification data.

Economic, financial and insurance data.

External sources:

CRIF’s databases

SCHUFA’s databases

OpenStreetMap provides us with information relating to geographic data, such as street maps.

Here.com provides us with information relating to your address: https://www.here.com/here-statement-gdpr

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When you withdraw your consent.
31

Sending of marketing relating to third-party products based on data obtained from external sources

See Section 7 for further information.

Sending marketing relating to third-party products based on data obtained from external sources.

Contact and identification data.

Economic, financial and insurance data.

External sources:

CRIF’s databases

SCHUFA’s databases

OpenStreetMap provides us with information relating to geographic data, such as street maps.

Here.com provides us with information relating to your address: https://www.here.com/here-statement-gdpr

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When you withdraw your consent.

32

External audit

Verification of compliance with the regulations in the context of external audits. Processing of Customer data for audit samples.

Contact and identification data.

Economic, financial and insurance data.

Legal obligation, as per article 6.1(c) GDPR.

When the external audit has ended.

33

Internal audit

Verification of compliance with regulations and internal policies of Openbank. Conducting the verification may require testing that involves access to Customer databases.

Contact and identification data.

Economic, financial and insurance data.

As per Article 6.1(f) GDPR, our legitimate interest in verifying the suitability and adequacy of our processes in order to comply with legal obligations and internal quality standards for the identification, control and mitigation of legal or operational risks. Bear in mind that this information may be accessed by third-party companies that provide the auditing service for such purpose.

When the control or the compliance audit terminates.

34

Respond to your requests on social media and social media analytics

When you use our social media, we will process your data to respond to your requests and to analyse your interactions with Zinia.

Contact and identification data.

Unique ID.

Our legitimate interest in properly handling the requests you send us on social media, as well as in offering the Services in a simple and efficient manner and adapting our products in a way that meets your needs and expectations, as per Article 6.1(f) GDPR.

When the request you make to Openbank is resolved.

35

Sweepstakes and competitions

Collection of data from competitions, raffles and cultural offers, among others, in order to carry out commercial actions.

Contact and identification data.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When the competition has ended.

36

Identity validation

Data processing to confirm your identity and check whether the data that you have provided us are correct, as well as to prevent criminal activities. Checking and verifying the Customer’s identity.

Contact and identification data.

Legal obligation, as per Article 6.1(c) GDPR. Article 5(d) GDPR, principle of accuracy.

When we validate your data.

37

Reporting information to credit information agencies

See Section 9 for further information

We will process your personal data to report information regarding the Services, as well as information regarding any breach, default or fraudulent conduct, to credit information agencies (i.e., SCHUFA and CRIF).

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

As per Article 6.1(f) GDPR, our legitimate interest in preventing non-payment that is detrimental to us and to adequately control it, and in accordance with the legitimate rights held by third-party financial institutions to be informed of any non-payment when processing new financing applications.

When the debt is satisfied.

38

Cookies

See Section 12 for further information

Storage of user browsing data for analysis or measurement, preferences, or personalisation, and behavioural advertising, as envisaged at https://www.zinia.com/en-de/cookie-policy.

Contact and identification data.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR.

When you withdraw your consent.

39

Click and collect

Request from the Customer, through the business’s website, to collect the purchase at its physical premises.

Contact and identification data.

Economic, financial and insurance data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When the purchase is collected.

40

Point of sale

Request from the Customer to formalise the purchase at the business’s physical premises.

Contact and identification data.

Economic, financial and insurance data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When the purchase is collected.

41

Prevent money laundering or terrorist financing (including automated decision-making)

Carry out a verification of the information provided and prevent criminal activities.

Verify that the end-user of the Service, or the individual acting as the legal representative or proxy of a business, is a publicly or politically exposed person and, if so, apply enhanced measures of due diligence in the business relationships or operations that we carry out with you.

Contact and identification data.

External sources:

Information from external sanction lists and PEPs lists.

Legal obligation, as per Article 6.1(c) of the GDPR.

Law 10/2010, on the Prevention of Money Laundering and Terrorist Financing and Royal Decree 304/2014 of May 5, approving the Regulations of Law 10/2010.

When the contract between you and Openbank terminates or, in the case of proxies and legal representatives, when you stop representing them.
42

Processing details of proxies or representatives of legal entities or related to self-employed professionals

If you are self-employed or represent a business that is interested in collaborating with us, we will process your contact details, as well as those relating to the position you hold, and, in general, the data necessary to contact you. Under no circumstance will we use the personal data we hold to establish a relationship with you at an individual level.

Contact and identification data.

Adequate execution and performance of the agreement with the business we collaborate with, as per Article 6.1(f) GDPR.

When the contract between the business and Openbank terminates or when you stop acting as a representative of the company.

In addition to the information provided in the table above, relating to all the data processing activities we carry out, a more detailed explanation is provided below of some of the processing activities we consider particularly relevant, including, where applicable, information about external data sources, the logic involved in automated data-processing activities and the potential consequences of such processing.

5. Fraud prevention

We have the obligation and aim to avoid fraud and to protect you and all our other customers against possible fraudulent actions.

  • Approval of the application to use the service (automated decision)

To this end, when you request the Service, we will use automated decision-making that significantly affects you. Therefore, profiling is carried out based on the automated processing of your data to evaluate the information provided during your application in order to make a decision on whether or not to purchase your invoice, or to assess whether your use of our Services involves a risk of fraud. We profile your user behaviour through specialised fraud-prevention tools and compare the data on behaviour and conditions with our internally established risk criteria.

The consequence of these automated decisions for you is that, based on the analysis carried out, we will decide if we are able to preliminarily approve your application to use the Service. We use the data you provide, as well as data from external sources and Openbank’s own internal information, which includes information we have about you, including data on your previous use of our Services and on the device you use to request it.

We decide whether or not you pose a risk of fraud in the event that our processing shows that your behaviour indicates possible fraudulent conduct, that your behaviour is not consistent with your previous use of our Services, or that you have attempted to conceal your true identity. Automated decisions, whereby we assess whether or not you constitute a fraud risk, are based on information you have provided, data from fraud prevention tools and service providers that we use and collaborate with, as well as Openbank’s own internal information.

The personal data categories used in each decision are set out in Section 4. Please note that if before carrying out the transaction, you already have a relationship with Openbank, as Zinia and Openbank are in fact the same data controller, we will also process, for the purposes established in this section, the personal data relating to you that we have obtained through said relationship. See Section 9 for more information about who we share information with as regards profiling during automated decision-making.

If you are not approved in the automated decision-making process mentioned in this section, you will not have access to the Service. We have several control mechanisms in place to ensure that our automated decision-making is appropriate. These mechanisms include ongoing testing and reviewing of our decision models and detailed documentation of rejected applications and the reasoning behind them. If you have any concern about the outcome, you can contact us, and one of our analysts will intervene to determine whether or not the procedure was performed appropriately. You can also object in accordance with the following instructions:

Under data protection legislation, you have the right to object to any automated decision with legal consequences or decisions that can otherwise significantly affect you. In this case, you can do so by sending an email to datenschutz.de@zinia.com. Upon receiving your request, we will proceed to review the decision made, taking into account any additional information and circumstances that you may provide.

  • Verification of identity and shipping and billing address (automated decision)

In line with our goal of protecting you and the rest of our customers from possible fraudulent and criminal behavior - such as identity theft - when you request the Service, we will cross-reference some of the data you have provided to us (in particular, your name and shipping and billing address) with Infoscore Consumer Data GmbH (hereinafter, “ICD”), who will process them as data controller, complying with and respecting the procedures, rights and guarantees established at all times and recognised by the legislation in force.

This processing will be carried out with the sole purpose of detecting and preventing fraud attempts. To this end, ICD will analyse the suitability of the claimed identity, the accuracy and appropriateness of the address you provide, and the characteristics of the area.

ICD will process the data in line with its privacy policy. You can exercise your data protection rights against ICD here.

The logic applicable to this processing is as follows: we will cross-reference your data with those included in the ICD Credit Register in order to detect possible inconsistencies between the name and shipping and billing address that you have indicated during your purchase process and the data under the responsibility of ICD. With the information obtained in the framework of the above cross-referencing activity, we may deny your Service request.

Furthermore, since this processing is carried out based on an automated decision, you have the right to request an explanation about the decision made, to exercise your right not to be the subject of exclusively automated decisions, requesting the intervention of one of our analysts, to express your point of view on the decision made and to challenge it. To do so, you can provide the additional documentation that you consider necessary.

The legitimate basis for this data processing is our legitimate interest in preventing fraud (Recital 47 GDPR) and preventing harm to our customers. This processing is not opposable because there are compelling reasons for this purpose.

6. Transfer of data from the business where you make the purchase to Openbank and Customer registration approval through creditworthiness analysis (automated decision)

When you request the Service, the business where you are making a purchase will disclose to us certain personal data relating to you, so as to transfer to Openbank its right to charge you for your purchase.

We need to process personal data (i) received from the business, (ii) provided directly by you and (iii) collected by Openbank from external sources (third parties such as Infoscore Consumer Data GmbH and other credit reference agencies), in order to analyse and manage the approval of the sale of the invoice and – if the invoice purchase finally takes place – to comply with the derived obligations and to maintain the relationship with you.

To that end, we will assess your solvency in order to predict if you can afford the payment of the goods purchased and to prevent a possible default on the debt with the aim of avoiding situations that may be detrimental to both Openbank and you.

The sources from which we obtain the data, as well as the specific categories of personal data that we collect from such sources, are set out in Section 4. Please note that if before carrying out the transaction you already have a relationship with Openbank, as Zinia and Openbank are in fact the same data controller, we will also process for the purposes established in this section the personal data relating to you that we have obtained through said relationship.

The logic behind the analysis we carry out to approve the purchase of the invoice is based on the analysis of the information that you have provided us, such as your purchase history and payments, together with the external sources listed in Section 4 that provide us with information relating to your identity and financial situation, or their own creditworthiness scoring. The aforementioned data and the analytical properties of our risk models enable us to automatically infer if you would be able to afford the payment of the product, which consequently allows us to approve or reject your request, based on the probability of you failing to meet your payment obligation.

You are entitled to ask for an explanation about the decision made, to exercise your right to not be subject to exclusively automated decisions – by requesting the intervention of one of our analysts –, to express your point of view regarding the decision made on the basis of the profiling and to challenge it.

7. Commercial and marketing communications

As part of the aforementioned data processing activities, we will process your personal data for marketing purposes. The scope and purpose of such data processing activities, as well as the legal basis for them and the categories of personal data processed, are set out below in greater detail:

  • Sending marketing about our own products and services

Provided that you have given us your prior express consent to perform this data processing activity, Openbank may send you personalised marketing about its own products and services, for as long as our relationship continues. This marketing may be made by automated and non-automated means (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into consideration the analysis of your Customer commercial profile.

This profile will be generated from the analysis of your behavioural and risk patterns, other internal sources, such as payment details, as well as from information obtained from external sources.

The sources from which we obtain the data, as well as the specific categories of personal data that we collect from such sources, are established in Section 4. Please note that if before carrying out the transaction you already have a relationship with Openbank, as Zinia and Openbank are in fact the same data controller, we will also process, for the purposes described in this section, the personal data relating to you that we have obtained through said relationship.

The legal basis of this data processing activity is having obtained your prior informed consent. The objective we pursue with the creation of these profiles is to be able to carry out an analysis of your economic and personal characteristics, in order to determine which products marketed by this bank best suit you based on two variables: your predisposition to acquire the product and probability of approving the transaction.

The creation of the profile will be the result of an automated decision, in which the following logic will be applied: we will process the information you provide in order to determine your payment behaviour, the customer segment or segments to which you belong – according to our internal classification criteria – and the periodic fulfilment of your obligations. This activity may lead us to decide not to offer you certain products or services, according to the risk that is estimated by the bank and the rating that results from the analysis of the information obtained.

In relation to this data processing activity, you can withdraw the consent provided to Openbank at any time through the channels referred to in Section 10 of this Privacy Policy.

It is important that you understand that this data processing activity is limited to the above-mentioned purpose, i.e., to offer you suggestions of Openbank products and services based on data obtained from internal and external sources.

  • Sending marketing about third-party products and services

Provided that you have given us your prior express consent to perform this data processing activity, Openbank may send you personalised marketing about the products and services of third parties. This marketing may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into account the analysis of your commercial profile.

We will send you marketing about products and services of third parties that undertake their business particularly, but not limited to, the following sectors: financial, insurance, leisure and tourism, entertainment, telecommunications, information society, retail, luxury, health, food, automotive, hospitality, department stores, energy, real estate and security services, among others.

This profile will be generated from the analysis of your behavioural and risk patterns. For instance, if the information we have about you shows that you enjoy tech products, we will send you marketing about products offered by companies in this sector. We also use other internal sources, such as payment details, as well as information obtained from external sources.

The sources from which we obtain the data, as well as the specific categories of personal data that we collect from such sources, are set out in Section 4. Please note that if before carrying out the transaction you already have a relationship with Openbank, as Zinia and Openbank are in fact the same data controller, we will also process, for the purposes described in this section, the personal data relating to you that we have obtained through said relationship.

The legal basis of this data processing activity is having obtained your prior informed consent. The objective we pursue with the creation of these profiles is to be able to carry out an analysis of your economic and personal characteristics, in order to determine which of the products marketed by those third-party companies best suit you based on two variables: your predisposition to acquire the product and probability of approving the transaction.

The creation of the profile will be the result of an automated decision, in which the following logic will be applied: we will process the information you provide in order to determine your payment behaviour, the customer segment or segments to which you belong – according to our internal classification criteria – and the periodic fulfilment of your obligations. This activity may lead us to decide not to offer you certain products or services, according to the risk that is estimated by the bank and the rating that results from the analysis of the information obtained.

In relation to this data processing activity, you can withdraw the consent provided to Openbank at any time through the channels referred to in Section 10 of this Privacy Policy.

It is important that you understand that this data processing activity is limited to the above-mentioned purpose, i.e., to offer you suggestions of third-party products and services.

  • Transfer of data to other Santander Group companies for sending marketing and promotional offers of their products and services

Provided that you have given us your prior express consent to perform this data processing activity, Openbank may share your personal data with other companies of the Santander Group in order to allow them to offer you their products and services that may be of interest to you.

The Santander Group companies we may share your personal data with are those within the Santander Group of companies, with the term ‘group of companies’ understood as provided for in Article 42 of the Spanish Code of Commerce. You can see which companies form part of the Santander Group of companies at any time here.

This marketing may be made by automated and non-automated means (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into consideration the analysis of your Customer profile, according to the information provided to these third parties.

This profile will be generated from the analysis of your behavioural and risk patterns, other internal sources, such as payment details, as well as from information obtained from external sources.

The sources from which we obtain the data, as well as the specific categories of personal data that we collect from such sources, are set out in Section 4. Please note that if before carrying out the transaction you already have a relationship with Openbank, as Zinia and Openbank are in fact the same data controller, we will also process, for the purposes established in this section, the personal data relating to you that we have obtained through said relationship.

In relation to this data processing activity, you can withdraw the consent provided to Openbank at any time through the channels referred to in Section 10 of this Privacy Policy.

It is important that you understand that this data processing activity is limited to the above-mentioned purpose which is disclosing your personal data to other Santander Group companies so that they can make suggestions to you regarding other Santander Group products and services.

8. How long do we keep your personal data for?

Openbank will keep your data for as long as required to undertake the purpose for which they were collected and, subsequently, they will be blocked for the corresponding retention period provided for by law or as per the statute of limitations. After these periods, where applicable, Openbank will destroy or completely anonymise the data.

The blocking of your data implies Openbank refraining from carrying out any processing of your data. However, your data will be retained for the purpose of making them available to the competent public administrations, judges, courts and tribunals or the Public Prosecutor's Office in relation to any liability that may arise from the contractual relationship held with you or relating to the processing of such data.

Furthermore, if you are a customer, we will process your data until your contractual relationship with Openbank terminates. After said termination, as a general rule, we will keep your personal data blocked. Please note that some actions provided for by consumer law, such as injunctions or actions for declaration of nullity, are not subject to any statute of limitations.

9. Who will your personal data be shared with?

  • Authorities: third parties to whom we are legally obliged to provide information, such as public bodies, tax authorities, courts and tribunals.
  • Service providers and subcontractors: we will collaborate with third-party service providers which may have access to your personal data, and process them on our behalf, as a consequence of the services they provide us. We follow strict criteria in selecting our service providers so as to comply with the corresponding data protection requirements and obligations, and we undertake to sign the corresponding data processing agreements with them, whereby we will impose on them, among others, the following obligations: to apply appropriate technical and organisational measures; to process the personal data for the agreed purposes and only in accordance with our documented instructions; and to delete or return to us the data once the provision of the services has been completed or terminated. In particular, we will outsource the provision of services by third-party service providers which are part of the following sectors, among others: logistic services, legal advice, private valuation services, supplier certification, multidisciplinary professional service companies, maintenance-related companies, technology service providers, IT service providers, instant messaging service providers, and call centre companies.
  • Fraud prevention service providers: we will share your data with Emailage Limited, a company we collaborate with to prevent fraud. Emailage also acts as a controller for the processing of your personal data and will use it for the purposes established in its privacy policy. You can exercise your data protection rights as regards Emailage by sending an email to: DPO@lexisnexisrisk.com.
  • Debt buyers: we may assign open debts to debt buyers, duly complying with the procedures, rights and guarantees established and recognised by the applicable regulations. The aforementioned assignment will entail disclosing the following categories of personal data relating to you to the debt buyer (acting as a separate data controller): contact and identification data; economic, financial and insurance data; data relating to goods and services transactions; and any data that we obtain from our contractual relationship with you. The legal ground for performing the mentioned disclosure is the legitimate interest of Openbank in managing its customer’s debt portfolio and selling it to third parties in order to obtain a financial benefit, as per Article 6.1(f) of the GDPR. The debt buyer will process your personal data in accordance with its own privacy notice. In any event, you will be informed of the specific debt buyer upon transfer of the debt.
  • In the event of non-payment, we will send the data to creditworthiness databases, complying with the procedures and guarantees established at all times and recognised by current legislation, namely:

SCHUFA: “Openbank shall transfer personal data – collected within the scope of this contractual relationship – regarding the application, development and termination of this business relationship, as well as information regarding any behaviour in breach of the contract or fraudulent conduct, to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. The permissibility of this data transfer is provided for in Article 6 Paragraph 1(b) and Article 6 Paragraph 1(f) of the General Data Protection Regulation (GDPR). Data may only be transferred on the basis of Article 6 Paragraph 1(f) of the GDPR if this is necessary to defend the legitimate interests of the bank/savings bank or third parties and does not outweigh the interests or fundamental rights and freedoms of the affected party requiring the protection of personal data. Data is also exchanged with SCHUFA to fulfil legal obligations concerning the performance of customer credit rating checks (Section 505(a) of the German Civil Code; Section 18(a) of the German Banking Act). In this regard, the customer also releases Openbank from banking secrecy. SCHUFA shall process the data it receives and also use them for profiling (scoring) purposes, in order to provide its contractual partners in the European Economic Area, Switzerland and any other third country (provided the European Commission has declared such country as appropriate) with information used for credit rating checks on natural persons and other purposes. More detailed information on SCHUFA’s activities can be found on the SCHUFA-Information in accordance with Art. 14 of the GDPR, and online at www.schufa.de/datenschutz.”

CRIF: “Within the framework of this contractual relationship, we transfer information regarding defaults to CRIF GmbH, Leopoldstraße 244, 80807 Munich, Germany. The legal basis for these transfers is set out in point (b) of Article 6 (1) and point (f) of Article 6 (1) General Data Protection Regulation (GDPR). CRIF GmbH processes the data received and also uses them for the purpose of creating profiles (scoring) to provide its contractual partners in the European Economic Area and Switzerland, and where applicable, third countries (where an adequacy decision of the European Commission exists) with information, among other things, for assessing the creditworthiness of individuals. You may find more detailed information about the operations of CRIF GmbH online at www.crif.de/en/privacy.”

  • Providers that access or process your data outside the European Union. We may transfer your data internationally within the framework of some of the above-mentioned services offered by third-party providers. The purpose thereof will always be the maintenance and management of the relationship you have with us or the prevention of fraudulent actions or transactions. These transfers are made both to countries that offer an adequate level of protection, comparable to that of the European Union, and also to countries without such a level. In the latter case, we use several mechanisms established by applicable regulations to comply with all safeguards when dealing with your personal data, such as standard contractual clauses or certification mechanisms. You can obtain more information about any international data transfers we carry out by sending an email to datenschutz.de@zinia.com.

10. Your data protection rights

You are entitled to exercise the following rights at any time:

  • Right of access: you have the right to know whether or not Openbank processes personal data relating to you and, if so, to access such data.
  • Right to data portability: you have the right to receive a copy of the personal data you have provided us, in a readable, structured and commonly used format, and also to request its transfer to another institution.
  • Right to rectification: you have the right to request that inaccurate data be corrected.
  • Right to erasure: you have the right to request erasure of your data when, among other things, they are no longer necessary for the purpose for which they were provided.
  • Right to object: under certain circumstances, you can object to the processing of your personal data. If you object, Openbank will stop processing the data, except where there are compelling legitimate reasons for doing so, or for the exercising or challenging of possible claims.
  • Right to restriction of processing: under certain circumstances laid down in the applicable data protection legislation, you can request that the processing of your data be restricted.
  • Right to withdraw your consent: you are entitled, at any time and without providing specific reasons, to withdraw the consent you previously and specifically provided. The withdrawal of the consent will not affect the lawfulness of the data processing activities carried out based on that consent prior to its withdrawal.
  • The right not to be subject to exclusively automated decisions: in the event that you have consented to the profiling and that this is done through an exclusively automated process, you can request the intervention of one of our analysts, express your point of view and challenge the decisions made on the basis of said profiling.

You can exercise the rights established above through the following channels:

  • Email address: datenschutz.de@zinia.com
  • Postal address: Privacy, Open Bank, S.A., Plaza de Santa Bárbara 2, 28004 Madrid, Spain.
  • Location: Plaza de Santa Bárbara 2, 28004 Madrid, Spain.
  • Contact centre: 0800 0292 008

Finally, you can submit a claim to Openbank and/or the German Data Protection Authority (the supervisory authority competent in the field of data protection), particularly if you have not been satisfied with the process of exercising your rights, by writing to the above-mentioned address or via the website www.bfdi.bund.de. If you live in an EU member state, other than Germany, you can also directly contact your national data protection supervisory authority.

11. Keeping your data up to date

To enable us to communicate with you, please ensure that all the information you provide for our databases is true, complete, accurate and completely up to date.

If the personal information you have provided us, particularly your postal address, email address and telephone number (landline and mobile), has changed, we kindly ask you to immediately inform us through any of the channels referred to in Section 10.

In the event that you do not notify us of such changes, you acknowledge and agree that all communications sent by us to the postal address or email address or to the contact telephone numbers that feature in our filing systems, are valid, binding and in full force and effect.

12. Use of Cookies

At Openbank, we use cookies, among others, to remember who you are when you access your private area or to customise content that may be of interest to you based on your browsing habits.

When you access the Zinia website, we will inform you about the cookies we use, and you can configure the analysis, advertising and personalisation cookies used when browsing the Zinia website. You can read our Cookie Policy for more information.

13. Amendments to the Privacy Policy

We are committed to keeping this Privacy Policy updated to reflect any new developments that occur in relation to the scope of the processing of your personal data. As such, it is important that you take the time to read and understand this Policy. We will notify you of any amendments made to this Privacy Policy by email.

In the event of any dispute regarding or discrepancy between the German and the English version of this Privacy Policy, the German version shall take precedence.

You can download our Privacy Policy here.