Privacy Policy

Zinia BNPL and Zinia Privatkredit Privacy Policy

1. Introduction

This privacy policy (hereinafter referred to as the “Privacy Policy” or “Policy”) governs the processing of your personal data by Open Bank, S.A., operating under the trademark Zinia (hereinafter also referred to as “Openbank” or “we”), in relation to the use of the Buy Now, Pay Later (BNPL) service or Zinia Privatkredit (hereinafter, the “Service” or “Services”).

This Privacy Policy contains information about the personal data we process, how the data are obtained, the purposes for which the data are used, the legal basis for their processing, the corresponding data recipients, the data retention period and your personal data rights in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, the “General Data Protection Regulation” or “GDPR”).

Please take your time to read and properly understand the content of this Privacy Policy. If you have any queries, please contact our Data Protection Officer, whose contact details can be found below.

2. Who is the data controller?

The data controller for the processing of your personal data, pursuant to Article 4 (7) of the GDPR, is:

Open Bank, S.A.

Plaza de Santa Bárbara 2

28004 Madrid

Spain

If you would like to contact our data protection officer regarding the processing of your personal data, you can write to the above address or send an email to: datenschutz.de@zinia.com.

In relation to the Zinia BNPL Service, in some cases, which you will specifically be informed about by either the store or Openbank, both the store where you make your purchase and Openbank act as joint data controllers.

This means that the store and Openbank jointly determine the means and purposes of certain data processing. Whether we act as separate or joint controllers depends on the nature of the data processing and the setup of the store’s payment process. For further information, please contact us directly. In the event we act as joint data controllers, you are entitled to receive information about the essential aspects of the joint controllership agreement.

3. What personal data do we process and how do we obtain it?

We process the following categories of personal data, either provided directly by you through collection forms or received from third parties, e.g., the merchant where you make your purchase, credit bureaux, such as Schufa or CRIF, external aggregation-service providers or other external public sources.

The data we indicate in each of the forms as "mandatory" is necessary for the proper undertaking of your relationship with Openbank. If we do not receive this information, we will not be able to process your request or provide you with the Service.

Data processed regarding the BNPL and Personal Loan services:

We process the following categories of your personal data:

  • Contact and identification data: salutation, first name and surname, invoicing and shipping address, mobile phone number, email address and country of residence.
  • Economic, financial and insurance data: data related to payments and debt (e.g., bank account, bank name and branch), arrears, solvency, debt history, pending payment orders, credit agency scores, negative payment history and previous credit approvals.
  • Data on goods and services: data related to the products purchased, such as item number, model, price, tracking number, as well as purchase payments and your financial transactions.
  • Device data: IP address, language settings, browser settings, time zone, operating system, platform, screen resolution, battery, type of connection, log in through the different devices you use and other similar device settings.
  • Data about your personal characteristics: date of birth, age, sex and nationality.
  • Unique identifiers: data collected from cookie ID, device ID, device fingerprint, recorded calls and email correspondence.
  • Employment data: position and contact details of the contact persons acting as legal representatives of the stores we collaborate with.
  • Special categories of personal data: data that reveals information about health and information related to sanctions lists.
  • Data about politically exposed persons and sanction lists: sanctions and PEP lists containing information such as name, date of birth, place of birth, occupation or position, and the reason why the person is included on the respective list.
  • Data on social circumstances: licenses, permits and authorisations; club and association membership; as well as hobbies and lifestyle, property, possessions, family situation and housing situation.
  • Academic and professional data: training, qualifications, student record, professional experience and membership of professional associations.
  • Commercial data: activities, business, commercial licenses, publication subscriptions, and artistic, literary or scientific works.
  • Data on your financial situation: income, number of children in the household, number of children for whom child benefits are paid, monthly living costs, income tax liability in Germany, tax identification number (in the case of German residents), IBAN, profession, professional sector, years spent in the profession and employer/company name.

In addition to those listed above, we will also process other data regarding you that we may obtain from our internal sources. These data may include:

  • Personal data that we may obtain or have already obtained as a result of our contractual relationship with you.
  • Personal data we obtain as a result of your use of our website/app.
  • Inferred data that we deduce and/or obtain from data that you have previously provided us with (e.g., when we create profiles).

Additional information regarding the BNPL services:

When you request use of the BNPL service, the store where you make the purchase will share with us certain personal data relating to you.

As previously explained, the store and Openbank may act as separate or joint data controllers, depending on the data processing required. For further information, please contact us through the means mentioned in Section 2.

4. Data processing activities we carry out

4.1. Table of data processing activities

Data processing activity

Purpose of the data processing activity: what we do and why

Categories of personal data processed

Legal basis for the data processing activity

1

User/Customer registration and management

Processing personal data for the purpose of contract initiation, execution and termination. This includes processing the data to check whether we can offer the Services, as described in the following sections, as well as to communicate with data subjects and update their personal data (customer master data) in the event of changes.

As regards BNPL services, the request of the merchant you purchased from is assigned to Openbank. In such case, we have to process the data to fulfil the contract with you (purchase on account).

Furthermore, as regards the BNPL service, if you purchase or engage a product or service in a physical store, the store representative may be able to help you with the application.

Contact and identification data.

Economic, financial and insurance data.

Data on goods and services.

Execution and performance of the Services, as per Article 6.1(b) GDPR.

2

Fraud prevention measures and services, including the cross-checking of data to verify identity, and delivery and invoicing addresses

See Section 4.2. for further information.

Analysing potentially fraudulent activities as part of your request for our Services and your relationship with us in order to prevent potentially fraudulent registration requests. This includes the transfer of your data to fraud prevention services and the processing of your data for the purposes of fraud prevention.

Contact and identification data

Data related to your personal characteristics

Device data

Unique identifiers

Employment data

Data on goods and services transactions

External sources:

LexisNexis Risk Solutions Europe Limited

Infoscore Consumer Data GmbH

Stores where the purchase has been made.

Legitimate interest of Openbank in preventing fraudulent activities and protecting our customers pursuant to Article 6.1(f) GDPR; and contractual execution pursuant to Article 6.1.(b) and Article 22 GDPR.

3

Account information service

See the following sections for further information.

Account aggregation for the verification of the identity of the account holder of the aggregated account, in order to carry out the transaction.

Contact and identification data.

Economic, financial and insurance data.

External sources:

Tink AB

Tink, as a separate controller, will process your data on the basis of consent in accordance with Art. 6 (1) a GDPR; and we will process the data based on the contractual execution pursuant to Art. 6 (1) b GDPR.

4

Exchange of data with other companies within the Santander Group to prevent money laundering and financial crime.

Exchanging data with other companies within the Santander Group for the purpose of complying with their internal regulations to prevent financial crime, complying with the obligation to prevent money laundering and reporting to the supervisory authorities.

Contact and identification data.

Economic, financial and insurance data.

External sources:

Companies within the Santander Group

Our various legal obligations to process your personal data under Article 6.1 (c) GDPR.

5

Safeguarding data protection rights and related inquiries

Processing, managing and resolving requests from data subjects to exercise their rights under the GDPR, including requests from supervisory authorities.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions relating to BNPL services.

Commercial data.

As per Article 6.1(c) GDPR, legal obligation of Openbank, as data controller, to comply with obligations set out in Article 15-22 of GDPR.

6

Payments and debt collection

Managing the collection of customer payments and debts with Openbank. This includes the payment of the outstanding amount by the customer, depending on the selected payment method (transfer, card payment, etc.) and all the communications and reminders regarding the pending amounts.

Contact and identification data.

Economic, financial and insurance data.

External source:

Payment services providers

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

7

Selling debt portfolios to other institutions or using their services for debt collection

See Section 10 for further information.

Selling the debt portfolio of Openbank customers to third-party companies; or using their services to collect debt in the cases in which they are considered as separate controllers.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions relating to BNPL services.

Legitimate interest of Openbank in managing the debt portfolio of customers and selling it to third parties in order to obtain a financial benefit as per Article 6.1(f) GDPR.

8

Financial data processing

Maintaining accounting and undertaking administrative procedures as required by accounting laws and complying with the applicable laws. Creating reports and/or sharing personal data with the different supervisory bodies (e.g. the Bank of Spain). Filing and accounting in accordance with accounting legislation.

Contact and identification data.

Economic, financial and insurance data.

As per Article 6.1(c) of GDPR, legal obligation of Openbank to keep accounting and administrative records and to comply with reporting obligations with the corresponding financial and anti-money laundering supervisory authorities.

9

Information validation

Data processing to confirm and validate the information of the customer, such as their email address or phone validation by an OTP with the aim of checking that the information provided is correct and accurate.

Contact and identification data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

10

Sending of communications for fraud-prevention purposes

During the contract formalisation process and after you have completed the process and have become an Openbank Customer, we will send you communications in order to verify your identity or to prevent fraudulent attempts or detected fraudulent activities.

Contact and identification data.

Data relating to personal characteristics.

Economic, financial and insurance data.

Legitimate interest of Openbank in preventing fraudulent activities and protecting our customers pursuant to Article 6.1(f) GDPR.

11

Ensure network and service information security

Ensuring the security of Openbank’s network and information.

Contact and identification data.

Economic, financial and insurance data.

Unique identifiers.

Legitimate interest of Openbank in protecting its network and information security system in order to safeguard its business and services, as per Article 6.1(f) GDPR.

12

Processing of vulnerable customer data

Processing data relating to your disability or situation of vulnerability - only in the event you have asked and given us your prior informed consent to do so, for the purpose of providing you with the Service adapted to your personal needs and circumstances. For example, if you have a hearing or visual impairment, we can arrange for special assistance if so required.

Contact and identification data.

Special categories of personal data.

Economic, financial and insurance data.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR, which you may withdraw at any time.

13

Personal data pseudonymisation and anonymisation

Pseudonymisation and anonymisation of your personal data.

We will use that pseudonymised or anonymised data to: (i) enhance our services and products; (ii) analyse consumer behaviour; (iii) create statistics and reports for market analysis or the analysis of payment tendencies or volumes in certain regions or industries and for the development and testing of products; (iv) create and enhance our risk, fraud, commercial and credit models; and (v) design our services.

Contact and identification data.

Economic, financial and insurance data.

Commercial data.

Data on the goods and services purchased in the context of the BNPL services.

Data relating to your personal characteristics.

Data relating to employment.

Unique identifiers.

External sources:

CRIF’s databases.

SCHUFA’s databases.

LexisNexis Risk Solutions Europe Limited.

Tink AB.

Store where the customer has made a purchase.

Legitimate interest of Openbank in using customers’ anonymised data to improve our products and the provision of Services to customers, as per Article 6.1(f) GDPR.

14

Processing for the creation and enhancement of our own risk, fraud, commercial and credit models

We will use your data solely for the preparation of model training, ensuring that such training is carried out only with pseudonymised and anonymised data. We will apply at all times the GDPR principle of data minimisation and use only the data strictly necessary for the preparation of the model.

Contact and identification data

Economic, financial and insurance data

Data about your personal characteristics

Data on goods and services

Data on your financial situation

Device data

External sources:

CRIF’s databases

SCHUFA’s databases

LexisNexis Risk Solutions Europe Limited

Tink AB

Store where the customer has made a purchase.

Legitimate interest of Openbank in using customers’ data to create models and improve the contractual process for our customers, as per Article 6.1 (f) GDPR.

15

Profiling with internal and external data to decide which type of Openbank marketing, third-party products or Santander Group company products we offer

See Section 4.7. for further information.

Analysing and profiling data relating to your economic and personal characteristics, based on the consultation of information from internal sources, in order to determine which Openbank, Santander Group and third-party products and services best suit you.

Contact and identification data.

Economic, financial and insurance data.

Commercial data.

Data on the goods and services purchased in the context of the BNPL services.

Data relating to your personal characteristics.

Data relating to employment.

Unique identifiers.

External sources:

CRIF’s databases

SCHUFA’s databases

Third-party companies to which you have given your consent to transfer your data to Openbank or which otherwise legally transfer your data to Openbank.

Your prior informed consent pursuant to Article 6.1(a) GDPR.

16

Profiling with internal and external data to analyse customer approvals on Openbank's own initiative.

See Section 4.3. for further information.

Profiling data subjects with information obtained from both internal and external sources to analyse customer approvals.

Contact and identification data.

Economic, financial and insurance data.

Commercial data.

Data on the goods and services purchased relating to BNPL services.

Data related to your personal characteristics.

Data relating to employment.

Unique identifiers.

External sources:

CRIF’s databases

SCHUFA’s databases

Infoscore Consumer Data GmbH

Your prior informed consent pursuant to Article 6.1(a) GDPR.

17

Profiling and automated decision-making for creditworthiness analysis and decision on your application

See Sections 4.3. to 4.6. for further information.

Profiling and automated decision-making on your service request based on information from both internal and external sources in order to analyse creditworthiness and decide whether or not to accept you as a potential customer.

Contact and identification data.

Data relative to the personal characteristics.

Economic, financial and insurance data.

Commercial data.

Data relating to employment.

Data on goods and services.

Unique identifiers.

Data on your financial situation.

Device data.

External sources:

CRIF’s databases

SCHUFA’s databases

LexisNexis Risk Solutions Europe Limited

Tink AB

Store where the customer has made a purchase

Contract execution pursuant to Article 6.1. (b) GDPR.

18

Legal, administrative and judicial complaints

Processing your data for the establishment, exercise or defence of legal claims. This includes responses to requests from the competent authorities and bodies (both judicial and extrajudicial), such as requests for information in the course of judicial investigations and the exercise of our own defence against claims, whether judicial or extrajudicial, initiated by Openbank or its customers.

Contact and identification data.

Economic, financial and insurance data.

We have a legitimate interest pursuant to Article 6.1 (f) GDPR, in effectively defending ourselves against legal claims of any kind brought against us and in pursuing our own legal claims.

We have a legal obligation to respond to requests from the competent authorities, pursuant to Article 6.1. (c) GDPR.

19

Customer service

Managing and resolving all inquiries made to Customer Services.

Contact and identification data.

Economic, financial and insurance data.

Unique ID.

Commercial data.

Legal obligation as per Article 6.1 (c) of GDPR.

20

Legal, contractual and informative communications

Sending communications to customers in order to provide accurate and updated information regarding their relationship, such as amendments to the Terms and Conditions or the Privacy Policy, account closing, refund, payment letters.

These communications can be made through different channels such as email, SMS, letter, etc. Openbank reserves the right to choose the most appropriate one for the purpose of the communications.

Contact and identification data.

Economic, financial and insurance data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR. Legal obligation to keep our customers updated on any changes in the T&Cs governing the Services relating to this Privacy Policy, as per Article 6.1 (c) GDPR.

21

IBAN storage

Openbank will store the IBAN obtained through the account aggregation service and through any transfers received from customers. This enables us to offer our customers a quick and convenient way to select the bank account from which the payments are to be debited during the payment process as part of the service.

Contact and identification data.

Economic, financial and insurance data (IBAN)

External sources:

Tink AB

Service payment provider

Legitimate interest of Openbank in offering the customer a quick and convenient way to select the bank account as payment method, which is also a convenience for the customer, as per Article 6.1(f) GDPR.

22

Data storage

Storing all data relating to the agreement with customers.

Contact and identification data.

Economic, financial and insurance data.

Legal obligation under Article 6.1.(c) GDPR; and contractual execution, pursuant to Article 6.1. (b) GDPR.

23

Call recording

Recording and safekeeping of phone calls.

Contact and identification data.

Unique identifiers.

Your prior informed consent pursuant to Article 6.1(a) GDPR.

24

Quality and service metrics

Conducting quality metrics to better understand the quality level reached during the provision of the Services and, thus, being able to internally assess quality standards and improvements to be made.

Contact and identification data.

Economic, financial and insurance data.

Unique identifiers.

Commercial data.

Legitimate interest of Openbank in measuring its quality standards to improve products and the provision of Services to Customers, as per Article 6.1(f) GDPR.

25

Sending of marketing related to Openbank, Santander Group and third-party products based on data obtained from internal and external sources

See Section 4.7. for further information.

Sending marketing based on data obtained from external sources.

Contact and identification data.

Economic, financial and insurance data.

External sources:

CRIF’s databases

SCHUFA’s databases

OpenStreetMap provides us with information relating to geographic data, such as street maps.

Here.com provides us with information relating to your address: https://www.here.com/here-statement-gdpr

Your prior informed consent pursuant to Article 6.1(a) GDPR.

26

Audit

Processing your personal data to carry out checks to ensure compliance with our legal obligations and relevant standards.

Contact and identification data.

Economic, financial and insurance data.

To the extent we are legally obliged to process your personal data in the context of audits, we base the processing on our legal obligation in accordance with Article 6.1. (c) GDPR.

In all other cases, the processing is based on our legitimate interest in accordance with Article 6.1(f) GDPR, namely our legitimate interest in verifying the suitability and adequacy of our processes in order to comply with legal obligations and internal quality standards for the identification, control and mitigation of legal or operational risks. Bear in mind that this information may be accessed by third-party companies that provide the auditing service for such purpose.

27

Respond to your requests on social media and social media analytics

Processing your data to respond to any request you make via our social media platforms and to analyse your interactions with Zinia.

Contact and identification data.

Unique identifiers.

Our legitimate interest in properly handling the requests you send us on social media, as well as in offering the Services in a simple and efficient manner and adapting our products in a way that meets your needs and expectations, as per Article 6.1(f) GDPR.

28

Reviews and ratings of our products and services

Processing your data, regardless of whether or not you are a customer, when you leave a review or rating of our products and/or services on public websites or through the platforms enabled for this purpose, or when you identify yourself or directly provide us with your personal data in order to respond to you and take your contribution into account for future improvements.

Contact and identification data

Data you provide through a review or rating

Our legitimate interest in responding to and using reviews and ratings to implement the relevant changes.

29

Draws and promotions

Processing your data when you take part in draws, promotions and events that we organise for the purpose of managing your participation in and/or attendance at them - including confirmation of compliance with the requirements for participating in them, where applicable, communicating with you and sending you the corresponding prize in the event you win.

This includes the processing for tax purposes, if applicable.

Contact and identification data.

Economic and financial data.

All the data that may be necessary to verify compliance with the T&Cs of promotions and draws.

Performance of the contract and proper performance of the Services (i.e., participation in the prize draw itself), according to Article 6 (1)(b) of the GDPR.

30

Identity check

We are obliged to identify you when you want to purchase certain products. For this purpose, video identification is offered through our service provider, WebID GmbH, which identifies you on our behalf. This biometric identification will be carried out, firstly, by matching your photo and your scanned ID card and, secondly, by using a solution that allows us to identify you by accessing your online account with your bank, as well as by using Tink’s account information service, providing us with the appropriate information. An automatic decision will be made.

Contact and identification data.

Biometric data.

Economic and financial data.

The identification is based on our legal obligation according to Article 6.1 (c) GDPR.

The processing of your data in the context of video identification is based on your prior informed consent, in accordance with Article 6.1 (a) and Article 9 GDPR.

31

Communication of information to the qualified signature-trust-service provider

In order to electronically sign the contract by means of a qualified electronic signature, our service provider, WebID GmbH, provides your data to the electronic trust service provider, as a third party must validate your signature.

Contact and identification data.

Execution of the contract and proper performance of the Services, according to Article 6.1 (b) GDPR

32

Reporting information to credit information bureaux

See Section 6 for further information

Processing your personal data to report to credit information bureaux (i.e., SCHUFA and CRIF) information regarding the Services, as well as any breach, non-payment or fraud.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions in the context of the BNPL services.

As per Article 6.1(f) GDPR, our legitimate interest in preventing non-payment that is detrimental to us and to adequately control it, and in accordance with the legitimate rights held by third-party financial institutions to be informed of any non-payment when processing new financing applications.

33

Cookies

See Section 13 for further information

Processing data using cookies and similar technologies, as explained in more detail at: https://www.zinia.com/en-de/cookie-policy.

Contact and identification data.

Your prior informed consent, pursuant to Article 6.1(a) GDPR and Section 25 TDDDG, to the extent that the technology used (e.g. cookies) is not technically necessary for the provision of the respective service accessed (Art. 6 paragraph 1(f) GDPR; Section 25 paragraph 2 (2) TDDDG).

34

Prevent money laundering or terrorist financing (including automated decision-making)

Complying with the applicable obligations to prevent money laundering and terrorist financing.

This includes identifying the end-user of the Service, or the individual acting as the legal representative or proxy of a business, confirming whether the user is a publicly or politically exposed person and, if so, applying enhanced measures of due diligence in the business relationships or operations that we carry out with you.

We will supervise the relationship and apply the necessary measures to prevent money laundering or terrorist financing.

Contact and identification data.

External sources:

Information from external sanction lists and PEPs lists.

Information from companies of the Santander Group.

Legal obligation, as per Article 6.1. (c) GDPR.

35

Processing details of proxies or representatives of legal companies or related to self-employed professionals

Processing your contact details, as well as those relating to your position and any other required to contact you, in the event that you are self-employed or represent a business that is interested in collaborating with us.

Contact and identification data.

Adequate execution and performance of the agreement with the business we collaborate with, as per Article 6.1(f) GDPR.

36

Wills, bankruptcy proceedings and powers of attorney

Processing your personal data for the following purposes: processing wills, taking the necessary measures in the event that you are declared bankrupt, considering valid power of attorney documents sent to us and managing the request that accompanies them.

Contact and identification data

Economic, financial and insurance data

Contractual execution, pursuant to Article 6. 1. (b) GDPR and our legitimate interest in knowing the customer's financial situation and being able to take appropriate action, pursuant to Article 6.1. (f) GDPR.

37

Whistleblowing channel

Investigating facts brought to our attention through the internal whistleblowing channel.

Contact and identification data

Economic, financial and insurance data

Information about the goods and services

Data about your personal characteristics

Employment data

Special categories of personal data

Data on social circumstances

Academic and professional data

Commercial data

Data on your financial situation

Legal obligation, as per Article 6.1. (c) GDPR.

38

Designing, training and using artificial intelligence or new technology

We may use certain personal data to design, train and use artificial intelligence (AI) models or other emerging technologies to improve our internal processes and the services we offer. Whenever possible, personal data will be anonymised or pseudonymised to prevent any legal or significant impact on customers. If we interact with you through an AI-based system, we will inform you in advance and, where appropriate, offer alternative options.

Contact and identification data

Economic, financial and insurance data

Information about the goods and services

Data about your personal characteristics

Employment data

Special categories of personal data

Data on social circumstances

Academic and professional data

Commercial data

Data on your financial situation

Device data

Legitimate interest in designing, developing, and using AI models and systems to offer innovative and efficient financial products and services, in accordance with Article 6.1 (f) of the GDPR.

Legitimate interest in applying anonymisation or pseudonymisation techniques to create, train and use models, whenever possible, in order to reduce the impact on individuals’ privacy, in accordance with Article 6.1 (f) of the GDPR.

Performance of a contract, when processing is strictly necessary for the fulfilment of contractual obligations, in accordance with Article 6.1 (b) of the GDPR.

Consent, when processing special categories of personal data for the training or use of models, in accordance with Article 9.2 (a) of the GDPR, or when required due to the potential impact of the model on customers’ privacy, in accordance with Article 6.1 (a) of the GDPR.

Additional data processing in the case of Zinia Privatkredit

39

Taking out insurance

Processing your personal data, in the event you take out insurance through Openbank, for the purpose of establishing and managing the contractual relationship. Furthermore, as we are an intermediary, we will share your data with the relevant insurance company (CNP Santander Insurance Europe DAC and CNP Santander Insurance Life DAC).

Contact and identification data.

Economic, financial and insurance data.

Data related to your personal characteristics.

Fulfilment of a contract (Art. 6.1 (b) GDPR).

40

Data storage in the event the application process is halted

If you cancel the process, we will save the data of your application for 30 days so you can continue at a later date, should you wish to do so.

Contact and identification data.

Economic, financial and insurance data.

Data related to your personal characteristics.

The processing is based on legitimate interests in order to be able to make you a loan offer (Art. 6.1 (f) GDPR).

41

Debt consolidation

You may request the consolidation of your debts. In this case, we will confirm that the information provided by you matches the information that we have received from Schufa during the solvency assessment. The information provided by Schufa is: total and estimated pending amount of your loan, the start date and term of the loan.

Contact and identification data.

Economic, financial and insurance data.

External source:

Schufa (for more information, please refer to Section 6).

The legal basis is the legitimate interest of Openbank (Art. 6 (1) lit. f GDPR).

Additional data processing in the case of BNPL services

42

Click and collect

Customer request through merchant websites to collect the purchase at the physical store.

Contact and identification data.

Economic, financial and insurance data.

Processing of your personal data for the fulfilment of the contractual relationship with us in accordance with Article 6.1(b) GDPR.

43

Point of sale

Customer requests to formalise purchases at physical stores.

Contact and identification data.

Economic, financial and insurance data.

Processing of your personal data for the fulfilment of the contractual relationship with us in accordance with Article 6.1(b) GDPR.

44

Exchange of data with the store

When customer purchases are made at some specific store points-of-sale, online stores or by phone, customers may use the Openbank Service. In such cases, the store and Openbank will have to exchange certain data for the sale and purchase of the invoice. This also includes giving confirmation to the store on whether or not the customer’s use of the Service is approved.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

Processing of your personal data for the fulfilment of the contractual relationship with us in accordance with Article 6.1 (b) GDPR.

45

Pre-approval of a purchase (automated decision)

See Section 4.4 for further information.

When customers request the pre-approval of a purchase (pre-approval of the amount of an invoice), Openbank will transfer their data to the store, as described in more detail in Section 4.4.

Identification data.

Economic, financial and insurance data.

External sources:

CRIF’s databases

SCHUFA’s databases

Infoscore Consumer Data GmbH database

Store where the purchase is made

Tink AB

Establishment of the contract in accordance with Article 6.1. (b) GDPR.

46

Transfer of your customer data from the store where you made the purchase to Openbank

See Section 6 for further information.

The merchant’s right to charge you for your purchase is transferred to Openbank (sale and purchase of the invoice).

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

External source:

Store where the purchase is made

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

47

Pay Now payment processing

In the event that Openbank is unable to approve customer requests for the use of the Service or the product cannot be financed, customers will be offered the possibility of making the payment via “Pay Now”. For this purpose, the customers will be redirected from the Zinia platform to that of a payment initiation provider, which will act as the party responsible for processing the payment.

Contact and identification data.

Economic, financial and insurance data.

External source:

Payment service provider

Execution of the contract and proper performance of the Services, in accordance with Article 6.1 (b) of the GDPR.

48

Complaints relating to the product purchased

Managing customer complaints about products purchased, as well as coordinating complaints with the business where the purchase was made.

Contact and identification data.

Economic, financial and insurance data.

In the context of the BNPL services additionally:

Data relating to goods and services transactions.

External sources:

The store where the purchase is made.

Openbank's legitimate interest in processing and handling complaints received from customers, pursuant to Article 6.1 (f) GDPR. Insofar as the processing of the complaint is necessary for the fulfilment of a contractual relationship with the customer, we base the processing on Article 6.1 (b) GDPR.

Additional detailed information is provided below on the most important processing activities, including information on automated decision-making.

4.2. Fraud prevention

We have the obligation and aim to avoid the occurrence of fraud and to protect you and all our other customers from it. Therefore, we process your data for the purpose of fraud prevention, both in the context of contract initiation, i.e., during the application process for our Services, and throughout your contractual relationship with us. Specifically, this serves the purpose of protecting us both from potential fraud. This processing includes the use of external fraud prevention services and carrying out our own fraud risk assessment to the following extent:

  • Approval of the application to use the service (automated decision)

To this end, when you request the Service, we will use automated decision-making that significantly affects you. Therefore, profiling is carried out based on the automated processing of your data to evaluate the information provided during your application in order to make a decision on whether or not to purchase your invoice, or to assess whether your use of our Services involves a risk of fraud. We profile your user behaviour through specialised fraud-prevention tools and compare the data on behaviour and conditions with our internally established risk criteria.

a) Transfer of data to fraud prevention services

We use the following external fraud prevention services:

Emailage: to use Emailage, a fraud prevention service provided by LexisNexis Risk Solutions (Europe) Limited, we need to transfer certain personal data to it to verify the identity of our customers and detect fraudulent activity. This data may include the name, home address, email address and IP address of the data subject. Emailage subsequently carries out a fraud risk assessment (scoring). This scoring is based on various algorithms and data sources that assess the risk of a transaction.

ThreatMetrix: to use the ThreatMetrix fraud prevention and identity verification service, provided by LexisNexis Risk Solutions (Europe) Limited, certain personal data is processed and analysed by ThreatMetrix to detect suspicious activity and potential threats. For this purpose, ThreatMetrix creates a pseudonymous device ID that is used by it to determine unique characteristics for that device based on the behaviour and data described below. In particular, ThreatMetrix processes the following personal data:

- Device data: IP address, location data, websites visited, as well as the start, end and duration of the website visit, and other device information (language and country settings, screen information, colour depth and information about installed browsers, plug-ins, software and versions).

- Transaction data: title, first name, surname and maiden name, date of birth, email address, telephone number and home address (house number, street name and postcode) and amount of financing applied for.

CRIF: we will also share your data with CRIF for the purpose of fraud prevention. As such, we will share your first name, surname, date of birth, email address, telephone number, home address (including house number, street name, town or city and postcode) and IBAN with CRIF. CRIF will compare these data with those in their databases in order to prevent the risk of impersonation or to check if the data have been previously used in a fraud case.

Data processed: identifying information, information on your personal characteristics, information on goods and services transactions, employment information, internet browsing data and details about the device used.

Appropriate information on the processing activities related to CRIF can be found in Section 6.

The processing of your personal data through the use of the aforementioned services is carried out solely for the purpose of recognising and preventing fraud and ensuring the security of our users. This assessment helps us to determine the likelihood of fraud taking place and to take appropriate measures to protect our customers and our company.

The processing is carried out on the basis of Article 6 paragraph 1(f) GDPR, as we have a legitimate interest in protecting our services from fraud and verifying the identity of our customers.

b) Approval of the application to use the service (automated decision)

When you apply for the Service, we will use automated decision-making that significantly affects you. Therefore, profiling is carried out, based on the automated processing of your data, to evaluate the information provided during your application from external sources, such as fraud prevention services, and Openbank’s own internal information. The purpose is to help us make a decision on whether or not to purchase your invoice or to assess whether or not your use of our Services involves a risk of fraud. We profile your user behaviour through specialised fraud-prevention tools, as explained in the Section 4.2 (a), and compare the data on behaviour and conditions with our internally established risk criteria. The personal data categories used in each decision are set out in Section 4.1.

The consequence of these automated decisions, based on the analysis carried out, is whether or not we are able to preliminarily approve your application to use the Service.

Furthermore, in the event that our processing shows that your behaviour indicates possible fraudulent conduct, that your behaviour is not consistent with your previous use of our Services or that you have attempted to conceal your true identity, a decision will be made on whether or not you pose a risk of fraud.

If attempted fraud or suspicious activity is detected (e.g., repeated transactions, use of another device or unusual behaviour compared to your previously established transaction profile), and except where public interest is involved, we may make an automated decision, of which you will be informed accordingly, review the available information and request additional information, if necessary. Likewise, as a precautionary measure, and until we have performed the appropriate checks, all transactions will be placed on hold.

In the event your application is denied, you will not be able to use the Service.

We have several control mechanisms in place to ensure that our automated decisions are appropriate. These mechanisms include ongoing tests and reviews of our decision models and detailed documentation of rejected applications and the reasoning behind them. If you are concerned about the appropriateness of the result, you can contact us and one of our analysts will review whether or not the process was performed appropriately. You can also object in accordance with the following:

You have the right to object to any automated decision that has legal consequences or decisions that may otherwise significantly affect you. You can do so by sending an email to datenschutz.de@zinia.com. Upon receipt of your objection, we will proceed to review the decision made, considering any additional information and circumstances that you may provide.

This processing is based on the application of pre-contractual measures and contractual performance, as applying fraud prevention measures is required to establish and execute the agreement with the data subject. The legal basis for this processing is Article 6(1)(b) GDPR.

c) Verification of identity and shipping and billing address (automated decision)

In line with our goal of protecting you and all our other customers from possible fraudulent and criminal behaviour, such as identity theft, when you apply for the Service we will cross-reference some of the data you have provided (in particular, your name and shipping and billing address) with Infoscore Consumer Data GmbH (hereinafter, “ICD”). ICD will process the data as data controller, complying with and respecting the procedures, rights and guarantees established at all times and provided for by current legislation.

This processing will be carried out with the sole purpose of detecting and preventing attempted fraud. As such, ICD will analyse the suitability of the claimed identity, the accuracy and appropriateness of the address provided, and the characteristics of the area.

ICD will process the data in line with its privacy policy. You can exercise your data protection rights relating to ICD here.

The logic applied to this processing is as follows: we will cross-reference your data with those included in the ICD Credit Register in order to detect possible inconsistencies between the name and shipping and billing address that you provide during the purchase process and the data held by ICD. With the information obtained in the framework of the above cross-referencing activity, we may reject your Service application.

As this processing is carried out based on an automated decision, you have the right to request an explanation about the decision made, exercise your right not to be the subject of exclusively automated decisions, request the intervention of one of our analysts, express your opinion on the decision made and to challenge such decision. In doing that, you can provide any additional document you believe is necessary.

This processing is based on the application of pre-contractual measures and contractual performance, as applying fraud prevention measures is required to establish and execute the agreement with the data subject. The legal basis for this processing is Article 6(1)(b) GDPR.

4.3. Data transfer from the store where the purchase was made to Openbank and customer registration approval via a creditworthiness analysis (automated decision)

When you request the Service, the store where you are making the purchase will share with us certain personal data relating to you in order to transfer to Openbank its right to charge you for your purchase (sale and purchase of the invoice).

In certain cases, the store where you make the purchase and Openbank may act as separate data controllers, i.e., both of us will determine separately how to process your data. As such, we will both have to comply independently with the existing data protection requirements and obligations. In other cases, for certain phases of the data processing activity, we will jointly determine the means and purposes of such processing, i.e., we will be jointly responsible. In this latter case, either the store or Openbank will specifically inform you of this joint processing.

Whether we act as a separate or joint controller will depend on the data processing carried out and the configuration of the payment process with the store. If you would like to receive more information about the processing of your data by the store and by Openbank, please do not hesitate to contact us using the contact details in Sections 2 and 8. In the case of joint responsibility, you are entitled to receive information about the essential aspects of the joint data controller agreement, using the contact details provided in Section 2.

We need to process personal data (i) received from the store, (ii) provided directly by you and (iii) collected by Openbank from external sources (such as other third parties, including Schufa), in order to analyse and manage the approval of the sale of the invoice and – if the invoice purchase finally takes place – to comply with the derived obligations and to maintain the relationship with you.

Furthermore, we will assess your solvency in order to envisage if you will be able to afford the payment of the items purchased and to prevent a possible default on the debt with the aim of avoiding situations that may be detrimental to both Openbank and you.

Please note that before the payment mandate is created, you will be redirected from Zinia to the Tink AB platform, the external aggregation provider that will act as the data controller. Tink will transfer to Openbank, within the framework of the collaboration agreement signed between both institutions, and in accordance with its privacy policy, the following data on the accounts you have aggregated (external sources): your current account number, and your balances in different asset and liability products in other financial institutions.

Once the aggregation has been carried out by the third-party provider, we will also verify that your identity matches that of the account holder of the account added through Tink.

Additionally, Openbank will keep a record of your current account number and use this number to offer you the possibility to easily set up direct debits for loan or financing payments.

The sources from which we obtain the data, as well as the specific categories of personal data that we collect from such sources, are set out in Section 4.1. Please note that if before carrying out the transaction you already have a relationship with Openbank, we will also process for the purposes established in this section the personal data relating to you that we have obtained through that relationship.

The logic behind the analysis we carry out to approve the purchase of the invoice is based on the analysis of the information that you have provided us, such as your purchase history and payments, together with the external sources listed in Section 4 that provide us with information relating to your identity and financial situation, or the corresponding creditworthiness scoring. The aforementioned data and the analytical properties of our risk models enable us to automatically infer if you would be able to afford the payment of the product, which consequently allows us to approve or reject your request, based on the probability of you failing to meet your payment obligation.

You are entitled to ask for an explanation about the decision made, to exercise your right not to be subject to exclusively automated decisions by requesting the intervention of one of our analysts, to express your opinion regarding the decision made on the basis of the profiling and to challenge such decision.

4.4. Application review and analysis - automated decision-making approval (automated decision)

We process your data in order to assess your application for our Services and to evaluate your creditworthiness. For this purpose, the decision on your application is made by means of automated processing and it is based on profiling.

This automated decision is based on the information provided by you during the application process as well as our information on creditworthiness and whether we have identified a risk of fraud. Please note that we create a profile based on your user behaviour using specific anti-fraud tools and compare it with our internally established risk criteria (see Section 4.1). Specifically, the following data sources are decisive for the automated decision:

  • Information you provided when applying for the Services;
  • Information on creditworthiness that we receive from credit agencies, such as SCHUFA Holding AG and CRIF GmbH;
  • Information from LexisNexis Risk Solutions (Europe) Limited, using the aforementioned services of Emailage and ThreatMetrix (see Section 4.2);
  • Information from the store where you make the purchase relating to BNPL Services;
  • Internal data, including information that we have from previous use of our Services and data relating to the device you use to request the Services;
  • Information from the account information service Tink AB (see Section 4.3);
  • Results of our fraud prevention analysis and fraud prevention tools (see Section 4.1).

By combining all of the aforementioned sources of information and the analytical capabilities of our behavioural and risk models, we can determine your potential payment behaviour. The logic behind the analysis we perform to authorise purchases on account is, therefore, based on the analysis of the above data. The analytical properties of our risk models allow us to automatically deduce whether you can afford the instalments of the Service, so that we can approve or reject your application based on the likelihood of you defaulting on payments. If our behavioural and risk models conclude that there is an increased risk of default, this may negatively influence our decision on your application.

The same applies, for example, if we conclude from the analysis that your application is associated with an increased risk of fraud, e.g., because it does not correspond to your previous use of our Services or otherwise represents unusual behaviour.

Depending on the outcome of this process, we will either approve or reject your application. We will inform you of the outcome accordingly.

The categories of personal data used in each decision are set out in Section 4 of this Privacy Policy.

We have established several control mechanisms to ensure that our automated decisions are appropriate. These mechanisms include the ongoing testing and review of our decision models, as well as full documentation of rejected applications.

If your request is not approved, based on the automated decisions described in this section, you will not be granted access to the Service. In this case, you can contact us to explain your point of view or request a manual review of the decision. One of our analysts will then review the decision manually. You also have the right to object to automated decisions with legal consequences or decisions that may otherwise have significant consequences for you. If you would like to do this, please send an email to datenschutz.de@zinia.com. Once received, we will review the decision taking into account any additional information or circumstances that you provide us.

The legal basis for the processing is the initiation of the contractual relationship in accordance with Article 6 paragraph 1(b) GDPR.

4.5. Purchase pre-approval (automated decision)

If you want to request the pre-approval of a product purchase at a store (pre-approval of the amount of an invoice), after selecting Zinia as the payment method, Openbank will transfer your data to the store, which will process them for a maximum of 72 hours in order to process the purchase.

In certain cases, the store where you make the purchase and Openbank may act as separate data controllers, i.e., both of us will determine separately how to process your data. As such, we will both have to comply independently with the existing data protection requirements and obligations. In other cases, for certain phases of the data processing activity, we will jointly determine the means and purposes of such processing, i.e., we will be jointly responsible. In this latter case, either the store or Openbank will specifically inform you of this joint processing.

Whether we act as a separate or joint controller will depend on the data processing carried out and the configuration of the payment process with the store. If you would like to receive more information about the processing of your data by the store and by Openbank, please do not hesitate to contact us using the contact details in Sections 2 and 10. In the case of joint responsibility, you are entitled to receive information about the essential aspects of the joint data controller agreement, using the contact details provided in the aforementioned sections.

We need to process personal data (i) provided directly by you, and (ii) collected by Openbank from external sources, such as other third parties, including Infoscore Consumer Data GmbH, and other credit bureaux or account aggregation providers, as set out in the corresponding row in the table in Section 4, in order to handle the approval of invoices and, if finally approved, to meet the corresponding obligations and maintain the contractual relationship with you.

In addition, we transfer your personal data (identification, economic, financial and insurance data) to the store for the purpose of invoice approval.

For this purpose, we assess your creditworthiness in order to envisage whether you will be able to afford to pay the invoices, thus avoiding possible non-payment of the debt and situations that could be detrimental to both Openbank and you.

Please note that before the payment mandate is created, you will be redirected from Zinia to the Tink AB platform, the external aggregation provider that will act as an independent data controller. Tink will transfer to Openbank, within the framework of the collaboration agreement signed between both institutions, and in accordance with its privacy policy, the following data on the accounts you have aggregated (external sources): your current account number, and your balances in different asset and liability products in other financial institutions.

Once the aggregation has been carried out by the third-party provider, we will also verify that your identity matches that of the account holder of the account added through Tink.

Additionally, Openbank will keep a record of your current account number and use this number to offer you the possibility to easily set up direct debits for loan or financing payments.

The sources from which we receive the data, as well as the specific categories of personal data that we collect from such sources, are set out in Section 4. Please note that if, before carrying out the transaction, you already have a relationship with Openbank, due to Openbank operating through Zinia, with Openbank being the data controller, we will also process personal data relating to you that we have obtained through that prior contractual relationship for the purposes set out in this section.

The logic behind the pre-approval analysis we carry out to approve the invoice purchase is based on the analysis of the information that you have provided us, such as your purchase history and payments, together with the sources listed in Section 4, which provide us with information relating to your identity and financial situation, or your credit score. The aforementioned data and the analytical properties of our risk models enable us to automatically infer if you would be able to afford the payment of the product, which consequently allows us to approve or reject your request, based on the probability of you failing to meet your payment obligation.

You are entitled to ask for an explanation about the decision made, to exercise your right not to be subject to exclusively automated decisions by requesting the intervention of one of our analysts, to express your opinion regarding the decision made on the basis of the profiling and to challenge such decision.

4.6. Fraud and creditworthiness assessment for Vodafone customers

In order to assess the risk in connection with the purchase of receivables from Vodafone customers, Openbank independently checks creditworthiness and fraud risks.

In doing so, Openbank assesses whether or not the purchase of receivables is associated with fraud risks and whether you are in a position to pay for the goods purchased. The aim is to avoid payment defaults and rule out negative consequences for you and Openbank. The legal basis for this processing is to fulfil the corresponding contract pursuant to Article 6 paragraph 1(b) GDPR.

For this purpose, Openbank performs automated processing (profiling) of your data. Openbank takes into account the information provided by Vodafone – such as your contact information, date of birth and information about the goods purchased, abstracted information about your contractual relationship with Vodafone, the legitimacy check carried out and the chosen shipping method for the purchased device (you can find further information on data processing within the scope of the purchase contract for end devices with an instalment payment agreement in the data protection policies of Openbank and Vodafone, joint data controllers), as well as Openbank's internal information that it may already have regarding you, e.g. information about your past behaviour and your purchase and payment history.

Furthermore, Openbank uses information provided by the credit bureaux CRIF (CRIF GmbH, Victor-Gollancz-Str. 5, 76137 Karlsruhe) and SCHUFA (SCHUFA HOLDING AG, Kormoranweg 5, 65201 Wiesbaden) in order to fulfil the legal obligations relating to credit checks (§ 505a BGB, § 18a KWG). This includes your contact and identification information and your credit score (further details can be found in the data protection declarations of Schufa, www.schufa.de/datenschutz, and CRIF, www.crif.de/datenschutz/). Openbank will compare this data to detect possible risks and apply its internal risk policies.

The aforementioned data and the analytical properties of the risk models enable us to automatically derive a probability of whether the purchase of the receivable under the agreement is associated with a risk of fraud (for example, in the event of detection of signs of fraudulent behaviour, inconsistent behaviour or attempted impersonation) and whether you are capable of paying for the purchased goods, which consequently enables us to apply our internal risk policies and, together with Vodafone, to approve or reject a decision to purchase the corresponding receivable.

We have established several control mechanisms to ensure that our automated decisions are appropriate. These mechanisms include the ongoing testing and review of our decision models, as well as full documentation of rejected applications.

As part of the final automated decision process to decide whether to accept or reject a customer's application for an end-user purchase contract with an instalment payment agreement, Openbank will share the results of its own fraud and creditworthiness review and Vodafone will share the results of its fraud and blacklist check. Further information about fraud and blacklist checks for Vodafone products and services can be found in its privacy policy in section 4 (d) and (a). However, no other information from these processes is shared. The only information shared is whether the outcome is positive or negative and the reason for it. If the result of one of the responsible parties is negative, the application is rejected. The application, therefore, is only approved if both responsible parties decide to approve it in their own reviews.

Further detailed information on the handling of your personal data by SCHUFA and CRIF can be found in Section 9.

For more information on the processing carried out by Openbank and Vodafone, as joint data controllers, please read the Joint Privacy Policy.

4.7. Credit checks, financial solvency, creditworthiness assessment and reporting regarding the Zinia Personal Loan (automated decision making)

a) Transfer of Data to credit bureaux

We will share your personal data with the credit bureaux SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany (“SCHUFA”) and CRIF GmbH, Victor-Gollancz-Str. 5, 76137 Karlsruhe (“CRIF”) in the following situations:

Credit Checks

The purpose of the processing is to: (i) obtain a credit report (“Bonitätsauskunft”) on you in the form of a payment probability score, (ii) validate the address you have provided and (iii) prevent fraud. As part of this check, your address will also be used to obtain information about known cases of fraud or attempted fraud by individuals that have provided the same address (see Section b).

Data processed: identifying data, in particular your first, middle and last name, address or addresses, date of birth, IBAN, telephone number and email address.

Legal basis for the processing: our legitimate interest to reduce the risk of debt defaults, pursuant to Article 6 (1)(f) GDPR.

Reporting of non-payments to credit bureaux:

In addition, we will report any payment default on your part during the contractual relationship with Openbank to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden and CRIF GmbH, Victor-Gollancz-Str. 5, 76137 Karlsruhe. See Section 9 for further information.

Data processed: identification information and information relating to your defaults or debts.

Legal basis for processing: our legitimate interest in preventing and suitably controlling situations of non-payment that may be negative for us, as well as the legitimate interest of third-party financial institutions to be informed of any non-payment when processing new financing applications pursuant to Article 6 (1)(f) GDPR.

b) Assessing financial solvency and creditworthiness

When applying for the Zinia Personal Loan, we will assess your creditworthiness. This is done by means of automated decision making. We will compare, process and profile your application data based on our behaviour and risk models to predict the risk of default. This will involve profiling and include an automated analysis of the information you provided during the application, the information retrieved from the metadata in the application process, and your financial creditworthiness by consulting credit databases such as SCHUFA and CRIF to detect any known cases of debt and non-payments (see Section 6 for more details).

If you are already an Openbank Customer, we will also automatically analyse your existing data, such as account balance, securities purchased, plans, funds, mortgages, cards, deposits (deposits/repayments), loans (amount and number), direct debits, spending with merchants and card transactions (in-store/online), payroll and pensions, cash (inflows and outflows), card usage, age and cases of payment default with Openbank.

We will also verify whether or not you have any debt and/or non-payments with other institutions, as reported by SCHUFA and CRIF.

We will also consider information collected from Tink. If certain criteria (such as amount of the loan) are met, you will need to register with Tink, the account information service provider. Tink aggregates financial movements from the accounts you add and provides us with the transaction details including date, amount, destination and balance.

Tink will process your data based on your consent pursuant to Article 6 (1)(a) GDPR as controller and transfer it to Openbank under our cooperation agreement with Tink.

For more information, please see Tink’s privacy policies available at: https://tink.com/legal/notices.

The data obtained through Tink will be shared with CRIF. CRIF processes the data of each transaction (amount, item, date and associated account) and the ownership data of valid aggregated accounts. CRIF N.E.O.S., acting as our processor, categorises the data to help us determine your credit eligibility.

You also have the option of uploading the relevant documents (e.g., salary statements and bank statements). Based on the combination of the information sources described above and using our behavioural and risk models, we can derive your possible payment behaviour in order to check whether you can both meet your payment obligations and cover your personal needs. We therefore use these methods to identify payment defaults in relation to the service provided. Please note that as a result of this automated decision-making, i.e., profiling, we may accept or reject your application. If we reject your application, you will be duly informed of it if the decision is based on information from a credit bureau.

You may request information on the result of such automated decision making in order to receive an explanation of the decision made. Openbank has taken proper measures to safeguard your rights and freedoms. For instance, you can express your opinion on the matter, object to the result and request human intervention in the form of a manual review of the decision made. For this purpose, you may submit any additional documentation that you deem necessary.

Please note that the process of providing the Service involves long-term management and monitoring. Therefore, we may also need to analyse your financial situation and borrowing capacity on an ongoing basis.

The legal basis for the processing is that the assessment of your financial solvency, as explained, is necessary for the establishment of a contractual relationship with you. The legal basis is Article 6 (1)(b) GDPR.

4.8. Sales and marketing communications

We also process your personal data for marketing purposes. The scope and purpose of such data processing, as well as the legal basis for them and the categories of personal data processed, are set out below in greater detail:

Type of marketing communications that you will receive:

Your personal data will be processed in order for Openbank to send you marketing regarding the following:

a) Openbank products and services, including Openbank accounts, cards, loans, savings and investment products.

b) Products and services of the Santander Group companies that may be of interest to you. You can see a list of these companies here.

c) Offers of third parties that collaborate with Openbank and which offer its products and services. This may include the following:

  1. If you have an Openbank product, such as an account, card or loan, etc., you may be sent offers and discounts on the products and services of our partners through Open Discounts. You can see a list of the current partners by clicking here. This list is updated on a regular basis.

  2. If you have selected a Zinia payment method and have accepted the Zinia Terms and Conditions, you may be sent offers and discounts on third-party products and services where such payment method is available. You can see a list of these third parties here. This list is updated on a regular basis.

  3. If you are an Openbank customer or have selected a Zinia payment method and have accepted the Zinia Terms and Conditions, you may also be sent offers of third parties that Openbank collaborates with in order to offer you products or services that may be of interest to you, such as insurance. Furthermore, if you have taken out or engaged a service or product offered by Openbank in collaboration with a third party, you may also be sent offers of those third parties, which will be mentioned when the corresponding product or service is taken out or engaged.

Based on your marketing consent, your data will not be shared with third parties, even in the event you receive information about their products and services that may be of interest to you. All marketing on the products and services of third parties, in accordance with this marketing consent, will be sent by Openbank.

In addition, Openbank will process your personal data to monitor and understand how you interact with our advertising, such as open rates and click rates, etc., and how successful they are (e.g., if the product is eventually taken out). As a result, our marketing strategies will be optimised based on this behaviour, both in a collective and, in some cases, a personalised manner. This processing will be carried out using cookies. For more information, please see section 10 of this Privacy Policy.

By marketing communications, we mean the following:

Marketing includes all forms of communication that serve to directly or indirectly promote the sale of goods and services, and the image of Openbank, including customer satisfaction and market surveys.

Means and channels through which you will receive marketing communications:

You may be sent marketing through the following means and channels:

- Post (letter)

- Phone (calls and/or SMS)

- App (push messages and banners, etc.)

- Email

- Other electronic means.

Personalisation of the marketing communications:

Personalised advertising and marketing will be tailored to you by means of profiling. For this purpose, data from internal and external sources (e.g., fraud detection databases and credit reference bureaux, such as SCHUFA) will be processed in order to analyse your economic and personal characteristics, interests, and behaviour and risk patterns. Profiling is designed to understand the offers, discounts, products and services that best suit you and to offer you tailored offers, discounts, products and services.

Profiling may result in you not being offered certain Openbank discounts, products or services as part of its advertising and marketing.

Data processed by Openbank for sending commercial and marketing communications:

We process the following categories of personal data:

- Master data (name and contact details);

- Information on personal characteristics, interests and preferences: date of birth, age, place of residence and, for tax purposes, family information, gender and nationality;

- Economic, financial and insurance information, such as your financial circumstances, credit standing and payment behaviour; income, investments and assets, banking information, subsidies and benefits, payroll financial data;

- Information about how you interact with our advertising and marketing, such as opening an email and your click behaviour.

In general, we collect this personal data directly from you. However, we may also receive information regarding you from the following external sources:

- Third-party companies to which you have given your consent to transfer your data to Openbank or which otherwise legally transfer your data to Openbank.

- Credit bureaux, such as SCHUFA Holding AG and CRIF.

The legal basis for sending you marketing communications is the following:

The legal basis for this data processing is:

- Your consent: this processing is based on your consent to process your personal data (Article 6(1)(a) GDPR).

5. How long do we keep your personal data for?

We process your data for as long as is required to achieve the corresponding purpose. Afterwards, the data are blocked for the legally prescribed retention or limitation period. At the end of this period, the data will be completely anonymised or destroyed.

We are subject to several storage and documentation obligations corresponding to Spanish and German legislation, which include, among others, the German Code of Commerce (HGB), the Fiscal Code (AO), the Banking Act (KWG), the Money Laundering Act (GwG) and the Securities Trading Act (WpHG). The time limit for storage and documentation set out in this document is 2 to 10 years. The storage period is also determined according to the statutory limitation periods. According to Section 195 et seq. of the German Civil Code (BGB), the regular limitation period is three years.

6. Who is your data shared with?

We may share your personal data with the following:

- Public authorities: third parties to whom we are legally obliged to provide information, such as public bodies, tax authorities or courts and tribunals.

- Service providers: we collaborate with external service providers from various sectors that may process your personal data on our behalf as part of the service they offer. We follow strict criteria when selecting our service providers and have signed data processing agreements with all processors, in accordance with Article 28 GDPR. Our processors are obliged to comply with Article 28 GDPR requirements and follow our instructions. You can find a complete list of all recipients of your data here.

- Fraud prevention service providers: we share your data with LexisNexis Risk Solutions Europe Limited and ICD as referred to in Section 5.

- Tink AB, referred to in Section 8.

- Third-party payment initiation providers, such as Tink AB and Stripe, in order to enable you to make a Pay Now payment in the event that Openbank is unable to approve your application to use the Service or the product is not fundable.

- Debt buyers: we may assign open debts to debt buyers, duly complying with the procedures, rights and guarantees established and recognised by the applicable regulations. The aforementioned assignment will entail disclosing the following categories of personal data relating to you to the debt buyer (acting as a separate data controller): contact and identification data; economic, financial and insurance data; data relating to goods and services transactions; and any data that we obtain from our contractual relationship with you. The legal ground for performing the mentioned disclosure is the legitimate interest of Openbank in managing its customers’ debt portfolio and selling it to third parties in order to obtain a financial benefit, as per Article 6.1(f) of the GDPR. The debt buyer will process your personal data in accordance with its own privacy notice. In any event, you will be informed of the specific debt buyer upon transfer of the debt.

- In the event of non-payment, we will forward your data to credit bureaux SCHUFA Holding AG and CRIF GmbH to the following extent:

SCHUFA: “Openbank shall transfer personal data – collected within the scope of this contractual relationship – regarding the application, development and termination of this business relationship, as well as information regarding any behaviour in breach of the contract or fraudulent conduct, to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. The permissibility of this data transfer is provided for in Article 6 Paragraph 1(b) and Article 6 Paragraph 1(f) of the General Data Protection Regulation (GDPR). Data may only be transferred on the basis of Article 6 Paragraph 1(f) of the GDPR if this is necessary to defend the legitimate interests of the bank/savings bank or third parties and does not outweigh the interests or fundamental rights and freedoms of the affected party requiring the protection of personal data. Data is also exchanged with SCHUFA to fulfil legal obligations concerning the performance of customer credit rating checks (Section 505(a) of the German Civil Code; Section 18(a) of the German Banking Act). In this regard, the customer also releases Openbank from banking secrecy. SCHUFA shall process the data it receives and also use them for profiling (scoring) purposes, in order to provide its contractual partners in the European Economic Area, Switzerland and any other third country (provided the European Commission has declared such country as appropriate) with information used for credit rating checks on natural persons and other purposes. More detailed information on SCHUFA’s activities can be found on the SCHUFA-Information in accordance with Art. 14 of the GDPR, and online at www.schufa.de/datenschutz.”

CRIF: “Within the framework of this contractual relationship, we transfer information regarding defaults to CRIF GmbH, Victor-Gollancz-Str. 5, 76137 Karlsruhe.

The legal basis for this transfer is Article 6(1) sentence 1(b) and (f) of the General Data Protection Regulation (GDPR). The data exchange with CRIF GmbH also serves to fulfil legal obligations to carry out creditworthiness checks (sections 505(a) and 506 of the German Civil Code).

CRIF GmbH processes the data received and also uses them for the purpose of profiling (scoring) in order to provide its contractual partners in the European Economic Area and Switzerland and, if applicable, other third countries with information, among other things, to assess the creditworthiness of natural persons. The transfer of personal data to third countries takes place in accordance with Article 44 et seq., GDPR. Further information on the activities of CRIF GmbH can be found in its information sheet or online at www.crif.de/datenschutz.”

We also inform you that payment experience data, in particular data relating to uncontested claims not paid when due, as well as address data, are transmitted to CRIF GmbH, Diefenbachgasse 35, 1150 Vienna, for lawful processing within the limits of its business licences under Sections 151 (publication of addresses), 152 (credit bureaux) and 153 (automated data processing services and electronic data processing technology) under the Trade and Industry Regulation Act 1994. CRIF is also used for identity and credit checks. More information can be found at www.crif.at.

- Santander Group companies, as referred to in Section 4 of this Privacy Policy.

- CNP SANTANDER INSURANCE EUROPE DAC (“CNP Santander Non-Life”), a company with its registered office in Dublin, Ireland, duly incorporated at the Companies Registration Office in Dublin, under number 488062, and CNP SANTANDER INSURANCE LIFE DAC (“CNP Santander Life”), a company with its registered office in Dublin, Ireland, duly incorporated at the Companies Registration Office in Dublin, under number 488063, as referred to in Section 38 for CASH LOANS services.

7. International data transfers

We will only transfer your data to countries outside the EU/EEA (so-called third countries) if necessary for the purposes set out in this Privacy Policy. The transfer may, therefore, relate to the above-mentioned services provided by third parties.

Data will only be transferred to a third country in compliance with the applicable data protection laws, in particular the GDPR, and ensuring an adequate level of data protection. This means that your data will only be transferred to a third country if the EU Commission has issued an adequacy decision (Article 45 GDPR), or if there are adequate safeguards for the protection of your personal data (Article 46 GDPR) or if legal permission has been granted (cf. Article 49 GDPR). Appropriate safeguards within the meaning of Article 46 GDPR are, in particular, the standard contractual clauses published by the EU Commission. All international data transfers that we make, either directly or through some of our suppliers, can be viewed here or under datenschutz@openbank.de or can be found in the table at the following link.

8. Your data protection rights

You have the following rights which you can exercise at any time:

  • Right of access (Art. 15 GDPR): you have the right of access pursuant to Art. 15 GDPR.
  • Right to rectification (Art. 16 GDPR): you have the right to rectify inaccurate personal data.
  • Right to erasure (Art. 17 GDPR): you have the right for your personal data to be erased.
  • Right to restriction of processing (Art. 18 GDPR): you have the right for the processing of your personal data to be restricted.
  • Right to data portability (Art. 20 GDPR): you have the right to receive your personal data in a structured, commonly used and machine-readable format. You are also entitled to have that data transmitted to another controller without hindrance where the processing is based on consent or on a contract and the processing is carried out by automated means.
  • When personal data is processed based on your consent, you have the right to withdraw your consent according to Art. 7 (3) GDPR. Please keep in mind that your withdrawal will only affect future processing and will not affect the lawfulness of processing based on consent before its withdrawal.
  • In the event you consider the processing of your personal data to be unlawful, you have the right to file a complaint with a supervisory authority pursuant to Art. 77 GDPR.
  • To the extent the personal data are processed for the purpose of our legitimate interest according to Art. 6 (1)(f) GDPR, you have the right to object pursuant to Art. 21 GDPR. Please find further information regarding your right to object in the box below under “Information on your right to object pursuant to Art. 21 of the General Data Protection Regulation (GDPR)”.

Information on your right to object pursuant to Art. 21 of the General Data Protection Regulation (GDPR)

You have the right to object at any time, on the grounds relating to your particular situation, to the processing of your personal data pursuant to Art. 6 paragraph 1 (f) of the GDPR (processing of personal data based on the balance of interests); this includes profiling based on those provisions (Art. 4 (4) GDPR).

Should you decide to object to the processing, we will cease processing your personal data, unless we can demonstrate compelling legitimate grounds for it that take precedence over your interests, rights and freedoms or where your data is being processed for the purpose of initiating, undertaking or defending legal claims.

You also have the right to object at any time to the processing of your personal data for the purpose of advertising, which also applies to profiling insofar as it relates to advertising.

Should you decide to object to the processing for advertising purposes, we will cease processing your personal data for these purposes.

The objection can be made without a formal procedure and should, if possible, be addressed to the bodies mentioned below or in Section 2 of this Privacy Policy.

You can exercise the rights established above through the following channels:

  • Email address: datenschutz.de@zinia.com.
  • Postal address: Privacy, Open Bank, S.A., Plaza de Santa Bárbara 2, 28004 Madrid, Spain.
  • Location: Plaza de Santa Bárbara 2, 28004 Madrid, Spain.
  • Contact centre: 0800 0292 008.

Where we process your data as a joint controller with the store from which you make your purchase, we will redirect you to the relevant data controller or forward your request to the data controller.

Finally, you can submit a claim to Openbank and/or the German Data Protection Authority (the supervisory authority competent in the field of data protection), particularly if you have not been satisfied with the process of exercising your rights, by writing to the above-mentioned address or via the website https://www.aepd.es/. If you live in an EU member state, other than Germany, you can also directly contact your national data protection supervisory authority.

9. Keeping your data up to date

To enable us to communicate with you, please ensure that all the information you provide for our databases is true, complete, accurate and completely up to date.

If the personal information you have provided us, particularly your postal address, email address and telephone number (landline and mobile), has changed, we kindly ask you to immediately inform us through any of the channels referred to in Section 12.

In the event that you do not notify us of such changes, you acknowledge and agree that all communications sent by us to the postal address or email address or to the contact telephone numbers that feature in our filing systems, are valid, binding and in full force and effect.

10. Cookies

At Openbank, we use cookies, among others, to remember who you are when you access your private area or to customise content that may be of interest to you based on your browsing habits.

When you access the Zinia website, we will inform you about the cookies we use, and you can configure the analysis, advertising and personalisation cookies used when browsing the Zinia website. You can read our Cookie Policy for more information.

Please note that we only use cookies if and insofar as you give us your consent (Article 6(1)(a) GDPR; Section 25(1)(1) TDDDG) with the exception of cookies that are absolutely necessary for the proper operation of the website and the functions and services offered on it. These absolutely necessary cookies do not require consent (Article 6(1)(f); Section 25(2)(2) TDDDG). You can revoke your consent at any time with future effect by changing your options in cookies settings.

Further information about the use of cookies and other tracking technologies used on our website or app can be found in our Website Cookies Policy and in our App Cookies Policy.

11. Adherence to the codes of conduct

Openbank adheres to the Code of Conduct on Data Protection in Advertising Activities of the Association for the Self-Regulation of Commercial Communication (hereinafter, ‘AUTOCONTROL’), accredited by the Spanish Data Protection Agency and is therefore linked to its extrajudicial system for handling complaints when they are related to data protection and advertising, available to interested parties here. Please note that the language of mediation is Spanish and, in exceptional cases, English.

12. Amendments to the Privacy Policy

This data protection information is amended from time to time. You will be notified by email of any relevant amendments made to this Privacy Policy.

You can download our Privacy Policy here.

Last update: November 2025

1. Introduction: scope of application

In this privacy policy (hereinafter, the “Privacy Policy” or the “Policy”), Open Bank, S.A.U. (hereinafter, “Openbank”, “Zinia”, its registered trademark, or “we”/“us”) will provide you (hereinafter, “you” or the “Customer”) with information about the processing of your personal data it carries out when you apply for a loan (general consumer loan agreement within the meaning of § 491 BGB) (hereinafter, the “Service”). The Service will be offered under the trademark, Zinia.

This Privacy Policy applies to anyone whose data may be processed in relation to the Service (such as our customers, agents, legal representatives (natural or legal persons), guarantors, etc).

This Policy is intended to provide you with the information necessary in accordance with Regulation (EU) 679/2016 of 27 April 2016 (hereinafter, the "GDPR"). It covers the categories of personal data (hereinafter, also “data”) that we will process under the Service, how we obtain your personal data, the purposes for processing them, the underlying legal bases for such processing, the recipients of your data, how long we store them for, your legal rights with regard to your personal data, as well as any other privacy information we believe you should know about to ensure full transparency.

Please consider this Privacy Policy to be additional to any other privacy notice that we provide or send you at any point during our pre-contractual or contractual relationship with you.

Please take a moment to read and fully understand its contents. If you have any questions or queries, please contact our data protection officer using the contact details set out below.

2. Who is the data controller and how can the data protection officer be contacted?

The controller, pursuant to Article 4 (7) of the GDPR, responsible for processing your personal data, is:

Open Bank, S.A.U. (under its trademark, “Zinia”)

Plaza de Santa Bárbara 2,
28004, Madrid,
Spain

If you have any queries relating to the processing of your personal data, you may contact our data protection officer via the aforementioned address or by sending an email to: datenschutz.de@zinia.com.

In certain cases, both the Store, where you make your purchase, or the Broker, where you enter your data for the loan, and Openbank, may act as separate data controllers. This means that each party will independently determine the means and purposes of the data processing. In other cases – regarding which you will be specifically informed by either the Store, the Broker or Openbank – Openbank and the Store, or Openbank and the Broker, may act as joint controllers; this means that we jointly determine the means and purposes of certain data processing activities, or the Broker or the Store may act as our processors.

Whether we act as separate or joint controllers depends on the nature of the data processing and the Store’s or Broker’s configuration of the loan application process. For detailed information on this, which goes beyond that provided in this Privacy Policy, please do not hesitate to contact Openbank using the contact details provided in this Section or in Section 11. In the event of joint control, you are also entitled to receive information about the essential aspects of the co-responsibility agreement, which can be done using the contact details set out in the foregoing sections.

3. What data do we process and how do we obtain them?

During the Service, we will process the following categories of personal data:

  • Contact and identification data: salutation; name and surname; date of birth; marital status; citizenship; residency/billing and shipping address (including street, house number, postcode, city); country; information on whether or not the applicant has lived at the current address for more than 3 years (including the previous address in the event the customer has lived at the current address for less than 3 years); email address; and mobile phone number.
  • Information on your financial situation: number of children in the household; number of children for whom the applicant pays child benefits; monthly housing costs; income tax liability in Germany; Tax Identification Number (Tax ID); IBAN; profession (since when); professional sector; and company name of the employer.
  • Identifying information: Tax ID/National ID number; first name and last name; address; signature/fingerprints; image/voice; electronic signature; Social Security/mutual insurance company number; health or medical card; telephone; email address; IP address; and biometric data or physical characteristics.
  • Information on your personal characteristics: marital status; native language; physical characteristics; family information; date of birth; place of birth; age; and gender and nationality.
  • Academic and professional information: training and qualifications; student record; professional experience; and membership of professional associations.
  • Employment information: profession; position; non-financial payroll data; and employee history.
  • Commercial information: activities and business; commercial licenses; subscription to publications, and artistic, literary or scientific works.
  • Economic, financial and insurance information: income and revenues; tax deductions; investments and assets; information on insurance, mortgages, and loans taken out; guarantees; banking information, subsidies and benefits; pension and retirement plans; credit history; financial payroll data; and credit card.
  • Information on goods and services transactions: compensation or indemnities; financial transactions; and goods and services received or supplied.

We will process your personal data that we have received directly from you (for example, through information request forms and/or product/service application forms). In addition, we will process your data that we have obtained from:

  1. Previous contractual relationships with you;
  2. Your interaction with our website(s)/app(s); or
  3. Data derived from information that you previously provided us with (e.g., obtained when creating profiles).

We will also process personal data from the following external sources, including: (i) the Store where the purchase is or will be made; (ii) our service providers (such as CRIF GmbH, SCHUFA Holding AG, Lexis Nexis Risk Solutions), (iii) public administration bodies, (iv) publicly accessible sources, (v) debt collection agencies, (vi) third-party companies to which you have given your consent to transfer your data to Openbank, or which otherwise legitimately transfer your data to Openbank including, among others: service providers (e.g., financial aggregator), qualified trust service provider (qualified electronic signature), or other Santander Group companies of which you are a customer.

4. How do we process personal data?

Depending on the type of relationship you have with Openbank, we will process your personal data for the following purposes and to the following extent, and based on the following legal bases:

4.1 Applying for the Service

4.1.1 Store

As our Service is meant to provide you with a financial solution so you can purchase goods or engage a service at a Store we collaborate with (“Store”), your application for a loan to purchase the selected goods will start on the respective Store’s platform/online store by initiating the check-out process as follows.

If you want to purchase a product in-store, you can use a staffed checkout or a self-service checkout to apply for the Service. If you choose a staffed checkout, the respective Store will help you with the process. A member of the Store’s staff will guide you through the application process hosted and provided by the service provider, Payever GmbH. The Store will first gather all the information that it considers relevant for the purchase. The Store will then gather the relevant personal data that is required to apply for the Service. Next, the Store, acting as our processor, will gather all the information needed for us to approve the Service (see below). A member of staff will then enter the relevant personal data (see below) that is required in the application process and, by doing so, will share with us the information needed to approve the Service.

Some stores will also offer you the option of self-checkout. You will then be asked to enter the required information in the above-mentioned application process, which will be shared directly with us.

The same applies if you choose to make the purchase via an online store. In this case, at the online check out, you will be asked to enter the information required in the application process, which will be sent to us.

During the application process, you will – in any case – be asked to provide, directly to us or via the account aggregation service provided by Tink AB (“Tink”), which will act as an independent controller, certain documents and information, e.g., regarding your financial situation.

Openbank will process your data to manage the application and provide you and the Store with a decision regarding the outcome of the application, as well as to carry out the corresponding pre-contractual steps necessary to provide the Service, including sending appropriate communications relating to your application.

Data processed: contact and identification data; information on your financial situation; employment information; economic, financial and insurance information.

In relation to this process, the aim of the following information is to help you understand the role of both parties:

  • Information that will be shared by the Store and Openbank – acting as separate controllers: name and surname, email address, phone number, address, and price of the goods purchased.
  • Information that will be shared by the Store (acting as a processor) with Openbank: nationality, marital status, date of birth, first name, profession, employer, employment information, income information, expenses, the documents provided during the process, and information provided by Tink. In some processes, the provider Payever will process this information on our behalf (acting as a processor).

Legal basis for the data processing: fulfilment of precontractual measures and establishment of a contractual relationship with you, i.e., for the proper processing of your application, as per Art. 6 (1)(b) GDPR. Regarding the communications, we have a legitimate interest in assisting you during the application procedure by sending the appropriate communications, pursuant to Art. 6 (1)(f) GDPR.

4.1.2 Healthcare Services

As our Service is meant to provide you, as our Customer, with a financial solution for Healthcare Services (e.g., medical treatment or surgery) you can apply for a loan regarding these Healthcare Services on a Broker platform or by using its written application form.

In the event the Broker provides you with a written application form, you will need to enter your data on it yourself and send it to the Broker, which will transfer your data to us via a secure interface. When you submit your application on the Broker’s platform, the Broker will transfer to us your personal data via the same secure interface (provided by our processor Payever GmbH – see Section 7). This data transfer is required to fulfil the loan agreement (Art. 6 (1)(b) GDPR). However, in the case of sensitive data, the Broker will gather your explicit consent for the transfer (Art. 6 (1)(a), Art. 9 (2)(a) GDPR). We have formalised a cooperation agreement with the Broker and act as separate controllers in this event.

We will process your personal data to manage the application, as well as to carry out the corresponding pre-contractual steps necessary to provide the loan, including sending appropriate communications relating to your application. After the application has been submitted by you, the Broker will act as our processor. As such, the Broker will have access to your personal data in order to process your application on our behalf (e.g., check you have provided the personal data required) and handle the relevant communications with you (e.g., in terms of questions regarding the provided data). As regards this processing, we have also entered into a data processing agreement with the Broker that meets the requirements under Art. 28 GDPR (see Section 7).

During the application process, you will – in any case – be asked to provide, directly to us or via the account aggregation service provided by Tink AB (“Tink”), which will act as an independent controller, certain documents and information, e.g., regarding your financial situation.

Data processed: contact and identification data; information on your personal characteristics (in particular physical characteristics), information on your financial situation; economic, financial and insurance information.

4.1.3 Automated decision making

To decide whether to approve or decline your loan application, we will carry out a fully automated fraud and creditworthiness check. The legal basis for the creditworthiness check is Art. 6 (1)(b) GDPR (see Section 4.2, 4.3 and 4.4). As part of the creditworthiness check, we (Openbank) are responsible under data protection law for assessing the risk associated with the loan under the agreement. For this purpose, CRIF (CRIF GmbH, Victor-Gollancz-Str. 5, 76137 Karlsruhe) and SCHUFA (SCHUFA HOLDING AG, Kormoranweg 5, 65201 Wiesbaden) are consulted and automated decisions made during the internal evaluation in order to fulfil the legal obligations as part of a credit check (§ 505a BGB, § 18a KWG). This includes information, such as your contact and identification data and the credit score (details can be found in the data protection declaration of Schufa (www.schufa.de/datenschutz) and CRIF (www.crif.de/datenschutz/)). We will compare these data to infer the risks (profiling), apply our internal risk policies and take into account internal information that we may already have about you, e.g., information about your past behaviour and your purchase and payment history. These data and the analytical characteristics of our risk models allow us to derive automatically a probability of whether or not the formalisation of the loan agreement carries a risk of fraud (for example, in the event of detecting signs of fraudulent behaviour, inconsistent behaviour, or attempted identity fraud) and whether you are capable of paying for the purchased goods or can afford the loan, which, therefore, allows us to approve or reject a decision about the loan under the agreement. We have implemented several controls to ensure that automated decision making is appropriate. These mechanisms include ongoing testing and review of decision models and detailed documentation of rejected applications and the rationale behind them.

You have the right to request an explanation of the decision taken, to exercise your right not to be subject to automated decisions – by obtaining the intervention of one of our analysts – and to express your point of view and challenge the decision based on profiling. To exercise your rights, you may use the contact channels specified in Section 11 of this document.

For more information see the following Sections 4.2, 4.3 and 4.4.

Further detailed information on the activities of SCHUFA can be found in SCHUFA’s information in accordance with Art. 14 of the GDPR and online at www.schufa.de/datenschutz. More detailed information on the activities of CRIF GmbH can be found online at www.crif.de/datenschutz/.

4.2 Transfer of data to credit agencies

We will transfer your personal data to the credit agencies SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany (“SCHUFA”) and CRIF GmbH, Victor-Gollancz-Str. 5, 76137 Karlsruhe, Germany (“CRIF”) in the following situations:

a) Credit Checks

Purpose of the data processing: (i) to obtain a credit report (“Bonitätsauskunft”) on you in the form of a payment probability score, (ii) to validate the address details provided by you and (iii) for fraud prevention purposes. As part of this check, the details of your address will also be used to obtain information about known cases of fraud or attempted fraud by people with the same address (see Section b).

Data processed: identifying data, in particular your first name, surname(s), address or addresses, date of birth, IBAN, telephone number and email address.

Legal basis for the data processing: our legitimate interest to reduce the risk of debt defaults, pursuant to Article 6 (1)(f) of the GDPR.

b) Reporting of non-payments to credit bureaus:

In addition, we will transfer your personal data occasionally during the contractual relationship to SCHUFA and CRIF as follows:

- SCHUFA: Openbank will transfer personal data – collected within the scope of this contractual relationship – regarding the application, development and termination of this business relationship, as well as information regarding any behaviour in breach of the contract or fraudulent conduct, to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. The permissibility of this data transfer is provided for in Article 6 Paragraph 1(b) and Article 6 Paragraph 1(f) of the General Data Protection Regulation (GDPR). Data may only be transferred on the basis of Article 6 Paragraph 1(f) of the GDPR if this is necessary to defend the legitimate interests of the bank/savings bank or third parties and does not outweigh the interests or fundamental rights and freedoms of the affected party requiring the protection of personal data. Data is also exchanged with SCHUFA to fulfil legal obligations concerning the performance of customer credit rating checks (Section 505(a) of the German Civil Code; Section 18(a) of the German Banking Act). In this regard, the customer also releases Openbank from banking secrecy. SCHUFA shall process the data it receives and also use them for profiling (scoring) purposes, in order to provide its contractual partners in the European Economic Area, Switzerland and any other third country (provided the European Commission has declared such country as appropriate) with information used for credit rating checks on natural persons and other purposes. More detailed information on SCHUFA’s activities can be found on the SCHUFA-Information in accordance with Art. 14 of the GDPR, and online at www.schufa.de/datenschutz.

- CRIF: within the framework of this contractual relationship, we transfer information regarding defaults to CRIF GmbH, Victor-Gollancz-Str. 5, 76137 Karlsruhe, Germany. The legal basis for this transfer is Article 6(1) sentence 1(b) and (f) of the General Data Protection Regulation (GDPR). The data exchange with CRIF GmbH also serves to fulfil legal obligations to carry out creditworthiness checks (sections 505a and 506 of the German Civil Code). CRIF GmbH processes the data received and also uses it for the purpose of profiling (scoring) in order to provide its contractual partners in the European Economic Area and Switzerland and, if applicable, other third countries with information, among other things, to assess the creditworthiness of natural persons. The transfer of personal data to third countries takes place in accordance with Art. 44 ff. GDPR. Further information on the activities of CRIF GmbH can be found in its information sheet or online at www.crif.de/datenschutz.

We advise you that payment experience data, in particular regarding undisputed claims not paid when due, as well as address data, are transmitted to CRIF GmbH, Diefenbachgasse 35, 1150 Vienna, for lawful processing within the bounds of its business licenses under §§ 151 (address publishing), 152 (credit agencies) and 153 (automated data processing services and electronic data processing technology) under the 1994 Trade, Commerce and Industry Regulation Act. CRIF is furthermore used for identity and credit checks. Further information can be found at www.crif.at.

For the explained purpose, we will report any payment default on your part during the contractual relationship with Openbank, to the credit agencies SCHUFA and CRIF.

Data processed: identifying information and information relating to defaults or debts you have acquired.

Legal basis for the processing activity: our legitimate interest in preventing and adequately controlling non-payment situations that are detrimental to us, as well as the legitimate interest of third-party financial institutions to be informed of any non-payment when processing new financing applications pursuant to Art. 6 (1)(f) GDPR.

4.3. Assessing financial solvency and creditworthiness (automated decision making)

When applying for the Service, we will assess your creditworthiness. This is done by means of automated decision making. We will compare, process and profile your application data based on our behaviour and risk models to predict the risk of default. This will involve profiling and include an automated analysis of the information you provided to us during the application, the information retrieved from the metadata from the application process, and your financial creditworthiness by consulting credit databases, such as SCHUFA and CRIF, to identify any known cases of debt and non-payments (see more detail in Section 4.2.).

If you are already an Openbank Customer, we will also automatically analyse your already existing data, such as account balance, securities purchased, plans, funds, mortgages, cards, deposits (deposits/repayments), loans (amount and number), direct debits, spending with merchants and card transactions (physical/online), payroll and pensions, cash (inflows and outflows), card use, age and cases of payment default with Openbank. We will also verify whether you have any debt and/or non-payments with other institutions as reported by SCHUFA and CRIF.

Moreover, we will consider the information gathered from Tink. If certain criteria (such as amount of the loan) are met, you will need to register with the account information service provider, Tink. Tink aggregates financial movements from the accounts you add and provides us with the transaction details including date, amount, destination, and balance information.

Tink will process your data based on your consent pursuant to Art. 6 (1)(a) GDPR as controller and transfer it to Openbank under our cooperation agreement with Tink. For more information, please see Tink’s privacy policies available at: https://tink.com/legal/notices/.

The data obtained through Tink (data of each transaction, such as amount, item, date, associated account, and the ownership data of valid aggregated accounts) will be categorised to help us determine your credit eligibility.

You also have the option of uploading the relevant documents (e.g., salary statements and bank statements).

By combining all sources of the information described above and using our behaviour and risk models, we can infer your potential payment behaviour to ensure you can meet the cost resulting from the amount and term requested, while leaving enough to cover your basic needs. We will use this method, therefore, to determine your risk of default regarding the Service. Please note that as a result of this automated decision making, i.e., profiling, we may either approve or decline your application. If your request is denied, you will be duly informed, if the decision is based on information provided by a credit bureau.

You may request information on the result of such automated decision making in order to receive an explanation of the decision taken. Openbank has taken proper measures to safeguard your rights and freedoms. For instance, you can express your point of view on the matter, object to the result, and request human intervention in the form of a manual review of the decision made. For this purpose, you may submit any additional documentation that you deem necessary.

Please note that the process of providing the Service involves long-term management and monitoring. Therefore, we may also need to analyse your financial situation and borrowing capacity on an ongoing basis.

Legal basis for the processing activity: the assessment of your financial solvency, as explained, is necessary for the establishment of an agreement with you. The legal basis is Art. 6 (1)(b) GDPR.

4.4 Fraud Prevention

We are required by law to take measures to prevent fraud and are committed to protect our customers from potentially fraudulent activities, such as identity theft or password theft. We will therefore check that your application for the Service is not subject to any fraudulent activities.

For this purpose, during the application process we may check whether there are any indications of fraudulent activities in the application by using specialised third-party fraud-prevention tools. By way of an automated decision-making process, we evaluate the data and information provided during your application in order to detect and prevent possible fraudulent activities. We will also perform different checks, such as verifying your identity and detecting possible inconsistencies in the information provided, before you enter into a contract with us.

This processing activity allows us to identify any potentially fraudulent activities such as unauthorised access to customers’ personal information, possible identity theft or any situation that could be interpreted, in order to protect our customers’ interests.

Please note that your personal data will be subject to an automated decision-making process. Depending on the result of the fraud analysis carried out, we will determine whether there is a risk of fraud and, therefore, whether or not we can (preliminarily) approve your application to use the Service. We will issue a risk of fraud where our analysis comes to the conclusion that:

  1. the behaviour indicates possible fraudulent conduct;
  2. your behaviour presents anomalies compared with previous use of our Services, or;
  3. you have attempted to conceal your true identity.

If an attempted fraud or suspicious activity is detected (e.g., repetitive operations, use of a device other than usual, or unusual behaviour compared to your previously established transaction profile), and except where public interest is involved, we may make an automated decision of which we will inform you accordingly, review the available information and request additional information, if necessary. Likewise, as a precautionary measure, and until we have performed the appropriate checks, any transaction will be put on hold.

If your application has to be declined, you will not be able to use the Service.

We have a number of control mechanisms in place to ensure that our automated decisions are appropriate. These mechanisms include ongoing tests and reviews of our decision models and detailed documentation of rejected applications and the reasoning behind them. If you are concerned about the appropriateness of the result, you can contact us, and one of our analysts will review whether the process was performed appropriately. You can also object in accordance with the following instructions:

You have the right to object to any automated decision that has legal consequences or decisions that can otherwise significantly affect you. You can do so by sending an email to datenschutz.de@zinia.com. Upon receipt of your request, we will proceed to review the decision made, considering any additional information and circumstances that you may provide.

Data processed: all processing activities, including automated decisions, are based on both (i) information and data you have provided us with directly, e.g., data related to your location, patterns of conduct, (ii) data from fraud prevention tools and service providers that we use and collaborate with, and (iii), if applicable, Openbank’s own internal information to detect and prevent potential fraud attempts.

Legal basis for the processing activity: our legitimate interest in carrying out fraud prevention measures; the legal basis is Art. 6 (1)(f) GDPR.

Sharing of personal data with third parties: to carry out this processing activity, we will share your personal data to the necessary extent with third-party service providers that help us to detect and prevent possible fraud attempts as described.

Data shared: the information we share with these third parties includes some of the application data you provide to us, such as your email address, as well as information related to your browsing, such as the IP address of your device.

We make use of the following service providers that help us detect and prevent fraudulent transactions:

a) Emailage

We use the service “Emailage” provided by LexisNexis Risk Solutions (Europe) Limited.

Data shared: your first name and surname, email address and IP address will be transmitted to LexisNexis Risk Solutions. We will process your email address and IP address through the service provided by LexisNexis Risk Solutions to generate a fraud risk score. For this purpose, Emailage compares and evaluates the data points provided with associated metadata (email data, IP geolocation data) and previous customer queries and fraud indicators (address reputation, behaviour and metadata) that have been added to the global fraud network of Emailage. Using the fraud risk score is a helpful tool for us to identify fraudulent behaviour and prevent fraud.

In this respect, Emailage acts as a data controller within the meaning of Art. 4 (7) GDPR and will use it for the purposes set out in its privacy policy. You can exercise your data protection rights with Emailage at DPO@lexisnexisrisk.com.

Legal basis for the processing activity: legitimate interest in preventing fraud both with new customers and with existing customers and avoiding harm to our customers, pursuant to Art. 6 (1)(f) GDPR.

b) ThreatMetrix

We use the service “ThreatMetrix” provided by LexisNexis Risk Solutions (Europe) Limited. LexisNexis Risk Solutions acts as our processor.

ThreatMetrix supports us in our fraud prevention processes. For this purpose, we share personal data with ThreatMetrix, where it is stored in pseudonymised form. This is used to detect device-related attacks. ThreatMetrix will create a pseudonymous device ID that will be used by ThreatMetrix to determine unique characteristics for that device based on the behaviours and data described below, known as device fingerprinting. ThreatMetrix will process the following personal data:

Device fingerprinting data: IP address, location data, web pages visited, and the beginning, end and length of web pages visited and other device information (language and country settings, screen information, colour depth, and information about installed browsers, plug-ins, software, and versions).

Transaction data: salutation, first name, family name and maiden name, date of birth, email address, telephone number and address (street, house number, postcode) and amount of the funding request.

The aforementioned data are stored and processed for the purposes of preventing misuse and fraud as described above.

Legal basis for the processing activity: legitimate interest in preventing fraud pursuant to Art. 6 (1)(f) GDPR.

c) CRIF

We will also share your data with CRIF for the purpose of fraud prevention. To this end, we will transmit your first name, last name, date of birth, email address, telephone number and postal address (including street, house number, postcode, city) and IBAN to CRIF. CRIF will compare these data with those in their databases in order to prevent the risk of impersonation or to check if the data have been previously used in a fraud case.

Data processed: Identifying information; information on your personal characteristics; information on goods and services transactions; employment information; and internet browsing data and details about the device used.

Legal basis for the processing activity: legitimate interest to prevent and avoid fraud and to adequately protect our legitimate customers against fraud, pursuant to Art. 6 (1)(f) GDPR.

4.5. Customer Identification

As a bank, we are legally required to verify the identity of our customers for certain transactions and services, such as applying for the Service.

To reliably verify your identity using a valid ID document, we will store and analyse your identification document (including your image) for the purpose of verifying your identity when necessary to perform the contract with you as a customer and to meet the requirements of the competent authorities and/or comply with our legal obligations.

Data processed: identification information and information on your personal characteristics.

Legal basis for the processing activity: our legal obligation to identify our customers under the Spanish Anti Money Laundering Regulation (Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing and Royal Decree 304/2014 of 5 May, on the adoption of Regulation of Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing), pursuant to Art. 6 (1)(c) GDPR.

We offer the following solutions for customer identification: video identification, Account ID or physical identification in the Store.

Based on the identification method you choose, the personal data undergoing processing may vary as follows:

a) Physical identification in the Store

If you choose the physical identification method in the Store, an employee of the respective Store will carry out the verification. For this purpose, the store employee will process the aforementioned data. The legal basis in this case is Art. 6 (1)(c) GDPR. The Store will be acting as our processor within the meaning of Art. 4(8) GDPR.

b) Video identification

You can also use the video identification to carry out the identification process. The video identification process is carried out on our behalf by WebID Solutions GmbH (“WebID”) as our processor. During a video call, an agent of WebID will verify your identity.

Data processed: first name, surname, place of birth, date of birth, nationality, full address, gender, mobile phone number, email address, photo/screenshot of the person and the front and back of the ID (biometrical data), document ID data (such as date and place of issue, issuing authority, etc.), the transaction number (TAN) transmitted to you.

Please note that there will be a video and audio recording of the video call.

Legal basis for the processing activity: your consent pursuant to Art. 6 (1)(a) GDPR.

c) Account ID

If you choose to carry out the identification process via Account ID, you can identify yourself by logging in to your online bank. The Account ID process is carried out on our behalf by WebID as our processor.

Identification via Account ID is a biometric identification and involves the matching of your portrait photo (a selfie you will be asked to take) and the picture on your ID card. In the event of a match, you will be asked to access your online account and initiate a reference transfer.

Data processed: first name, surname, place of birth, date of birth, nationality, full address, gender, mobile phone number, email address, photo/screenshot of the person and the front and back of the ID, document ID data (such as date and place of issue, issuing authority, etc.).

Legal basis for the processing activity: your consent pursuant to Art. 6 (1)(a) GDPR.

4.6. Electronic signature

To electronically sign the contract for the Service using a qualified electronic signature (hereinafter “QES”) we use the services of WebID. Via WebID, you can sign the contract regarding the Service with us electronically via a QES.

Data processed: first name and surname, sex, date of birth, address (street, street number, postcode, city), email address, nationality, information on the ID document used for the identification (date of issue and date of the last day of validity of the ID document used for identification, type of ID document, ID number, authority that issued the relevant identity document, country that issued the identity document in question), telephone number, email and mobile phone number, and the content of the agreement that will be signed (loan details and IBAN).

To be able to provide the service, WebID will share your data further with service providers, as explained during the process. Please see WebID’s privacy policy for more information: [Link]

Legal basis for the processing activity: fulfilment of precontractual measures and establishment of a contractual relationship with you, as per Art. 6 (1)(b) GDPR.

4.7. Management of the contractual relationship and exchange of information with the Store

We will process your data to manage our relationship with you and to provide you with the Service as well as any assistance you may need related to it. In this regard, we may process your data particularly in: (i) fulfilling the applicable contractual obligations; (ii) processing your instructions; (iii) processing the payment of loans (full or partial repayments); and (iv), where applicable, terminating the relationship.

If you want to pay the instalments by direct debit, you will be asked to enter your IBAN manually, which will be validated during the Know your Customer (KYC) process, as described above. The rest of the instalments will be debited from this account.

As the Service is connected with your purchase from a certain Store, we will exchange information with the Store regarding our Service and any claims under it. For example, if the Store accepts a return of the product, which is financed by the Service, the Store will notify us, as the purchase and the Service are closely related. This will allow us to cancel the Service accordingly.

Data processed: identity data; employment data; economic, financial and insurance data; data relating to your personal characteristics.

Legal basis for the processing activity: (i) execution and performance of our contractual obligations, pursuant to Art. 6 (1)(b) GDPR; and (ii) to comply with our legal obligations, pursuant to Art. 6 (1)(c) GDPR.

4.8. Debt collection

We will process your personal data for the purpose of collecting outstanding debt. The processing is necessary to resolve the defaults that may occur, to avoid any inconvenience, and to prevent the accrual of interest and additional expenses. We may contact you through various contact channels (including post, phone, SMS, instant messaging applications, email, web push, pop-up or any other electronic or telematic means available at all times). We will use the service provided by Concentrix GmbH, acting as processor.

Data processed: identification data; economic, financial and insurance data to the extent necessary.

Legal basis for the processing activity: performance of the contractual relationship with you; the legal basis is Art. 6 (1)(b) GDPR.

4.9. Reporting to public authorities and other Santander Group companies

Under the contractual relationship, we will share your personal data with public authorities, official bodies or banking monitoring and supervisory institutions, as well as with competent tax authorities, to the extent necessary, provided that we are legally required to do so by the applicable laws for the banking and financial sector, e.g., the Spanish Anti-Money Laundering Regulation (Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing and Royal Decree 304/2014 of 5 May, on the adoption of Regulation of Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing) and any regulation combating the financing of terrorism and legislation on consumer protection (see below). As an example, Spanish law requires reporting credit risk information to the Central Credit Register of the Bank of Spain (CIRBE), a public database used by financial institutions to assess customers’ credit exposure.

We will also report certain customer data to other companies of Santander Group for the prevention of (financial) crime, and to: (i) comply with the internal regulations of the Santander Group developed to comply with our legal obligations in the area of financial crime prevention; (ii) to allow the companies of the Santander Group to comply with their legal obligations arising from anti-money laundering and anti-terrorism-financing regulations; and (iii) to allow the companies belonging to the Santander Group to comply with their regulatory reporting obligations to the supervisory authorities.

Data processed: identifying information; tax residence and information related to the contractual relationship; information on your personal characteristics; employment data; economic, financial and insurance information; and information on goods and services transactions.

Legal basis for the processing activity: (i) our legal obligations (as described above) pursuant to Art. 6 (1)(c) GDPR, including sector-specific reporting duties, such as the Spanish Law 44/2022 on the Reform of the Financial System, which governs mandatory reporting to the Central Credit Register of the Bank of Spain; (ii) for the sharing of information with other companies of the Santander Group, our legitimate interest to combat financial crime, Art. 6 (1)(f) GDPR.

4.10. Responding to and managing your requests for information about Openbank products and/or services

You can contact us via our contact centre, website and/or app to request information about our other products or services, or to perform simulations for taking out one of our (other) products.

Data processed: we will process the data you provide for the purpose of handling your request, as well as providing you with the requested information and contacting you by any means, including electronic means.

Legal basis for the processing activity: application of pre-contractual measures at your request, pursuant to Art. 6 (1)(b) GDPR or our legitimate interest to properly respond to your request pursuant to Art. 6 (1)(f) GDPR.

4.11. Anti-money laundering and anti-terrorism-financing

We are legally required to process your personal data to comply with requirements resulting from the applicable anti-money laundering laws, such as the Spanish Anti-Money Laundering Regulation (Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing and Royal Decree 304/2014 of 5 May, on the adoption of Regulation of Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing), including regulations on anti-terrorism-financing. In this context, your data will be processed including, but not limited to, the following activities:

  1. Reporting information to third parties: as explained in the previous section.
  2. PEP list monitoring and other external databases: monitoring politically exposed persons (PEPs) and other relevant databases.
  3. Verifying your identity: as explained in Section 4.5 and requesting further information and updated data. Openbank will verify that the information is correct and update it accordingly if only minor changes are applied.
  4. Continuing to monitor customer relationships: this includes transaction tracking; verification of the origin of funds; reviewing documents and information available on the institution’s customers and requesting the update of documents deemed necessary, etc.

If the Customer does not provide the updated documents within a reasonable period of time, the data will be processed to block the use of the customer’s products/services (this blocking may concern both the products/services taken out/engaged and the possibility of concluding new products/services with Openbank) and/or to terminate the business relationship with the Customer.

In accordance with the regulations on the prevention of money laundering and terrorist financing, we will analyse any behaviour that is unusual or does not pursue a legitimate economic purpose, or any behaviour or information available to us that indicates a possible criminal offence.

Data processed: we will process the following data in this context: identifying information; employment information; economic, financial and insurance information; and information on goods and services transactions.

Legal basis for the processing activity: comply with the applicable regulations on anti-money laundering and anti-terrorism financing, pursuant to Art. 6 (1)(c) GDPR; and our legitimate interest of combating financial crime in the Santander Group (Art. 6 (1)(f) GDPR).

4.12. Design and training of risk and behaviour models

We are keen to understand the needs of our customers for financial and banking products and services, the creditworthiness and consumption habits of our active customers. For this reason, we will anonymise your personal data to use it in the design and training of algorithms that help us to develop various behavioural and risk models (hereinafter, the “models”). We will never use your personal data to train the models.

We may use the models to profile our Customers for various purposes, such as in the context of targeted marketing communications, risk and creditworthiness assessments; approval of applications for our products; fraud prevention and for the prevention of money laundering and terrorist financing, as described in the corresponding section of the Policy.

We would also like to inform you that we have a control model that ensures the quality of the information of the algorithms used for the design of our behaviour and risk models.

Data processed: economic, financial and insurance information; information on goods and services transactions, information on financial solvency. We will anonymise the information from both internal and external sources, such as: (i) information you have provided during the contractual relationship with us; (ii) internal information regarding your behaviours during operations undertaken with us (for example, time and place of the execution of a particular type of transaction); (iii) information obtained from the mentioned creditworthiness databases.

Legal basis for the processing activity: our legitimate interest in designing, creating and offering innovative and efficient financial products and services to our customers based on different models created by our algorithms, as well as to analyse and assess the level of risk and creditworthiness of our customers, to detect and prevent possible fraud attempts, and to prevent money laundering and terrorist financing, pursuant to Art. 6 (1)(f) GDPR.

4.13. Tracking of our messages with you for analytical purposes

To improve our products and services, we monitor how you interact with the messages we send you. For example, if you receive an email from Openbank, we can determine whether you have opened it and view further information associated with the email. We process this data for analytical purposes to (i) determine your interest in our messages, (ii) improve the quality of the messages, and (iii) to understand how we can enhance the customer experience.

Data processed: identifying information and metadata linked to the message sent, such as the time the email is opened.

Legal basis for the processing activity: your consent pursuant to Art. 6 (1)(a) GDPR.

4.14. Recording of your voice and/or image and electronic conversations held with you

Based on your consent, we may record your voice and/or image, and electronic conversations during telephone calls relating to your contractual relationship with Openbank. You will be informed in advance and explicitly about such recordings. We process the telephone and/or electronic conversation data for the following purposes: (i) to conduct an internal audit of the quality of the service; and (ii) to use the recording as evidence of the instructions you provided and/or the service provided, both in and out of court, to the extent necessary.

Data processed: identifying information; economic, financial and insurance information; as well as data and information necessary to audit the quality of our services.

Legal basis for the processing activity: your prior consent pursuant to Art. 6 (1)(a) GDPR.

4.15. Sending notifications

We will process your data to send you notifications through email, web push, SMS, the Zinia website and/or app or Openbank’s website and/or app or any other available channel for the following purposes:

(i) to inform you about certain circumstances relating to the Service; and (ii) to send you alerts and notifications for the prevention of financial fraud, security alerts and/or status or expense control.

You can manage and customise some of these notifications as you wish by adjusting the “Notifications” settings in the main menu of the app or in your customer area on our website.

Data processed: contact and identification data; information on your financial situation; economic, financial and insurance information; information on goods and services transactions.

Legal basis for the processing activity: proper performance of the contract, pursuant to Art. 6 (1)(b) GDPR, where applicable, and, in the remaining cases, our legitimate interest in sending you notifications, the purpose of which is the prevention of financial fraud or information on the status of your products and services and expense control, as well as security alerts pursuant to Art. 6 (1)(f) GDPR.

4.16. Surveys and market studies

Openbank will process your personal data to conduct customer satisfaction surveys via email, SMS, telephone or other communication channels, including market studies or internal statistics. We will create commercial reports to better understand the consumption habits and preferences of our customers. This helps us design new products that might be of interest to our customers. Whenever possible, we will anonymise your personal data for these surveys and market research.

For example, we will use the Net Promoter Score (NPS) methodology, in order to identify whether our customers recommend Openbank products. To do so, your personal data can be transferred to the third party conducting the survey.

Data processed: identifying information; economic, financial and insurance information; and browsing data.

Legal basis for the processing activity: your prior informed consent pursuant to Art. 6 (1)(a) GDPR.

4.17. Answering legal complaints, requirements from competent bodies and protecting legal rights on behalf of Openbank

We will process personal data that is necessary to: (i) assist you or persons legitimately authorised to exercise your rights; (ii) process and respond to requests from authorities (both judicial and extrajudicial), such as requests for information in the course of judicial investigations; (iii) make or defend against claims, judicial or extrajudicial, whether initiated by Openbank or by you.

Data processed: identity data; economic, financial and insurance data; and data required to resolve the complaint lodged or to respond to the requirements of the competent authority.

Legal basis for the processing activity: (i) legal obligation pursuant to Art. 6 (1)(c) GDPR; or (ii) our legitimate interest pursuant to Art. 6 (1)(f) GDPR in responding to legal, administrative, or judicial claims, addressing them and taking legal action, as well as to defend ourselves against any claims made against us.

4.18. Addressing your requests for information on social media

When you use our social media channels, such as Facebook, X (Twitter) or Instagram, to request information or make an enquiry, we will process your personal data using specialised tools, for the following purposes: (i) to streamline and optimise the answers to your questions asked through social media; and (ii) to analyse your interactions (comments or contributions) with us through social media channels in order to determine the potential for improvement with regard to our company and our products and services.

Please note that when you use our social media channels, your personal data will also be processed according to the provisions of the privacy policy of the corresponding social media network.

Data processed: your identifying information.

Legal basis for the processing activity: our legitimate interest pursuant to Art. 6 (1)(f) GDPR in being duly able, in the quickest and most attainable way, to address enquiries from our customers submitted to us through social media, as well as offering an efficient and simple operation and products that meet the expectations and needs of our customers.

4.19. Audits and verification of compliance

We will process your data related to the performance of the internally implemented compliance verification controls, as well as in the context of different audits.

Data processed: all the categories of personal data to which we have access.

Legal basis for the processing activity: (i) legal obligations pursuant to Art. 6 (1)(c) GDPR; or (ii) our legitimate interest in verifying the adequacy of our processes, to comply with legal obligations and internal quality standards for the identification, control and mitigation of legal or operational risks, pursuant to Art. 6 (1)(f) GDPR. Please note that this information may be accessed by third parties providing the audit service for these purposes.

4.20. Sending marketing communications

We will process your personal data for marketing purposes, such as sending you marketing communications, to the extent described below:

- By marketing communications, we mean the following:

Marketing communications include all forms of communication that serve to directly or indirectly promote the sale of goods and services, and the image of Openbank, including customer satisfaction and market surveys.

- Type of marketing communications that you will receive:

We will process your personal data to send you marketing communications about:

a) Openbank products and services, including Openbank accounts, cards, loans, savings and investment products.

b) Products and services of the other Santander Group companies that may be of interest to you. You can see a list of these companies here.

c) Offers from our collaboration partners about their products and services. This includes:

i) If you have an Openbank product, such as an account, card or loan, etc., you may receive offers and discounts on the products and services of our partners through Open Discounts. You can see a list of the current partners by clicking here. This list is updated on a regular basis.

ii) If you have selected a Zinia payment method and accepted the Zinia Terms and Conditions, you may receive offers and discounts on third-party products and services where that payment method is available. You can see a list of these third parties here. This list is updated on a regular basis.

iii) If you are an Openbank customer or have selected a Zinia payment method and accepted the Zinia Terms and Conditions, you may also receive offers from third parties that Openbank collaborates with in order to offer you products or services that may be of interest to you, such as insurance. Furthermore, if you have taken out or engaged a service or product offered by Openbank in collaboration with a third party, you may also be sent offers of those third parties, which will be mentioned when the corresponding product or service is taken out or engaged.

Your data will not be shared with these third parties, and all marketing communications will be sent by Openbank in accordance with your marketing consent.

In addition, Openbank will process your personal data to monitor and understand how you interact with our advertising, such as open rates and click rates, etc., and how successful they are (e.g., if the product is eventually taken out). As a result, our marketing strategies will be optimised based on this behaviour, both in a collective and, in some cases, a personalised manner.

- Means and channels through which you will receive marketing communications:

We send marketing communications through the following channels:

- Post (letter)

- Phone (calls and/or SMS)

- App (push messages and banners, etc.)

- Email

- Other electronic means

- Personalisation of the marketing communications:

We will personalise advertising and marketing communications by means of profiling. For this purpose, we will use data from internal and external sources (e.g., fraud prevention databases and credit agencies, such as SCHUFA) to analyse your economic and personal characteristics, interests, and behaviour and risk patterns. The profiling model we use for this helps us to understand which offers, discounts, products and services are of interest to you.

Profiling might affect the discounts, products or services you are offered.

- Data processed by Openbank for sending commercial and marketing communications:

We process the following categories of personal data:

- Master data (name and contact details);

- Information on personal characteristics, interests and preferences: date of birth, age, place of residence and, for tax purposes, family information, gender and nationality;

- Economic, financial and insurance information, such as your financial circumstances, credit standing and payment behaviour; income, investments and assets, banking information, subsidies and benefits, payroll financial data;

- Information about how you interact with our advertising and marketing, such as opening an email and your click behaviour.

In general, we collect this personal data directly from you. However, we also receive information about you from the following external sources:

- Third-party companies to which you have given your consent to transfer your data to Openbank or which otherwise legally transfer your data to Openbank.

- Credit agencies, such as SCHUFA Holding AG and CRIF GmbH.

The legal basis for sending you marketing communications is the following: your consent pursuant to Art. 6 (1)(a) GDPR.

4.21. Sending information on products and services that are of interest to you through social media

When visiting and interacting with our social media account, we will process your personal data for the following purposes:

To show you targeted advertisements relating to our products or services that are similar to those you have used and that may be of interest to you. To do this, we will use tools provided by social media companies such as Facebook Custom Audiences. Please see the privacy notice of the social media network that will provide you with more information about how your data is processed using these tools. With regard to this processing, we will be considered joint data controllers together with the social media platform or separate controllers, as the case may be.

By using these tools, we segment users into audiences based on their interests. If you are a social media user and fall within the audience we target, you may see advertisements from Openbank. Please note that in these cases, Openbank only performs audience segmentation and does not have access to the end users who receive the advertisements.

Data processed: Identifying information and economic, financial and insurance information.

Legal basis for this processing activity: your prior and informed consent pursuant to Art. 6 (1)(a) GDPR.

4.22. Draws and promotions

Whether you are an Openbank customer or not, if you participate in any of our prize draws or promotions, we will process your data to manage your participation. This includes: confirming that you meet the requirements to participate in the draw/promotion and, where applicable, to communicate with you and send you the prize if you win.

If you win one of our prizes, draws or promotions, we will also process your data to the extent necessary to meet our legal obligations, such as making a tax deduction on the prize. In such cases, we will transmit your data to the competent tax authority to the extent necessary.

Data processed: identification information and economic, financial and insurance information.

Legal basis for this processing activity: (i) the performance of our contractual obligations that we entered into with you pursuant to Art. 6 (1)(b) GDPR; and (ii) the fulfilment of our legal tax obligations, pursuant to Art. 6 (1)(c) GDPR.

4.23. Reviews and ratings of our products and services

Whether you are an Openbank customer or not, we will process your data when you leave a review or rating of our products and services on public websites or through the designated platforms. If you identify yourself or provide us with your personal data, we will use this information to respond to you and consider your feedback for future improvements.

Data processed: identification data and the data you provide through the review or rating.

Legal basis for this processing activity: our legitimate interest pursuant to Art. 6 (1)(f) GDPR in responding to the assessments and using them to implement the relevant changes.

To carry out this processing we will share your personal data to the necessary extent with third-party service providers that help us channel and answer your reviews and ratings on our products and services.

We make use of the following service providers that help us to manage the reviews and ratings.

a) Sprinklr

We use the services provided by Sprinklr, Inc. (“Sprinklr”), with Sprinklr acting as our processor.

Sprinklr helps us channel and respond to our reviews and ratings on social media, public websites and platforms. We will process identification data and all the data that you provide in the review or evaluation through the service provided by Sprinklr.

The aforementioned data are stored and processed for the purposes described above. The processing is based on our legitimate interest pursuant to Art. 6 (1)(f) GDPR in responding to the reviews and making use of them to apply the relevant changes.

4.24. Designing, training and using artificial intelligence models

We may use certain personal data to design and train artificial intelligence (AI) models and to run them with the goal of creating or enhancing solutions that streamline our internal processes and improve the services we offer to our customers.

During the design and training phase of such models, we will anonymise or pseudonymise your personal data to the extent possible, in which case the processing will not produce any legal effects or similarly significant impact on customers.

Once a final model has been developed and we decide to implement it, we are more likely to use personal data, which may include the processing of special categories of personal data. If the process has an impact on our customers, we will provide appropriate and transparent information in accordance with the applicable data protection regulations. Openbank has implemented robust control mechanisms to ensure the quality, relevance, and integrity of the data used in the algorithms underpinning these models.

The legal basis used in each case will be duly communicated to the interested parties and may be the following:

- Our legitimate interest in designing, creating and running the models in order to offer innovative and efficient financial products and services to our customers pursuant to Art. 6 (1)(f) GDPR. Openbank applies the corresponding criteria of proportionality and necessity when the processing has a greater impact on the privacy of data subjects.

- Our legitimate interest in applying anonymisation or pseudonymisation techniques for the creation, training and running of models, where possible, in order to reduce the impact on the privacy of data subjects, in accordance with Art. 6 (1)(f) GDPR.

- The performance of our contractual obligations that we entered into with you when strictly necessary to perform the contract under Art. 6 (1)(b) GDPR.

- Your consent when processing special categories of personal data to run the model in accordance with Art. 9 (2)(a) GDPR.

- We may also request your consent to process your personal data when necessary due to the impact that the model may have on your privacy pursuant to Art. 6 (1)(a) GDPR.

The categories of personal data processed for this purpose include identity-related data (e.g., name, ID number, contact information); economic, financial and insurance information; information on goods and services transactions; information on financial solvency; metadata, such as data from your device when you connect; and any other information that will be duly reported in each case. In addition, special categories of personal data may be processed.

5. Use of cookies

Openbank uses cookies and similar technologies to, among other things, remember who you are when you log in to your customer area, or to personalise content based on your browsing habits to ensure that it is of interest to you.

When you enter Openbank’s website and/or app, we will inform you about the cookies or similar technologies that we use. You can configure the scope of the analysis, advertising and personalisation, as well as product development and improvement cookies (and similar technologies) you want to consent to in the relevant cookie management platform.

You can also set your browser to block the use of cookies for certain cases or in general. You can delete cookies that have already been set via your browser. Please note that if you delete or do not accept certain cookies, the functionality of our Website may be limited.

For further details on the cookies we use and to activate or deactivate certain cookies, please read the following policies:

6. How long will Openbank store your data

We process your personal data for as long as necessary for the purpose for which it is processed and for the fulfilment of our contractual and legal obligations and execution of our rights. At the end of this period, we will destroy or anonymise your personal data.

We are subject to several storage and documentation obligations, which result, among other things, from the German Commercial Code (Handelsgesetzbuch, HGB), Spanish General Tax and other specific tax laws, the Banking Act (Gesetz über das Kreditwesen, KWG), the Spanish Anti-Money Laundering Regulation (Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing and Royal Decree 304/2014 of 5 May, on the adoption of Regulation of Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing) and the Securities Trading Act (Wertpapierhandelsgesetz, WpHG). The time limits for storage and documentation set out in this document are two to ten years. Finally, the storage period is also assessed according to the statutory limitation periods; for example, according to §§ 195 ff. of the Civil Code (Bürgerliches Gesetzbuch, BGB), the regular limitation period is three years.

7. Who will your personal data be shared with?

We may share your personal data with third parties when processing your data to the extent described above:

  • Store: in connection with the application for and use of the Service we will exchange your personal data with the respective Store to the extent necessary as described in this Privacy Policy. This includes both the transfer to us of your personal data by the Store where this is necessary for the provision of our Service, and the transfer of personal data by us to the Store, especially to confirm that the Service has been approved so that it can provide you with the goods purchased. The exchange of data is limited to what is necessary for the Service. The Store acts both as our processor (in connection with the collection of some application data) and as controller.
  • Credit agencies: SCHUFA and CRIF (as described under Section 4.2).
  • Debt collection agencies (as described under Section 4.8).
  • Fraud Prevention Service Providers: Lexis Nexis Risk Solutions and CRIF (as described under Section 4.4).
  • Other Companies in the Santander Group (as described in Section 4.9).
  • CIRBE (Central Credit Register of the Bank of Spain) (as described in Section 4.9).
  • Competent authorities (as described under Section 4.9).
  • Identification service providers: WebID Solutions GmbH.
  • Qualified Trust Service Providers (as described under Section 4.6).
  • Openbank works with third-party service providers, which will process data on our behalf as processors, within the meaning of Art. 4 (8) GDPR, such as Payever GmbH, Rödingsmarkt 20, 20459 Hamburg. We have entered into data processing agreements that meet the requirements under Art. 28 GDPR with all processors. We have obliged our processors to comply with the necessary requirements under Art. 28 GDPR, in particular to comply with our instructions. Specifically, Openbank uses the services from third-party providers which operate in many different sectors, including, but not limited to, the following: logistics services, legal advice, supplier approval, multidisciplinary professional services companies, hosting companies, maintenance-related companies, technological service providers, software service providers, physical security companies, instant messaging service providers, infrastructure management and maintenance companies, call centre service companies and control companies. You can consult the third-party providers here, or request it by sending an email to datenschutz@openbank.de.

8. International data transfers

We will only transfer your data to countries outside the EU/EEA (so-called third countries) where it is necessary for the purposes described in this Privacy Policy. The transfer may, therefore, be part of some of the above-described services provided by third parties.

We will only transfer data to a third country in compliance with the applicable data protection laws, in particular the GDPR and the guarantee of an adequate level of data protection. This means that your data will only be transferred if the prerequisites of Art. 44 et seq. GDPR are met, in particular if the EU Commission has decided that an adequate level of data protection exists in the third country in question (Art. 45 GDPR), or if there are adequate safeguards for the protection of your personal data (see Art. 46 GDPR) or if there is legal authorisation (Art. 49 GDPR). Appropriate safeguards within the meaning of Art. 46 GDPR include, particularly, the standard data protection clauses published by the EU Commission. You can see all international data transfers that we make, either directly or through our providers, here or by writing to datenschutz@openbank.de or by referring to the table here.

9. Obligations to provide personal data

If you want to use the Service, we will ask you to provide us with the information necessary to provide our services. Please note that the data we specify in each of the forms as being “required” is necessary for the proper performance of the contractual or pre-contractual relationship with Openbank. Please also note that without such personal information, we will not be able to offer you the Service at all. However, you are under no legal or contractual obligation to provide us with your personal data until you enter into a contractual relationship with us. Once you have applied for the Service, you may be required to provide us with certain information during the course of the contractual relationship as set out above.

10. To what extent is automated decision making, including profiling, carried out in accordance with Art. 22 GDPR?

Automated decision-making, including profiling pursuant to Art. 22 GDPR, takes place to the extent described under the different processing activities of Section 4.

11. What are your rights regarding the processing of your personal data?

You have the following rights, which you may exercise at any time:

  • Right of access (Art. 15 GDPR): you have the right to obtain confirmation as to whether or not we are processing personal data concerning you and, if so, to access such data as per Art. 15 GDPR. This includes the right to obtain a copy of your personal data.
  • Right to rectification (Art. 16 GDPR): you have the right to obtain the rectification of inaccurate personal data, which includes the right to have incomplete personal data completed (including by providing a supplementary statement), taking into account the purposes of the processing.
  • Right to erasure (Art. 17 GDPR): you have the right to obtain the erasure of your personal data.
  • Right to restriction of processing (Art. 18 GDPR): you have the right to obtain restriction of the processing of your personal data.
  • Right to data portability (Art. 20 GDPR): you have the right to receive your personal data in a structured, commonly used and machine-readable format and also the right to have that data transmitted to another controller without hindrance where the processing is based on consent or on a contract and the processing is carried out by automated means.
  • When personal data is processed based on your consent, you have the right to withdraw such consent according to Art. 7 (3) GDPR. Please keep in mind that your withdrawal will only affect future processing and will not affect the lawfulness of processing based on consent before its withdrawal.
  • In the event you consider the processing of your personal data to be unlawful, you have the right to lodge a complaint with the competent supervisory authority pursuant to Art. 77 GDPR. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.
  • To the extent the personal data are processed for the purpose of our legitimate interest according to Art. 6 (1)(f) GDPR, you have the right to object pursuant to Art. 21 GDPR. Please find further information regarding your right to object in the text box below under “Information on your right to object pursuant to Art. 21 General Data Protection Regulation (GDPR)”.

Information on your right to object pursuant to Art. 21 General Data Protection Regulation (GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you under Art. 6 (1)(f) GDPR (processing of personal data based on a balancing of interests); this includes profiling based on those provisions (Art. 4(4) GDPR).

Should you decide to object to the processing, we will stop the processing of personal data concerning you, unless we can either demonstrate compelling legitimate grounds for such processing, which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.

You also have the right to object at any time to the processing of personal data concerning you for the purpose of advertising; this also applies to profiling insofar as it is associated with advertising.

Should you decide to object to the processing for advertising purposes, we will stop processing the personal data concerning you for such purposes.

The objection can be made without a formal procedure and should, if possible, be addressed to the bodies mentioned below or in Section 2 of this Privacy Policy.

You may also exercise the aforementioned rights via the following channels:

- Email: datenschutz.de@zinia.com

- Post: Open Bank, S.A.U, Plaza de Santa Bárbara 2, 28004 Madrid (Spain)

- Contact Centre: + 49 216 1621 0029

12. Compliance with codes of conduct

Openbank complies with the Code of Conduct for Data Protection in Advertising of the Association for Advertising Self-regulation (hereinafter "AUTOCONTROL"), accredited by the Spanish Data Protection Agency, and, therefore, it is bound by its extrajudicial system for processing claims when they concern data protection and advertising, available to data subjects here. Bear in mind that the language of mediation is Spanish and, in exceptional cases, English.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

You can download this Privacy Policy here.

Last update: December 2025.