Privacy Policy

Last update: May 2024

1. Introduction

The purpose of this privacy policy (hereinafter, the “Privacy Policy” or the “Policy”), in accordance with Regulation (EU) 679/2016 of 27 April 2016, approving the General Data Protection Regulation (hereinafter, the “GDPR”) and other applicable implementing data protection legislation, is to regulate and provide information about the processing carried out by Open Bank, S.A. (hereinafter “Openbank”, “Zinia”, its registered trademark, or “we”) of personal data of customers (hereinafter, “you” or the “Customer”) who sign up for a store’s payment service when they buy goods and/or services, so that they can pay Openbank directly for their purchase (hereinafter, the “Service”). The Service is run by Zinia (hereinafter, “Zinia”).

This Policy provides you with information about the categories of personal data we process, the means by which we have obtained your personal data, the purposes for which we collect and process your personal data, the legitimate basis for such processing, the data recipients, the applicable data retention periods and the rights granted to you by the regulations in relation to your personal data.

Please take a few minutes to read and properly understand its contents. If you have any questions, please contact our Data Protection Officer, whose contact details can be found below.

2. Who is the Data Controller?

“Open Bank, S.A.”, acting in its capacity of independent data controller or co-controller. You are expressly informed in this Privacy Policy when we process your data jointly with another data controller.

Business address: Plaza de Santa Bárbara 2, 28004 Madrid, Spain.

Email address for contacting the Data Protection Officer: datenschutz.de@zinia.com.

3. What information do we collect from you and how do we obtain it?

We will process the categories of personal data listed below that we obtain directly from you through the various forms for requesting information, or from third parties (e.g., the business where you make your purchase, credit reporting agencies (such as Infoscore Consumer Data GmbH, Schufa Holding or CRIF GmbH), external providers of aggregation services or other external/public sources).

The data we indicate in each of the forms as "mandatory" is necessary for the proper undertaking of your relationship with Openbank. If we do not receive this information, we will not be able to process your request or provide you with the Service.

  • Contact and identification data: name and surname, billing and shipping address, mobile phone number, fingerprint, email address and country of residence.
  • Economic, financial and insurance data: data related to the price of the goods you purchase, data related to the payment of your purchase (e.g., bank account, bank name and branch), data related to arrears, solvency and debt history, pending payment orders and information about negative payment history and previous credit approvals.
  • Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and tracking number.
  • Device data: IP address, language settings, browser settings, time zone, operating system, platform, screen resolution, log in through the different devices you use and other similar device settings.
  • Data about your personal characteristics: date of birth, age, sex and nationality.
  • Unique identifiers: data collected from cookie ID, device ID, fingerprint, recorded voice calls, chat conversations and email correspondence.
  • Employment data: position and contact details of the contact persons acting as legal representatives of the businesses we collaborate with.
  • Special categories of personal data: data that reveals information about health and information related to sanctions lists.
  • Data about politically exposed persons and sanction lists: sanctions and PEP lists containing information such as name, date of birth, place of birth, occupation or position, and the reason why the person is included on the respective list.

In addition to the above data that you provide us with directly, e.g., through the various forms for requesting information or which we collect from third parties (such as the business where you make your purchase or credit reporting agencies), we will also process other data that we may have about you from our internal sources, such as:

  • Personal data we obtain derived from the relationship we have with you for the provision of the Services.
  • Personal data we obtain as a result of your interaction through our website/app.
  • Inferred data that we deduce and/or obtain from data that you have previously provided us with (e.g., when we create profiles).
  • As Zinia and Openbank are in fact the same data controller, personal data relating to you that we may have obtained as part of a contractual relationship between you and Openbank, in addition to the provision of the Services under the Zinia trademark.

4. Data processing activities we carry out

Data processing activity | Purpose of the data processing activity (what we do and why) | Categories of personal data processed | Legal basis for the data processing activity | Termination of data processing purposes

1

User/Customer registration management

Manage customer interaction in accordance with the terms and conditions of the Service, including registration and communication of relevant information.

Contact and identification data.

Economic, financial and insurance data.

Data on goods and services transactions.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When your relationship with Openbank terminates.

2

Conducting a risk analysis on fraud prevention, including the cross-checking of data to verify identity, and delivery and invoicing addresses

See Section 5 for further information.

Analysis of potentially fraudulent activities as part of your request for our Buy Now, Pay Later service (or similar) and your relationship with us in order to prevent registration requests that could be fraudulent (automated decisions).

Contact and identification data.

Data related to your personal characteristics.

External sources:

Emailage Ltd.

Legitimate interest of Openbank in preventing fraudulent activities and protecting existing customers and its business, as per Article 6.1(f) GDPR.

When the fraud assessment is performed.

3

Account aggregation for Customer identity verification

See section 6 for further information.

Account aggregation for the verification of your identity with that of the account holder of the aggregated account, in order to carry out the transaction.

Contact and identification data.

Economic, financial and insurance data.

External sources:

Tink AB

Execution of the contract and proper provision of the Services, according to Article 6.1(b) of the GDPR, when the chosen financing option does not fall into the category of a banking product. In compliance with our legal obligations, according to Article 6.1 (c) of the GDPR when the chosen financing option is a banking product.

Once the identity verification process has been carried out.

4

Disclosure of data to third parties for fraud prevention purposes

We will transfer your data to Emailage Ltd., to detect and prevent potential fraud attempts and to comply with the procedures, rights and guarantees that the current legislation establishes and recognises at all times. Emailage also acts as a data controller when processing your personal data and will use it for the purposes established in its privacy policy. You can exercise your rights regarding data protection against Emailage at DPO@lexisnexisrisk.com.

Contact and identification data.

Economic, financial and insurance data.

Legitimate interest of Openbank in preventing fraudulent activities and protecting existing customers and its business, as per Article 6.1(f) GDPR.

When data is transferred to the third party.

5

Disclosure of data to other entities within Banco Santander’s Group of Companies for preventing money laundering and financial crime.

We will share your data with entities of the Santander Group (within the meaning of Article 42 of the Code of Commerce), in order to comply with their internal regulations on the prevention of financial crime, their legal obligations to prevent money laundering and regulatory reporting to supervisory authorities.

Contact and identification data.

Economic, financial and insurance data.

Data on goods and services transactions.

In compliance with our legal obligations under Article 6.1 (c) of the GDPR.

When the disclosure takes place.

6

Exercising data protection rights and related inquiries

Handle, manage and resolve requests relating to customers, interested parties and other data controllers exercising their GDPR rights, as well as complaints submitted directly by the data subject to Openbank or through the corresponding supervisory authorities.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

Commercial data.

As per Article 6.1(c) of GDPR, legal obligation of Openbank, as data controller, to comply with obligations set forth in Article 15-22 of GDPR.

When the request to exercise rights has been duly processed.

7

Debt collection

Managing the collection of Customer’s debts with Openbank.

Contact and identification data.

Economic, financial and insurance data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When you pay the debt you have with Openbank.

8

Selling debt portfolio to other entities that will act as creditors

See Section 10 for further information.

Selling the debt portfolio of Openbank Customers to third-party companies in order to obtain a benefit from debt defaults.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

Legitimate interest of Openbank in managing the debt portfolio of Customers and selling it to third parties in order to obtain a financial benefit as per Article 6.1(f) GDPR.

When we transfer the outstanding debt to third-party companies.

9

Financial data processing

Maintain accounting and administrative procedures as required by accounting laws and to comply with the applicable law. Creation of reports and/or communication of personal data to the different supervisory bodies (Bank of Spain). Filing and accounting in accordance with accounting legislation.

Contact and identification data.

Economic, financial and insurance data.

As per Article 6.1(c) of GDPR, legal obligation of Openbank to keep accounting and administrative records and to comply with reporting obligations with the corresponding financial and anti-money laundering supervisory authorities, as per Spanish Law 44/2002 of the Financial System and Spanish Law 10/2010 on the prevention of money laundering and terrorism financing.

When your relationship with Openbank terminates.

10

Transfer to Openbank of your customer data from the store where you purchase products

See Section 6 for further information.

The business’s right to charge you for your purchase is transferred to Openbank (sale and purchase of the invoice).

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When the purchase takes place, given that the transfer is carried out in a single action.

11

Email validation

Data processing to confirm the email address provided by the Customer, check the data provided are correct and to ensure the quality of said data.

Contact and identification data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When the validation is concluded.

12

Sending of communications for fraud prevention purposes

During the contract formalisation process and after you have completed the process and have become an Openbank Customer, we will send you communications in order to verify your identity or to prevent fraudulent attempts or detected fraudulent activities.

Contact and identification data.

Data relating to personal characteristics.

Economic, financial and insurance data.

Legitimate interest of Openbank in preventing fraudulent activities and protecting existing Customers and its business, as per Article 6.1(f) GDPR.

When your relationship with Openbank terminates.

13

Sending of marketing

See Section 8 for further information.

Sending of marketing based on customer profiling.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR, which you may withdraw at any time.

When you withdraw your consent.

14

Customer satisfaction surveys and market research

Contacting Customers by phone and email to conduct satisfaction and other surveys, market research and internal statistics to prepare commercial reports to better understand the consumption habits of our Customers; thereby allowing us to internally assess the design, creation and improvement of new products that may be of interest to our Customers or to reach commercial agreements with third parties.

Contact and identification data.

Economic, financial and insurance data.

Unique ID.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR, which you may withdraw at any time.

When you withdraw your consent.

15

Ensure network and service information security

Ensure the security of Openbank’s network and information. The processing is necessary to achieve the specific purpose. The legitimate interest takes precedence over a Customer’s right to oppose it.

Contact and identification data.

Economic, financial and insurance data.

Unique ID.

Legitimate interest of Openbank in protecting its network and information security system in order to safeguard its business and services, as per Article 6.1(f) GDPR.

When your relationship with Openbank terminates.

16

Processing of vulnerable Customer data

Only if you have asked us to do so and based on your prior informed consent, we will process data relating to your disability or situation of vulnerability in order to provide you with the Service adapted to your personal needs and circumstances. For example, if you have a hearing or visual impairment, we can arrange for special assistance if so required.

Contact and identification data.

Special categories of personal data.

Economic, financial and insurance data.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR, which you may withdraw at any time.

When your relationship with Openbank terminates or when you withdraw your consent.

17

Personal data anonymisation

Anonymisation of your personal data in order to enhance our services and products and to analyse consumer behaviour, create statistics and reports for market analysis or the analysis of payment tendencies or volumes in certain regions or industries and for the development and testing of products. The purpose of the foregoing is to enhance our risk and credit models and to design our Services (if possible, we will first anonymise the data prior to carrying out such activities to ensure that no personal data will be subsequently processed). For the duration of the contractual relationship, the personal data of Customers will be constantly anonymised for the aforementioned purposes.

Contact and identification data.

Economic, financial and insurance data.

Commercial data.

Data on the goods and services purchased.

Data relating to your personal characteristics.

Data relating to employment.

Unique ID.

Legitimate interest of Openbank in using Customers’ anonymised data to improve our products and the provision of Services to Customers, as per Article 6.1(f) GDPR.

When the data is anonymised, it will lose its personal data status and we will cease processing it.

18

Profiling with internal data to decide which type of Openbank marketing, third-party products or Santander Group company products we offer

See Section 8 for further information.

Analysis and profiling related to your economic and personal characteristics, based on the consultation of information from internal sources, in order to determine which Santander Group and third-party products and services best suit you.

Contact and identification data.

Economic, financial and insurance data.

Commercial data.

Data on the goods and services purchased.

Data relating to your personal characteristics.

Data relating to employment.

Unique ID.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR, which you may withdraw at any time.

When you withdraw your consent.

19

Profiling with internal and external data to analyse the admission of the Customer on Openbank's own initiative.

On Openbank’s own initiative, profiling interested people with information obtained from both internal and external sources to analyse the Customer’s admission.

Contact and identification data.

Economic, financial and insurance data.

Commercial data.

Data on the goods and services purchased.

Data related to your personal characteristics.

Data relating to employment.

Unique ID.

External sources:

CRIF’s databases

SCHUFA’s databases

Prior informed consent obtained from you, as per Article 6.1(a) GDPR, which you may withdraw at any time.

When your relationship with Openbank terminates or when you withdraw your consent.

20

Profiling with internal and external data for creditworthiness analysis

See Section 5 for further information.

Profiling interested people with information obtained from both internal and external sources in order to conduct a creditworthiness analysis of the Customer.

Contact and identification data.

Data relating to your personal characteristics.

Economic, financial and insurance data.

Commercial data.

Data relating to employment.

Data relating to goods and services transactions.

Unique ID.

External sources:

CRIF’s databases

SCHUFA’s databases

Legitimate interest, as per Article 6.1(a) GDPR.

When your relationship with Openbank terminates or when you withdraw your consent.

21

Legal, administrative and judicial complaints

To handle the complaints of different parties according to the Service provided.

Contact and identification data.

Economic, financial and insurance data.

Legal obligation, as per 6.1(c) of GDPR.

When the complaint has been handled.

22

Customer phone service

Answer calls made to customer services, managing and resolving all inquiries made.

Contact and identification data.

Economic, financial and insurance data.

Unique ID.

Commercial data.

Legal obligation as per Article 6.1 (c) of GDPR in connection with legal obligations set forth in Spanish Law 44/2002 of the Financial System and Order ECO/734/2004 of 11 March, regulating customer services in financial institutions.

When the call or consultation has been handled or managed.

23

Legal/contractual communications

Sending communications to Customers in order to provide accurate and updated information regarding their relationship, such as amendments to the Terms and Conditions or the Privacy Policy, account closing, refund, payment letters.

Contact and identification data.

Economic, financial and insurance data.

Adequate execution and performance of the Services, as per article 6.1(b) GDPR. Legal obligation to keep our Customers updated on any changes in the T&Cs governing the Services relating to this Privacy Policy, as per Article 6.1 (c) GDPR.

When your relationship with Openbank terminates.

24

Customer registration approval through creditworthiness analysis (automated decision)

See Sections 6 and 10 for further information.

Analysis of the creditworthiness of the potential customer based on fully automated decisions in order to approve the purchase of the invoice.

Contact and identification data.

Economic, financial and insurance data.

External sources:

CRIF’s databases

SCHUFA’s databases

Infoscore Consumer Data GmbH database

Tink AB

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

Legitimate interest of Openbank in assessing the solvency of potential customers with a view to approving the Service, as per article 6.1(f) GDPR.

When your relationship with Openbank terminates.

25

Debt payment

Payment of debt by the Customer according to the type chosen (whether it’s a transfer, card payment, etc.).

Contact and identification data.

Economic, financial and insurance data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When you pay off the debt.

26

Pre-approval of a purchase (automated decision)

See Sections 7 and 109 for further information.

When the Customer wishes to request the pre-approval of an in-store product purchase (pre-approval of the amount of an invoice), after selecting Zinia as the payment method, Openbank will transfer the Customer's data to the store, which will process them for a maximum of 72 hours to process the Customer's purchase.

Identification data.

Economic, financial and insurance data.

External sources:

CRIF’s databases

SCHUFA’s databases

Infoscore Consumer Data GmbH database

Tink AB

Execution of the contract for pre-approval in accordance with Article 6(1)(b) of the GDPR and prior informed consent obtained in accordance with Article 6(1)(a) of the GDPR for the transfer of data, which you may withdraw at any time.

When the invoice amount has been pre-approved.

27

Direct debits

Direct debit of payments using the account number provided by the Customer (SEPA mandate).

Contact and identification data.

Economic, financial and insurance data.

Prior informed consent, obtained in accordance with Article 6.1(a) of the GDPR, which you may withdraw at any time.

When the customer repays the debt.

28

Pay Now payment processing

In the event that Openbank is unable to approve the Customer's request for the use of the service or the product is not financeable, the Customer will be offered the possibility of making the payment via Pay Now. For this purpose, the Customer will be redirected from Zinia's environment to that of a payment initiation provider (which will act as the party responsible for processing the payment to be made).

Contact and identification data.

Economic, financial and insurance data.

Execution of the contract and proper performance of the Services, in accordance with Article 6.1 (b) of the GDPR.

When the Customer makes the payment.

29

Data storage

Storage of data relating to transfers or payments received by the Customer for legal reasons.

Contact and identification data.

Economic, financial and insurance data.

Legal obligation under Article 6(1)(c) of the GDPR.

When the contractual relationship with Openbank ends.

30

Call recording

Recording and safekeeping of telephone calls and communication registers through different means provided for this purpose.

Contact and identification data.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR, which you may withdraw at any time.

When you withdraw your consent.

31

Quality and service metrics

Conducting quality metrics to better understand the quality level reached during the provision of the Services and, thus, being able to internally assess quality standards and improvements to be made.

Contact and identification data.

Economic, financial and insurance data.

Unique ID.

Commercial data.

Legitimate interest of Openbank in measuring its quality standards to improve products and the provision of Services to Customers, as per Article 6.1(f) GDPR.

When your relationship with Openbank terminates.

32

Complaints related to the product acquired

Management of complaints from Customers relating to the product acquired, as well as coordinating complaints with the business where you made your purchase.

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

External sources: the store where the Customer purchases products.

Legal obligation to handle and manage complaints received from Customers, as per Article 6.1(c) GDPR.

When the complaint has been handled.

33

Sending of marketing related to Openbank, Santander Group and third-party products based on data obtained from external sources

See Section 8 for further information.

Sending marketing based on data obtained from external sources.

Contact and identification data.

Economic, financial and insurance data.

External sources:

CRIF’s databases

SCHUFA’s databases

OpenStreetMap provides us with information relating to geographic data, such as street maps.

Here.com provides us with information relating to your address: https://www.here.com/here-statement-gdpr

Prior informed consent obtained from you, as per Article 6.1(a) GDPR, which you may withdraw at any time.

When you withdraw your consent.

34

External audit

Verification of compliance with the regulations in the context of external audits. Processing of Customer data for audit samples.

Contact and identification data.

Economic, financial and insurance data.

Legal obligation, as per article 6.1(c) GDPR.

When the external audit has ended.

35

Internal audit

Verification of compliance with regulations and internal policies of Openbank. Conducting the verification may require testing that involves access to Customer databases.

Contact and identification data.

Economic, financial and insurance data.

As per Article 6.1(f) GDPR, our legitimate interest in verifying the suitability and adequacy of our processes in order to comply with legal obligations and internal quality standards for the identification, control and mitigation of legal or operational risks. Bear in mind that this information may be accessed by third-party companies that provide the auditing service for such purpose.

When the control or the compliance audit terminates.

36

Respond to your requests on social media and social media analytics

When you use our social media, we will process your data to respond to your requests and to analyse your interactions with Zinia.

Contact and identification data.

Unique ID.

Our legitimate interest in properly handling the requests you send us on social media, as well as in offering the Services in a simple and efficient manner and adapting our products in a way that meets your needs and expectations, as per Article 6.1(f) GDPR.

When the request you make to Openbank is resolved.

37

Draws and competitions

Collection of data from competitions, raffles and cultural offers, among others, in order to carry out commercial actions.

Contact and identification data.

Performance of the contract and proper performance of the Services (i.e., participation in the prize draw itself), according to Article 6(1)(b) of the GDPR.

When the competition has ended.

38

Identity control

Data processing to confirm your identity and check whether the data that you have provided us are correct, as well as to prevent criminal activities. Checking and verifying the Customer’s identity.

Contact and identification data.

Legal obligation, as per Article 6.1(c) GDPR. Article 5(d) GDPR, principle of accuracy.

When we validate your data.

39

Biometric identification

When you want to purchase certain products, we are obliged to identify you. To do this, one of the possible solutions we provide is to carry out biometric identification through our service provider WebID, who identifies you on our behalf. This biometric identification will be carried out, firstly, by matching your photo and your scanned ID card and, secondly, by using a solution that allows us to identify you by accessing your online account with your bank. If you do not consent to biometric identification, we will provide you with alternative methods of identification.

Contact and identification data.

Biometric data.

Economic and financial data.

The identification is based on our legal obligation according to Article 6.1 (c) of the GDPR. However, this identification by means of biometric data is based on your prior informed consent, obtained in accordance with Article 6.1 (a) of the GDPR, which you may withdraw at any time.

When the data are validated.

40

Communication of information to the qualified signature-trust-service provider

In order to electronically sign the contract by means of a qualified electronic signature, our WebID service provider provides your data to the electronic trust service provider, as it is necessary for a third party to validate your signature.

Contact and identification data.

Execution of the contract and proper performance of the Services, according to Article 6.1 (b) of the GDPR.

When the contract is signed.

41

Reporting information to credit information agencies

See Section 10 for further information.

We will process your personal data to report information regarding the Services, as well as information regarding any breach, default or fraudulent conduct, to credit information agencies (i.e., SCHUFA and CRIF).

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

As per Article 6.1(f) GDPR, our legitimate interest in preventing non-payment that is detrimental to us and to adequately control it, and in accordance with the legitimate rights held by third-party financial institutions to be informed of any non-payment when processing new financing applications.

When the debt is satisfied.

42

Cookies

See Section 13 for further information.

Storage of user browsing data for analysis or measurement, preferences, or personalisation, and behavioural advertising, as envisaged at https://www.zinia.com/en-de/cookie-policy.

Contact and identification data.

Prior informed consent obtained from you, as per Article 6.1(a) GDPR, which you may withdraw at any time.

When you withdraw your consent.

43

Click and collect

Request from the Customer, through the business’s website, to collect the purchase at its physical premises.

Contact and identification data.

Economic, financial and insurance data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When the purchase is collected.

44

Point of sale

Request from the Customer to formalise the purchase at the business’s physical premises.

Contact and identification data.

Economic, financial and insurance data.

Adequate execution and performance of the Services, as per Article 6.1(b) GDPR.

When the purchase is collected.

45

Transfer to the store of information collected at the point of sale

When the Customer purchases in some specific stores in point-of-sale mode, if the Customer wants to use the Service from Openbank, we will have to provide certain data to the store for the issuance of the corresponding invoice (for example, when the Customer purchases products at Apple stores).

Contact and identification data.

Economic, financial and insurance data.

Data relating to goods and services transactions.

Execution of the contract and proper provision of the Services, according to Article 6.1 (b) of the GDPR.

When the transfer is carried out.

46

Prevent money laundering or terrorist financing (including automated decision-making)

Carry out a verification of the information provided and prevent criminal activities.

Verify that the end-user of the Service, or the individual acting as the legal representative or proxy of a business, is a publicly or politically exposed person and, if so, apply enhanced measures of due diligence in the business relationships or operations that we carry out with you.

Contact and identification data.

External sources:

Information from external sanction lists and PEPs lists.

Legal obligation, as per Article 6.1(c) of the GDPR.

Law 10/2010, on the Prevention of Money Laundering and Terrorist Financing and Royal Decree 304/2014 of May 5, approving the Regulations of Law 10/2010.

When the contract between you and Openbank terminates or, in the case of proxies and legal representatives, when you stop representing them.

47

Processing details of proxies or representatives of legal entities or related to self-employed professionals

If you are self-employed or represent a business that is interested in collaborating with us, we will process your contact details, as well as those relating to the position you hold, and, in general, the data necessary to contact you. Under no circumstance will we use the personal data we hold to establish a relationship with you at an individual level.

Contact and identification data.

Adequate execution and performance of the agreement with the business we collaborate with, as per Article 6.1(f) GDPR.

When the contract between the business and Openbank terminates or when you stop acting as a representative of the company.

In addition to the information provided in the table above, relating to all the data processing activities we carry out, a more detailed explanation is provided below of some of the processing activities we consider particularly relevant, including, where applicable, information about external data sources, the logic involved in automated data-processing activities and the potential consequences of such processing.

5. Fraud prevention

We have the obligation and aim to avoid fraud and to protect you and all our other customers against possible fraudulent actions.

  • Approval of the application to use the service (automated decision)

To this end, when you request the Service, we will use automated decision-making that significantly affects you. Therefore, profiling is carried out based on the automated processing of your data to evaluate the information provided during your application in order to make a decision on whether or not to purchase your invoice, or to assess whether your use of our Services involves a risk of fraud. We profile your user behaviour through specialised fraud-prevention tools and compare the data on behaviour and conditions with our internally established risk criteria.

The consequence of these automated decisions for you is that, based on the analysis carried out, we will decide if we are able to preliminarily approve your application to use the Service. We use the data you provide, as well as data from external sources and Openbank’s own internal information, which includes information we have about you, including data on your previous use of our Services and on the device you use to request it.

We decide whether or not you pose a risk of fraud in the event that our processing shows that your behaviour indicates possible fraudulent conduct, that your behaviour is not consistent with your previous use of our Services, or that you have attempted to conceal your true identity. Automated decisions, whereby we assess whether or not you constitute a fraud risk, are based on information you have provided, data from fraud prevention tools and service providers that we use and collaborate with, as well as Openbank’s own internal information.

The personal data categories used in each decision are set out in Section 4. Please note that if before carrying out the transaction, you already have a relationship with Openbank, as Zinia and Openbank are in fact the same data controller, we will also process, for the purposes established in this section, the personal data relating to you that we have obtained through said relationship. See Section 9 for more information about who we share information with as regards profiling during automated decision-making.

If you are not approved in the automated decision-making process mentioned in this section, you will not have access to the Service. We have several control mechanisms in place to ensure that our automated decision-making is appropriate. These mechanisms include ongoing testing and reviewing of our decision models and detailed documentation of rejected applications and the reasoning behind them. If you have any concern about the outcome, you can contact us, and one of our analysts will intervene to determine whether or not the procedure was performed appropriately. You can also object in accordance with the following instructions:

Under data protection legislation, you have the right to object to any automated decision with legal consequences or decisions that can otherwise significantly affect you. In this case, you can do so by sending an email to datenschutz.de@zinia.com. Upon receiving your request, we will proceed to review the decision made, taking into account any additional information and circumstances that you may provide.

  • Verification of identity and shipping and billing address (automated decision)

In line with our goal of protecting you and the rest of our customers from possible fraudulent and criminal behavior - such as identity theft - when you request the Service, we will cross-reference some of the data you have provided to us (in particular, your name and shipping and billing address) with Infoscore Consumer Data GmbH (hereinafter, “ICD”), who will process them as data controller, complying with and respecting the procedures, rights and guarantees established at all times and recognised by the legislation in force.

This processing will be carried out with the sole purpose of detecting and preventing fraud attempts. To this end, ICD will analyse the suitability of the claimed identity, the accuracy and appropriateness of the address you provide, and the characteristics of the area.

ICD will process the data in line with its privacy policy. You can exercise your data protection rights against ICD here.

The logic applicable to this processing is as follows: we will cross-reference your data with those included in the ICD Credit Register in order to detect possible inconsistencies between the name and shipping and billing address that you have indicated during your purchase process and the data under the responsibility of ICD. With the information obtained in the framework of the above cross-referencing activity, we may deny your Service request.

Furthermore, since this processing is carried out based on an automated decision, you have the right to request an explanation about the decision made, to exercise your right not to be the subject of exclusively automated decisions, requesting the intervention of one of our analysts, to express your point of view on the decision made and to challenge it. To do so, you can provide the additional documentation that you consider necessary.

The legitimate basis for this data processing is our legitimate interest in preventing fraud (Recital 47 GDPR) and preventing harm to our customers. This processing is not opposable because there are compelling reasons for this purpose.

6. Transfer of data from the business where you make the purchase to Openbank and Customer registration approval through creditworthiness analysis (automated decision)

When you request the Service, the business where you are making a purchase will disclose to us certain personal data relating to you, so as to transfer to Openbank its right to charge you for your purchase (sale and purchase of the invoice).

In certain cases, the store where you make your purchase and Openbank may act as separate data controllers, i.e., each of us will determine separately how we process your data, and we will therefore have to comply independently with the existing data protection requirements and obligations. In other cases (where either the store or Openbank specifically informs you of this), for certain phases of data processing we will jointly determine the means and purposes of such processing, i.e., we will be jointly responsible.

Whether we act as an independent or co-controller will depend on the data processing carried out and the configuration of the payment process with the store. If you would like to receive more information about the processing of your data by the store and by us, please do not hesitate to contact Openbank using the contact details provided in sections 2 and 10. In the case of co-responsibility, you are also entitled to receive information about the essential aspects of the co-responsibility agreement, also using the contact details provided in the above sections.

We need to process personal data (i) received from the business, (ii) provided directly by you and (iii) collected by Openbank from external sources (such as third parties, including Infoscore Consumer Data GmbH and other credit agencies or account aggregation providers), in order to analyse and manage the approval of the sale of the invoice and – if the invoice purchase finally takes place – to comply with the derived obligations and to maintain the relationship with you.

To that end, we will assess your solvency in order to predict if you can afford the payment of the goods purchased and to prevent a possible default on the debt with the aim of avoiding situations that may be detrimental to both Openbank and you.

Please note that before the generation of the payment mandate, you will be redirected from Zinia to the environment of Tink AB, the external aggregation provider that will act as the data controller. Tink will transfer to Openbank within the framework of the collaboration agreement signed between both entities, and in accordance with its privacy policy, the following data on the accounts you have aggregated (external sources): your balances in different asset and liability products in other financial institutions.

Once the aggregation has been carried out by the third-party provider, we will also verify that your identity matches that of the account holder of the account added through Tink.

The sources from which we obtain the data, as well as the specific categories of personal data that we collect from such sources, are set out in Section 4. Please note that if before carrying out the transaction you already have a relationship with Openbank, as Zinia and Openbank are in fact the same data controller, we will also process for the purposes established in this section the personal data relating to you that we have obtained through said relationship.

The logic behind the analysis we carry out to approve the purchase of the invoice is based on the analysis of the information that you have provided us, such as your purchase history and payments, together with the external sources listed in Section 4 that provide us with information relating to your identity and financial situation, or their own creditworthiness scoring. The aforementioned data and the analytical properties of our risk models enable us to automatically infer if you would be able to afford the payment of the product, which consequently allows us to approve or reject your request, based on the probability of you failing to meet your payment obligation.

You are entitled to ask for an explanation about the decision made, to exercise your right to not be subject to exclusively automated decisions – by requesting the intervention of one of our analysts –, to express your point of view regarding the decision made on the basis of the profiling and to challenge it.

7. Pre-approval of a purchase (automated decision)

When the Customer wishes to request the pre-approval of a purchase for the acquisition of products in the store (pre-approval of the amount of an invoice), after selecting Zinia as the payment method, Openbank will transfer the Customer's data to the store, which will process them for a maximum of 72 hours in order to process the Customer's purchase of the product.

In certain cases, the store from which you make a purchase and Openbank may act as separate data controllers, i.e., we will each determine separately how we process your data and will therefore have to comply independently with existing data protection requirements and obligations. In other cases (where either the store or Openbank specifically informs you of this), for certain stages of data processing we will jointly determine the means and purposes of such processing (i.e., we will jointly decide how we will process your data and for what purpose). Whether we act as a separate or co-responsible controller depends on the data processing carried out and the configuration of the payment process with the store. If you would like to receive more information about the processing of your data by the store and by us, please do not hesitate to contact Openbank using the contact details provided in sections 2 and 10. In the case of co-responsibility, you are also entitled to receive information about the essential aspects of the co-responsibility agreement, also using the contact details provided in the above sections.

We need to process personal data (i) provided directly by you and (ii) collected by Openbank from external sources (such as third parties, including Infoscore Consumer Data GmbH and other credit bureaus or account aggregation providers, as indicated in the relevant row of the table in section 4) in order to handle the approval of invoices and, if the invoice is finally approved, to fulfil the resulting obligations and to maintain the contractual relationship with you.

In addition, we transfer your personal data (identification, economic, financial and insurance data) to the store for the purpose of invoice approval.

To this end, we assess your creditworthiness in order to predict whether you can afford to pay the invoices, thus avoiding possible non-payment of the debt and situations that could be detrimental to both Openbank and you.

Please note that prior to the generation of the payment mandate, you will be redirected from Zinia to the environment of Tink AB, the external aggregation provider who will act as an independent data controller. Tink will transfer to Openbank, within the framework of the collaboration contract signed between both entities, and in accordance with its privacy policy, the following data on the accounts you have aggregated (external sources): your balances in different asset and liability products in other financial institutions.

Once the aggregation has been carried out by the third-party provider, we will also verify that your identity matches that of the account holder of the account added through Tink.

The sources from which we receive data and the specific categories of personal data we collect from these sources are described in section 4. Please note that if you already had a contractual relationship with Openbank prior to the execution of the transaction, due to the fact that Openbank operates through Zinia, with Openbank being the controller, we will also process personal data about you received in the course of that prior contractual relationship, for the purposes described in this section.

The logic behind our pre-approval analysis is based on analysis of the information you provide to us, such as your purchase and payment history, as well as the sources listed in section 4, which provide us with information regarding your identity and financial situation, or your own credit score. The above data and the analytical functions of our risk models allow us to automatically infer whether you can afford to pay for the product so that we can approve or reject your application, based on the likelihood that you will default on your payment obligation.

You have the right to request an explanation of the decision taken, to exercise your right not to be subject to an exclusively automated decision by requesting the intervention of one of our analysts, to express your opinion on the decision taken on the basis of profiling and to oppose the decision.

8. Commercial and marketing communications

As part of the aforementioned data processing activities, we will process your personal data for marketing purposes. The scope and purpose of such data processing activities, as well as the legal basis for them and the categories of personal data processed, are set out below in greater detail:

Type of marketing communications that you will receive:

Your personal data will be processed in order for Openbank to send you marketing regarding the following:

a) Openbank products and services, including Openbank accounts, cards, loans, savings and investment products.

b) Products and services of the Santander Group companies that may be of interest to you. You can see a list of these companies here.

c) Offers of third parties that collaborate with Openbank and which offer its products and services. This may include the following:

i. If you have an Openbank product, such as an account, card or loan, etc., you may be sent offers and discounts on the products and services of our partners through Open Discounts. You can see a list of the current partners by clicking here. This list is updated on a regular basis.

ii. If you have selected a Zinia payment method and have accepted the Zinia Terms and Conditions, you may be sent offers and discounts on third-party products and services where such payment method is available. You can see a list of these third parties here. This list is updated on a regular basis.

iii. If you are an Openbank customer or have selected a Zinia payment method and have accepted the Zinia Terms and Conditions, you may also be sent offers of third parties that Openbank collaborates with in order to offer you products or services that may be of interest to you, such as insurance. Furthermore, if you have taken out or engaged a service or product offered by Openbank in collaboration with a third party, you may also be sent offers of those third parties, which will be mentioned when the corresponding product or service is taken out or engaged.

Based on your marketing consent, your data will not be shared with third parties, even in the event you receive information about their products and services that may be of interest to you. All marketing on the products and services of third parties, in accordance with this marketing consent, will be sent by Openbank.

In addition, Openbank will process your personal data to monitor and understand how you interact with our advertising, such as open rates and click rates, etc., and how successful they are (e.g., if the product is eventually taken out). As a result, our marketing strategies will be optimised based on this behaviour, both in a collective and, in some cases, a personalised manner.

By marketing communications we mean the following:

Marketing includes all forms of communication that serve to directly or indirectly promote the sale of goods and services, and the image of Openbank, including customer satisfaction and market surveys.

Means and channels through which you will receive marketing communications:

You may be sent marketing through the following means and channels:

- Post (letter)

- Phone (calls and/or SMS)

- App (push messages and banners, etc.)

- Email

- Other electronic means.

Personalisation of the marketing communications:

Personalised advertising and marketing will be tailored to you by means of profiling. For this purpose, data from internal and external sources (e.g., fraud detection databases and credit reference agencies, such as SCHUFA) will be processed in order to analyse your economic and personal characteristics, interests, and behaviour and risk patterns. Profiling is designed to understand the offers, discounts, products and services that best suit you and to offer you tailored offers, discounts, products and services.

Profiling may result in you not being offered certain Openbank discounts, products or services as part of its advertising and marketing.

Data processed by Openbank for sending commercial and marketing communications:

We process the following categories of personal data:

  • Master data (name and contact details);
  • Information on personal characteristics, interests and preferences: date of birth, age, place of residence and, for tax purposes, family information, gender and nationality;
  • Economic, financial and insurance information, such as your financial circumstances, credit standing and payment behaviour; income, investments and assets, banking information, subsidies and benefits, payroll financial data;
  • Information about how you interact with our advertising and marketing, such as opening an email and your click behaviour.

In general, we collect this personal data directly from you. However, we may also receive information regarding you from the following external sources:

  • Third-party companies to which you have given your consent to transfer your data to Openbank or which otherwise legally transfer your data to Openbank.
  • Credit agencies, such as SCHUFA Holding AG and CRIF.

The legal basis for sending you marketing communications is the following:

The legal basis for this data processing is:

  • Your consent: this processing is based on your consent to process your personal data (Article 6(1)(a) of the GDPR).

9. How long do we keep your personal data for?

Openbank will keep your data for as long as required to undertake the purpose for which they were collected and, subsequently, they will be blocked for the corresponding retention period provided for by law or as per the statute of limitations. After these periods, where applicable, Openbank will destroy or completely anonymise the data.

The blocking of your data implies Openbank refraining from carrying out any processing of your data. However, your data will be retained for the purpose of making them available to the competent public administrations, judges, courts and tribunals or the Public Prosecutor's Office in relation to any liability that may arise from the contractual relationship held with you or relating to the processing of such data.

Furthermore, if you are a customer, we will process your data until your contractual relationship with Openbank terminates. After said termination, as a general rule, we will keep your personal data blocked. Please note that some actions provided for by consumer law, such as injunctions or actions for declaration of nullity, are not subject to any statute of limitations.

10. Who will your personal data be shared with?

  • Authorities: third parties to whom we are legally obliged to provide information, such as public bodies, tax authorities, courts and tribunals.
  • Service providers and subcontractors: we will collaborate with third-party service providers which may have access to your personal data, and process them on our behalf, as a consequence of the services they provide us. We follow strict criteria in selecting our service providers so as to comply with the corresponding data protection requirements and obligations, and we undertake to sign the corresponding data processing agreements with them, whereby we will impose on them, among others, the following obligations: to apply appropriate technical and organisational measures; to process the personal data for the agreed purposes and only in accordance with our documented instructions; and to delete or return to us the data once the provision of the services has been completed or terminated.

In particular, we will outsource the provision of services by third-party service providers which are part of the following sectors, among others: logistic services, legal advice, private valuation services, supplier certification, multidisciplinary professional service companies, maintenance-related companies, technology service providers, IT service providers, instant messaging service providers, and call centre companies.

  • Fraud prevention service providers: we will share your data with Emailage Limited, a company we collaborate with to prevent fraud. Emailage also acts as a controller for the processing of your personal data and will use it for the purposes established in its privacy policy. You can exercise your data protection rights as regards Emailage by sending an email to: DPO@lexisnexisrisk.com.
  • Tink AB, as a third-party account aggregation provider. Tink AB will act as the data controller and we will share certain information about you with them in order to verify your identity and determine whether you will be able to pay your invoice and your risk of over-indebtedness.
  • Third-party payment initiation providers, such as Tink AB or Getnet Europe, Entidad de Pago, S.L.U., in order to enable you to make a Pay Now payment in the event that Openbank is unable to approve your application to use the Service or the product is not fundable.
  • Debt buyers: we may assign open debts to debt buyers, duly complying with the procedures, rights and guarantees established and recognised by the applicable regulations. The aforementioned assignment will entail disclosing the following categories of personal data relating to you to the debt buyer (acting as a separate data controller): contact and identification data; economic, financial and insurance data; data relating to goods and services transactions; and any data that we obtain from our contractual relationship with you. The legal ground for performing the mentioned disclosure is the legitimate interest of Openbank in managing its customer’s debt portfolio and selling it to third parties in order to obtain a financial benefit, as per Article 6.1(f) of the GDPR. The debt buyer will process your personal data in accordance with its own privacy notice. In any event, you will be informed of the specific debt buyer upon transfer of the debt.
  • In the event of non-payment, we will send the data to creditworthiness databases, complying with the procedures and guarantees established at all times and recognised by current legislation, namely:

SCHUFA: “Openbank shall transfer personal data – collected within the scope of this contractual relationship – regarding the application, development and termination of this business relationship, as well as information regarding any behaviour in breach of the contract or fraudulent conduct, to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. The permissibility of this data transfer is provided for in Article 6 Paragraph 1(b) and Article 6 Paragraph 1(f) of the General Data Protection Regulation (GDPR). Data may only be transferred on the basis of Article 6 Paragraph 1(f) of the GDPR if this is necessary to defend the legitimate interests of the bank/savings bank or third parties and does not outweigh the interests or fundamental rights and freedoms of the affected party requiring the protection of personal data. Data is also exchanged with SCHUFA to fulfil legal obligations concerning the performance of customer credit rating checks (Section 505(a) of the German Civil Code; Section 18(a) of the German Banking Act). In this regard, the customer also releases Openbank from banking secrecy. SCHUFA shall process the data it receives and also use them for profiling (scoring) purposes, in order to provide its contractual partners in the European Economic Area, Switzerland and any other third country (provided the European Commission has declared such country as appropriate) with information used for credit rating checks on natural persons and other purposes. More detailed information on SCHUFA’s activities can be found on the SCHUFA-Information in accordance with Art. 14 of the GDPR, and online at www.schufa.de/datenschutz.”

CRIF: “Within the framework of this contractual relationship, we transfer information regarding defaults to CRIF GmbH, Leopoldstraße 244, 80807 Munich, Germany. The legal basis for these transfers is set out in point (b) of Article 6 (1) and point (f) of Article 6 (1) General Data Protection Regulation (GDPR). CRIF GmbH processes the data received and also uses them for the purpose of creating profiles (scoring) to provide its contractual partners in the European Economic Area and Switzerland, and where applicable, third countries (where an adequacy decision of the European Commission exists) with information, among other things, for assessing the creditworthiness of individuals. You may find more detailed information about the operations of CRIF GmbH online at www.crif.de/en/privacy.”

We also inform you that payment experience data, in particular data relating to uncontested claims not paid when due, as well as address data, are transmitted to CRIF GmbH, Diefenbachgasse 35, 1150 Vienna, for lawful processing within the limits of its business licences under Sections 151 (publication of addresses), 152 (credit agencies) and 153 (automated data processing services and electronic data processing technology) under the Trade and Industry Regulation Act 1994. CRIF is also used for identity and credit checks. More information can be found at www.crif.at.

  • Santander Group entities. We will share your data with entities of the Santander Group (within the meaning of Article 42 of the Code of Commerce), in order to comply with their internal regulations on the prevention of financial crime, their legal obligations to prevent money laundering and regulatory reporting to supervisory authorities.
  • Providers that access or process your data outside the European Union. We may transfer your data internationally within the framework of some of the above-mentioned services offered by third-party providers. The purpose thereof will always be the maintenance and management of the relationship you have with us or the prevention of fraudulent actions or transactions. These transfers are made both to countries that offer an adequate level of protection, comparable to that of the European Union, and also to countries without such a level. In the latter case, we use several mechanisms established by applicable regulations to comply with all safeguards when dealing with your personal data, such as standard contractual clauses or certification mechanisms. You can obtain more information about any international data transfers we carry out by sending an email to datenschutz.de@zinia.com.

11. Your data protection rights

You are entitled to exercise the following rights at any time:

  • Right of access: you have the right to know whether or not Openbank processes personal data relating to you and, if so, to access such data.
  • Right to data portability: you have the right to receive a copy of the personal data you have provided us, in a readable, structured and commonly used format, and also to request its transfer to another institution.
  • Right to rectification: you have the right to request that inaccurate data be corrected.
  • Right to erasure: you have the right to request erasure of your data when, among other things, they are no longer necessary for the purpose for which they were provided.
  • Right to object: under certain circumstances, you can object to the processing of your personal data. If you object, Openbank will stop processing the data, except where there are compelling legitimate reasons for doing so, or for the exercising or challenging of possible claims.
  • Right to restriction of processing: under certain circumstances laid down in the applicable data protection legislation, you can request that the processing of your data be restricted.
  • Right to withdraw your consent: you are entitled, at any time and without providing specific reasons, to withdraw the consent you previously and specifically provided. The withdrawal of the consent will not affect the lawfulness of the data processing activities carried out based on that consent prior to its withdrawal.
  • The right not to be subject to exclusively automated decisions: in the event that you have consented to the profiling and that this is done through an exclusively automated process, you can request the intervention of one of our analysts, express your point of view and challenge the decisions made on the basis of said profiling.

You can exercise the rights established above through the following channels:

  • Email address: datenschutz.de@zinia.com
  • Postal address: Privacy, Open Bank, S.A., Plaza de Santa Bárbara 2, 28004 Madrid, Spain.
  • Location: Plaza de Santa Bárbara 2, 28004 Madrid, Spain.
  • Contact centre: 0800 0292 008

Finally, you can submit a claim to Openbank and/or the German Data Protection Authority (the supervisory authority competent in the field of data protection), particularly if you have not been satisfied with the process of exercising your rights, by writing to the above-mentioned address or via the website www.bfdi.bund.de. If you live in an EU member state, other than Germany, you can also directly contact your national data protection supervisory authority.

12. Keep your data up to date

To enable us to communicate with you, please ensure that all the information you provide for our databases is true, complete, accurate and completely up to date.

If the personal information you have provided us, particularly your postal address, email address and telephone number (landline and mobile), has changed, we kindly ask you to immediately inform us through any of the channels referred to in Section 10.

In the event that you do not notify us of such changes, you acknowledge and agree that all communications sent by us to the postal address or email address or to the contact telephone numbers that feature in our filing systems, are valid, binding and in full force and effect.

13. Cookies

At Openbank, we use cookies, among other things, to remember who you are when you access your private area or to customise content that may be of interest to you based on your browsing habits.

When you access the Zinia website, we will inform you about the cookies we use, and you can configure the analysis, advertising and personalisation cookies used when browsing the Zinia website. You can read our Cookie Policy for more information.

14. Adherence to the codes of conduct

Openbank adheres to the Code of Conduct on Data Protection in Advertising Activities of the Association for the Self-Regulation of Commercial Communication (hereinafter, ‘AUTOCONTROL’), accredited by the Spanish Data Protection Agency and is therefore linked to its extrajudicial system for handling complaints when they are related to data protection and advertising, available to interested parties here. Please note that the language of mediation is Spanish and, in exceptional cases, English. In the event of any discrepancy between the German and the English version of this Privacy Policy, the German version shall take precedence.

15. Amendments to the Privacy Policy

We are committed to keeping this Privacy Policy updated to reflect any new developments that occur in relation to the scope of the processing of your personal data. As such, it is important that you take the time to read and understand this Policy. We will notify you of any amendments made to this Privacy Policy by email.

You can download our Privacy Policy here.