Privacy Policy

1. Introduction

This privacy policy (hereinafter referred to as the “Privacy Policy”) is intended to regulate, in accordance with Regulation (EU) 2016/679 of 27 April 2016, which approves the General Data Protection Regulation (hereinafter referred to as the “GDPR”) and other applicable data protection laws to be implemented, the processing carried out by Open Bank, S.A. (hereinafter referred to as “Openbank” or “we”) of personal data of customers (hereinafter referred to as “you” or the “Customer”), who register and provide information when purchasing goods and/or services for the direct payment of their purchase from Openbank (hereinafter referred to as the “Service”). The Service is provided by Zinia (hereinafter “Zinia”), a registered trademark of Openbank.

 

In this Privacy Policy, you will find information about each category of personal data we process, the means by which we received your personal data, the purposes for which we collect and process your personal data, the legal basis for this data processing, the data recipients, the relevant data retention periods and the rights granted to you by the regulations in relation to your personal data.

 

Please take a few minutes to read and properly understand the contents of the Privacy Policy. If you have any questions, please do not hesitate to contact our Data Protection Officer, whose contact details can be found below.

 

2. Who is the Data Protection Officer?

“Open Bank, S.A.”, acting through its registered trademark “Zinia”.

Registered address: Plaza de Santa Bárbara 2, 28004 Madrid, Spain.

Email address to contact the Data Protection Officer: datenschutz.de@zinia.com.

 

3. What information do we collect from you and how do we obtain it?

 

We process the categories of personal data listed below that we obtain from you either directly through the various forms of data collection or through third parties (e.g., the business where you make your purchase, credit bureaus or other external/public sources).

 

The information we provide in each form as “mandatory” is necessary for the proper conduct of your relationship with Openbank. If we do not receive this information, we will not be able to process your request or provide you with the Service.

 

  • Contact and identification data: First and last name, billing and shipping address, mobile phone number, fingerprint, email and country of residence.

 

  • Data of an economic, financial and insurance nature: Data related to the price of the goods you purchased, payment data (e.g. account number, bank and branch name), payment arrears data, solvency and debt history, open payment orders, and information about negative payment history and credit commitments made.

 

  • Data on goods and services purchased: Information related to the product you purchased, such as item number, model, price, and tracking number.

 

  • Device data: IP address, language settings, browser settings, time zone, operating system, platform, screen resolution, login via the different devices you use, and similar device settings.

 

  • Data about you: Date of birth, age, gender and nationality.

 

  • Unique identifiers: Information collected from the cookie identifier, device number, fingerprint, recorded calls, and email correspondence.

 

  • Employment data: Position and contact details of the persons acting as the legal representatives of the businesses we work with.

 

  • Special categories of personal data: Health and sanctions list information.

 

  • Politically exposed persons and sanctions list information: Sanctions lists and lists of politically exposed persons, information such as name, date of birth, place of birth, employment or function, as well as the reason for including the person in the respective list.

 

In addition to the abovementioned data that you provide us with directly (e.g., through the various information forms) or which we receive from third parties (e.g., the business in which you make your purchase or credit bureaus), we also process data about you that we obtain from our internal sources, such as:

 

  • personal data we obtain derived from the business relationship we have with you to provide the Services.

 

  • personal data we receive as a result of your interaction through our website/app.

 

  • Information inferred or received from information you previously provided to us (e.g., when we create profiles).

 

  • personal data about you that we may have received as part of a contractual business relationship between you and Openbank (as Zinia and Openbank are the same data controllers) in addition to providing the services under the Zinia trademark.

 

4. Data processing activities we carry out

 

Data processing activity

Purpose of the data processing activity. What exactly do we do and why?

Categories of personal data processed

Legal basis for data processing

The purpose of the processing ends:

1

User/Customers registration management

Manage customer interaction in accordance with the terms and conditions of the Service, including registration and communication of relevant information.

 

Contact and identification data.

 

Data of an economic, financial and insurance nature.

 

Data on goods and service transactions.

 

Appropriate execution and provision of the Services in accordance with Article 6.1b GDPR.

Upon termination of your business relationship with Openbank.

2

Conducting a fraud risk analysis

 

See Section 5 for more information.

 

Analyse possible fraudulent activity as part of your request for our Buy Now, Pay Later service (or similar) and your relationship with us to avoid registration requests that could be fraud (automated decisions).

 

 

Contact and identification data.

 

Information about you.

 

External sources:

 

Profile information and other data from social platforms and publicly available sources.

 

 

 

Legitimate interest on the part of Openbank to avoid fraudulent activities and to protect existing customers and their business activities (see Article 6.1f GDPR).

When performing the fraud assessment.

3

Disclosure of data to third parties for the purpose of fraud prevention

We will share your information with Emailage Ltd., to detect and prevent potential fraud and to comply with the relevant procedures, rights and warranties set out in the applicable legislation and recognised at all times. Emailage acts as a controller when processing your personal data and uses your data for the purposes set out in its privacy policy. To exercise your data protection rights against Emailage, you can send an email to: DPO@lexisnexisrisk.com

Contact and identification data.

Data of an economic, financial and insurance nature.

 

Legitimate interest of Openbank to avoid fraudulent activities and to protect existing customers and their business activities (see Article 6.1f GDPR).

When transferring data to the third party.

4

Disclosure of data to other companies within the Santander Group for advertising purposes

 

See Section 7 for more information.

Sharing customer data with other companies within the Santander Group (according to the definition of a group of companies within the scope of Article 42 of the Spanish Commercial Code, which can be viewed here), so that these companies can send you advertising about their products and services via various means (including electronic channels).

 

Contact and identification data.

 

Data of an economic, financial and insurance nature.

 

Data on goods and services transactions.

 


 

 

With your prior consent in accordance with Article 6.1a GDPR.

If you withdraw your consent.

5

Exercising data protection rights and related requests

 

Process, manage and resolve requests from customers, data subjects and other data protection officers to exercise their GDPR rights, as well as complaints sent by the data subject directly to Openbank or through the relevant supervisory authorities.

 

Contact and identification data.

Data of an economic, financial and insurance nature.

Data on goods and services transactions.

Business data.

Pursuant to Article 6.1c GDPR, Openbank’s legal obligation as the Data Protection Officer to comply with its obligations within scope of Articles 15-22 GDPR.

When exercising data protection rights.

6

Debt collection

Manage the collection of customer debt to Openbank.

Contact and identification data.

 

Data of an economic, financial and insurance nature.

 

 

Appropriate execution and provision of the Services in accordance with Article 6.1b GDPR.

When paying your debts to Openbank.

7

Selling the debt portfolio

Sale of Openbank’s debt portfolio to third parties to obtain a return from default debts.

Contact and identification data.

Data of an economic, financial and insurance nature.

Data on goods and services transactions.

Legitimate interest of Openbank in managing its clients’ debt portfolio and selling it to third parties to obtain a return, pursuant to Article 6.1f GDPR.

When we pass the open debt on to third parties.

8

Processing of financial data

 

Maintain accounting and administrative procedures as required under accounting law and to comply with applicable law. Preparation of reports or messages on personal data to the various supervisory authorities (Spanish Central Bank). Data collection and accounting in accordance with accounting laws.

Contact and identification data.

Data of an economic, financial and insurance nature.

 

Pursuant to Article 6.1c GDPR, Openbank’s legal obligation to retain accounting and administrative data and to comply with reporting obligations to the relevant financial and anti-money laundering authorities as set out in the Spanish Law 44/2002 on Financial Systems and the Spanish Law 10/2010 on Anti-Money Laundering and Countering the Financing of Terrorism.

Upon termination of your business relationship with Openbank.

9

Data transfers from the business where you made your purchase to Openbank

 

See Section 6 for more information.

 

The right of the business to ask for money for your purchase is transferred to Openbank (invoice sales).

 

 

Contact and identification data.

Data of an economic, financial and insurance nature.

Data on goods and services transactions.

 

 

Appropriate execution and provision of the Services in accordance with Article 6.1b GDPR.

When the purchase occurs.

 

10

Email validation

 

Data processing to confirm the email address provided by the customer and to verify that the data mentioned is correct and to ensure data quality.

Contact and identification data.

 

Appropriate execution and provision of the Services in accordance with Article 6.1b GDPR.

Upon validation completion.

11

Sending messages for fraud prevention purposes

 

During and after the contractual process, once you have signed the contract and become an Openbank customer, we will send you notices to verify your identity or to detect fraudulent activities.

Contact and identification data.

 

Information about you.

 

Data of an economic, financial and insurance nature.

Legitimate interest on the part of Openbank to avoid fraudulent activities and to protect existing customers and their business activities (see Article 6.1f GDPR).

Upon termination of your business relationship with Openbank.

12

Sending messages for marketing purposes

 

See Section 7 for more information.

 

Sending promotional messages based on customer segmentation.

Contact and identification data.

Data of an economic, financial and insurance nature.

Data on goods and services transactions.

 

With your prior consent in accordance with Article 6.1a GDPR.

If you withdraw your consent.

13

Customer satisfaction and market research surveys

 

Customer calls to conduct customer satisfaction surveys, conduct surveys, market research or international statistics, and prepare commercial reports to better understand our customers’ consumption patterns and to internally evaluate the design, creation and improvement of new products that may be of interest to our customers or to enter into commercial agreements with third parties.

Contact and identification data.

Data of an economic, financial and insurance nature.

Unique identifier.

With your prior consent in accordance with Article 6.1a GDPR.

If you withdraw your consent.

14

Ensuring the security of network and service information

Ensuring the security of Openbank’s network and information. Data processing is required to achieve the specific purpose. The legitimate interest takes precedence over the customer’s right to object.

Contact and identification data.

Data of an economic, financial and insurance nature.

Unique identifier.

Legitimate interest of Openbank in protecting its network and information security system for its business and its services (see Article 6.1f GDPR).

Upon termination of your business relationship with Openbank.

15

Processing sensitive customer data

 

Only upon your express request and based on your prior consent will we process data relating to your disability or precarious situation in order to be able to provide the Service to you in a manner that is tailored to your personal needs and circumstances. For example, if you have hearing or vision problems, we can arrange special help for you at your request.

Contact and identification data.

Special categories of personal data.

Data of an economic, financial and insurance nature.

With your prior consent in accordance with Article 6.1a GDPR.

Upon termination of your business relationship with Openbank or if you withdraw your consent.

16

Anonymisation of personal data

 

Anonymisation of your personal data to improve our services and products and to analyse consumer behaviour, compile statistics and reports for market analysis or analysis of payment trends or volumes in specific regions or industries, and to develop and test products; to improve our risk and credit models and to shape our services (where possible, we first anonymise the data before carrying out these activities to ensure that no personal data will be processed later).

Contact and identification data.

Data of an economic, financial and insurance nature.

Business data.

Data on goods and services transactions.

Information about you.

Employment data.

Unique identifier.

 

Legitimate interest of Openbank in using the anonymised customer data to improve our products and to provide the services to customers (see Article 6.1f GDPR).

Upon termination of your business relationship with Openbank.

17

 

Profiling activities with internal sources to understand which of our products and services could be of interest to you in order to, at a later stage, offer you those products and send corresponding advertising.

 

See Section 7 for more information.

Analysis and profiling of your economic and personal characteristics based solely on the retrieval of information from internal sources to determine which of our products and services are best suited to your situation and/or areas of interest.

 

Contact and identification data.

Data of an economic, financial and insurance nature.

Business data.

Data on goods and services transactions.

Information about you.

Employment data.

Unique identifier.

 

With your prior consent in accordance with Article 6.1a GDPR.

Upon termination of your business relationship with Openbank or if you withdraw your consent.

18

 

Profiling against internal data to determine what type of marketing of third-party products we offer.

 

See Section 7 for more information.

Analysis and profiling of your economic and personal characteristics based on the retrieval of information from internal sources to determine which third-party products and services are best suited to you.

 

Contact and identification data.

Data of an economic, financial and insurance nature.

Business data.

Data on goods and services transactions.

Information about you.

Employment data.

Unique identifier.

With your prior consent in accordance with Article 6.1a GDPR.

Upon termination of your business relationship with Openbank or if you withdraw your consent.

19

Profiling based on internal and external data on customer acceptance analytics data at the initiative of Openbank.

 

At Openbank’s initiative to profile interested individuals based on information we have collected from internal sources in addition to external sources to analyse customer adoption.

Contact and identification data.

Data of an economic, financial and insurance nature.

Business data.

Data on goods and services transactions.

Information about you.

Employment data.

Unique identifier.

External sources:

CRIF databases.

SCHUFA databases.

With your prior consent in accordance with Article 6.1a GDPR.

Upon termination of your business relationship with Openbank or if you withdraw your consent.

20

Profiling internal and external data for credit and fraud analysis

 

See Section 5 for more information.

Profiling interested individuals using information we have collected from internal sources in addition to external sources to analyse the customer’s creditworthiness and avoid possible fraud situations.

Contact and identification data.

Information about you.

Data of an economic, financial and insurance nature.

Business data.

Employment data.

Data on goods and services transactions.

Unique identifier.

External sources:

CRIF databases.

SCHUFA databases.

With your prior consent in accordance with Article 6.1a GDPR.

Upon termination of your business relationship with Openbank or if you withdraw your consent.

21

Legal, administrative and judicial complaints

 

To handle complaints from different parties depending on the service provided.

Contact and identification data.

Data of an economic, financial and insurance nature.

 

 

Legal obligation pursuant to Article 6.1c GDPR.

After the complaint is handled.

22

Customer service

 

Answer calls to customer service and customer management, and handle customer service enquiries.

Contact and identification data.

Data of an economic, financial and insurance nature.

Unique identifier.

Business data.

 

Legal obligation under Article 6.1c GDPR in connection with the legal obligations under the Spanish Financial Systems Act 44/2002 and the Spanish Order ECO/734/2004 of 11 March regulating customer service in financial companies.

After completion of the telephone call.

23

Legal/contractual messages

 

Sending messages to customers to provide them with accurate and updated information about the business relationship, such as a change of the terms and conditions or privacy policy, account termination, refund, payment letter.

Contact and identification data.

Data of an economic, financial and insurance nature.

Appropriate execution and provision of the Services in accordance with Article 6.1b GDPR. Legal obligation to inform our customers of changes in the terms and conditions for the Services, pursuant to Article 6.1c GDPR.

Upon termination of your business relationship with Openbank.

24

Approval of customer registration using creditworthiness analyses (automated decision)

 

See Sections 6 and 9 for more information.

Analyse the prospective customer's creditworthiness through fully automated decisions to approve the purchase.

Contact and identification data.

Data of an economic, financial and insurance nature.

External sources:

CRIF databases.

SCHUFA databases.

Appropriate execution and provision of the Services in accordance with Article 6.1b GDPR.

Upon termination of your business relationship with Openbank.

25

Debt payment

Payment of customer's debt.

Contact and identification data.

 

Data of an economic, financial and insurance nature.

Appropriate execution and provision of the Services in accordance with Article 6.1b GDPR.

When your debt is paid.

26

Recording of calls

 

Recording and storing telephone calls and notification records by various means provided for this purpose.

Contact and identification data.

 

 

With your prior consent in accordance with Article 6.1a GDPR.

If you withdraw your consent.

27

Quality and service metrics

 

Perform quality metrics to better understand the level of quality achieved during the provision of the Services to internally assess the quality standards and improvements to be made.

 

Contact and identification data.

Data of an economic, financial and insurance nature.

Unique identifier.

Business data.

 

 

Legitimate interest of Openbank in measuring its quality standards to improve our products and to provide the services to customers (see Article 6.1f GDPR).

Upon termination of your business relationship with Openbank.

28

Complaints about the purchased product

 

Manage customer complaints about the purchased product, coordinate complaints with the business where you purchased the product.

 

Contact and identification data.

Data of an economic, financial and insurance nature.

Data on goods and services transactions.

 

 

Legal obligation to process and manage complaints received from customers (see Article 6.1c GDPR).

After the complaint is processed.

29

Send advertising based on data received from external sources.

 

See Section 7 for more information.

Send advertising based on data received from external sources.

Contact and identification data.

Data of an economic, financial and insurance nature.

External sources:

CRIF databases.

SCHUFA databases.

OpenStreetMap provides us with information about generally accessible geographic data such as street maps.

Here.com provides us with information about your address: https://www.here.com/here-statement-gdpr

With your prior consent in accordance with Article 6.1a GDPR.

If you withdraw your consent.

30

Sending advertisements regarding third-party products using data from external sources.

 

See Section 7 for more information.

Send advertisements regarding third-party products using data from external sources.

Contact and identification data.

Data of an economic, financial and insurance nature.

External sources:

CRIF databases.

SCHUFA databases.

OpenStreetMap provides us with information about generally accessible geographic data such as street maps.

Here.com provides us with information about your address: https://www.here.com/here-statement-gdpr

With your prior consent in accordance with Article 6.1a GDPR.

If you withdraw your consent.

31

External audit

Verify compliance with external audit requirements. Processing customer data for audit sampling.

Contact and identification data.

Data of an economic, financial and insurance nature.

Legal obligation pursuant to Article 6.1c GDPR.

After completion of the external audit.

32

Internal audit

Verify compliance with Openbank’s regulations and internal rules. To conduct the internal audit, tests may need to be performed that require access to customer databases.

Contact and identification data.

Data of an economic, financial and insurance nature.

 

 

Our legitimate interest to verify that our processes are adequate and appropriate to comply with legal obligations and internal quality standards to identify, control and mitigate legal or operational risks (see Article 6.1f GDPR). It should be noted that this information may need to be accessible to third parties performing the audit services in question.

Upon completion of the inspection or audit.

33

Responding to your requests on social media and carrying out social media analytics

When you use our social media pages, we process your data when responding to your enquiries and analysing your interactions with Zinia.

Contact and identification data.

Unique identifier.

Our legitimate interest in properly handling your requests sent to us via social media and in providing the Services in a simple and efficient manner and adapting our products in a way that meets your requirements and expectations (see Article 6.1f GDPR).

When the request between you and Openbank has been closed.

34

Draws and competitions

Data collection from, among other things, competitions, draws and cultural offers to conduct promotions.

Contact and identification data.

With your prior consent in accordance with Article 6.1a GDPR.

Upon termination of the competition.

35

Identity verification

 

Data processing to confirm your identity with verification of the accuracy of your data sent to us and to prevent criminal activity. Verify customer identity.

Contact and identification data.

Legal obligation pursuant to Article 6.1c GDPR. Principle of accuracy (Art. 5.d GDPR).

 

 

When your data has been verified.

36

Disclosure of information to credit bureaus

 

See Section 9 for more information.

We process your personal data to report information regarding the Service, as well as information regarding any breach of contract, failure to make payments or fraudulent conduct to credit bureaus (e.g., SCHUFA and CRIF).

Contact and identification data.

Data of an economic, financial and insurance nature.

Data on goods and services transactions.

 

Our legitimate interest in avoiding non-payment situations that harm us and in controlling them appropriately, as well as the legitimate interest of third-party financial institutions to be informed of all payments not made when processing new financial applications.

For debt repayment.

37

Cookies
See Section 12 for more information.

Store user browsing data for analysis or measurement, settings, personalisation, and behavioural advertising as provided by https://www.zinia.com/en-de/cookie-policy.

Contact and identification data.

With your prior consent in accordance with Article 6.1a GDPR.

If you withdraw your consent.

38

Click&Collect

Request from the customer via the website of the business to collect the purchased goods directly from the business.

Contact and identification data.

Data of an economic, financial and insurance nature.

Appropriate execution and provision of the Services in accordance with Article 6.1b GDPR.

When the purchased goods have been picked up.

39

Point of Sale

Request from the customer to make the purchase directly in store.

Contact and identification data.

Data of an economic, financial and insurance nature.

Appropriate execution and provision of the Services in accordance with Article 6.1b GDPR.

When the purchased goods have been picked up.

40

Anti-money laundering or terrorist financing through automated decisions, among others

Reviewing the information provided and avoiding criminal activity.

Verifying whether the end user of the Service or the person acting as a legal representative or representative of a business is a publicly or politically exposed person, in this case, applying enhanced due diligence measures in the business relationships or services provided to you by us.

Contact and identification data.

External sources:

Information from external sanctions lists and lists of politically exposed persons.

Legal obligation pursuant to Article 6.1c GDPR.

Law 10/2010 on the fight against money laundering and terrorist financing and Royal Decree 304/2014 of 5 May on the approval of the regulations of Law 10/2010.

 

At the end of the contract between you and Openbank or (for legal representatives) when your representation comes to an end.

41

Processing of the information of (legal) representatives of legal entities or involved self-employed persons

If you are self-employed or represent a business that is interested in working with us, we will process your contact details, as well as details relating to your role and in general your contact details. We do not use your personal data to create a business relationship with you at an individual level.

Contact and identification data.

Appropriate execution and performance of the contract with the businesses with which we work (see Article 6.1f GDPR).

When the contract entered into between you and Openbank ends, or when you no longer act as a representative of the company.

 

In addition to the information provided in the table above about the data processing we perform, below is a detailed explanation of some of our data processing activities that we consider particularly relevant, including, where applicable, information about external data sources, the logic involved in automated data processing, and the possible consequences of such data processing, such as:

 

5. Fraud prevention

 

We are committed to and strive to prevent fraud and to protect you and our other customers against possible fraudulent behaviour.

To this end, we use automated decisions for your application for the Service, which can have significant consequences for you. Profiling is thus carried out by automated processing of your data in order to assess the information received as part of your application and to decide whether to purchase your invoice, or to assess whether your use of our services is associated with a risk of fraud. Based on your user behaviour, we create a profile based on specific anti-fraud tools and compare this usage behaviour and conditions data with our risk criteria established internally.

The effect of these automated decisions for you is that we decide whether we are able to approve your application to use the Service based on the analysis carried out. We use the information you provide, as well as data from external sources and Openbank’s internal data, including information we have about you from your previous use of our services and data relating to the device you use to request the Service.

If our data processing reveals that your conduct constitutes possible fraudulent conduct, that it does not match your previous use of our Services, or that you have attempted to hide your true identity, we will decide whether you pose a fraud risk to us. Automated decisions, where we assess whether you pose a fraud risk to us, are based on information you provide, information from fraud tools and information from service providers we use or work with, and Openbank’s internal information.

The categories of personal data used in each decision are described in Section 4. Please note that if you have had a business relationship with Openbank prior to the transaction being conducted, due to the fact that Zinia and Openbank are the same data protection officer, we will also process personal data about you for the purposes described in this section that we have received as part of the business relationship mentioned. For more information on who we share profiling information with during automated decision making, see Section 9.

If you are not approved due to the automated decisions described in this section, you will not be granted access to the Service. We have several controls in place to ensure that our automated decisions are appropriate. These mechanisms include ongoing testing and revision of our decision models, as well as complete documentation of rejected applications and the appropriate justifications. If you do not agree with the outcome, please feel free to contact us and one of our analysts will determine if the procedure was performed appropriately. You also have the option to object using the instructions below.

Under data protection laws, you have the right to object to automated decisions with legal consequences or to decisions that may otherwise have significant consequences for you. In this case, please send an email to datenschutz.de@zinia.com. Upon receipt of your objection, we will review the decision, taking into account additional information and circumstances you may provide.

 

6. Data transfer from the business where you made your purchase to Openbank and approval of the customer registration using a credit score analysis (automated decision)

When you request the Service, the business where you make a purchase provides us with certain personal information about you in order to grant Openbank the right to charge you for your purchase.

We have to process personal data (i) that we received from the business, (ii) provided directly by you to us and (iii) collected by Openbank from external sources (such as other third parties and publicly available sources) in order to analyse and manage the approval of the sale of invoices and, if an invoice purchase is finally made, to comply with the resulting liabilities and maintain the business relationship with you.

To that end, we assess your solvency so that we can predict whether you can afford to pay for the goods purchased and avoid possible non-payment of the debt and situations that could harm both Openbank and you.

The sources from which we receive the data and the special categories of personal data we collect from these sources are described in Section 4. Please note that if you already had a business relationship with Openbank prior to the transaction being conducted, due to the fact that Zinia and Openbank are the same data protection officer, we will also process personal data about you for the purposes described in this section that we have received as part of the relationship mentioned.

The logic behind the invoice purchase approval analysis we perform is based on the analysis of the information provided by you, such as your purchase history and payments, as well as the sources listed in Section 4 that provide us with information related to your identity and financial condition. The abovementioned data and the analytical characteristics of our risk models allow us to automatically derive whether you can afford to pay for the product so that we can approve or reject your request.

You have the right to request a statement of the decision made, to exercise your right not to be subject to fully automated decisions, by requesting the intervention of one of our analysts, to express your opinion on the decision made based on the profiling and to object to the decision.

7. Commercial and promotional messages

As part of the abovementioned data processing, we also process your personal data for marketing purposes. The scope and purpose of these data processing activities, as well as the relevant legal basis and the categories of personal data processed, are described in detail below:

 

  • Sending promotional messages about our products and services

 

Provided that you have given us your prior consent to carry out this data processing activity, Openbank may send you personalised promotional messages about its products and services while the business relationship remains in force. These promotional messages may be generated by automated and non-automated means (by post, phone, SMS, instant messaging applications, email, web push, pop-up or other electronic or telematic means available at any time) and take the analysis of your customer profile into account.

This profile is created by analysing your behavioural and risk patterns, other internal sources such as payment details, and information obtained from external sources.

The sources from which we receive the data and the specific categories of personal data we collect from those sources are described in Section 4. Please note that if you have had a business relationship with Openbank prior to the transaction being conducted, due to the fact that Zinia and Openbank are the same data protection officer, we will also process personal data about you for the purposes described in this section that we have received as part of the business relationship mentioned.

The legal basis for this data processing is the consent previously obtained from you. The purpose of this profiling is to enable us to analyse your economic and personal characteristics in order to determine which of the products offered best suits your situation; to do this, we use two variables: your tendency to contractually take out the product, and the likelihood of the transaction being approved.

Profiling is the result of an automated decision using the following logic. We process the information received from you in order to determine your payment behaviour, the customer segment(s) to which you are assigned, in accordance with our internal classification criteria, as well as the regular performance of our obligations. As a result of this activity, we may decide not to offer you certain products or services in view of the risk that the bank takes on and the assessment resulting from the analysis of the information received.

You may withdraw the consent you have given to Openbank in relation to this data processing activity at any time through the channels referred to in Section 10 of this Privacy Policy.

It is important that you understand that this data processing is based on the abovementioned purpose, i.e., to recommend Openbank products and services to you based on the information received from internal and external sources.

 

  • Sending promotional messages about third-party products and services

Provided that you have given us your prior explicit consent to carry out this data processing, Openbank may send you personalised promotional messages about the products and services of third parties. These promotional messages may be sent by automated and non-automated means (by post, phone, SMS, instant messaging applications, email, web push, pop-up or other electronic or telematic means available at any time) and take the analysis of your customer profile into account.

We send you promotional messages about the products and services of third parties that carry out business activities in sectors including, but not limited to: Finance, Insurance, Leisure and Tourism, Entertainment, Telecommunications, Information Society, Retail, Luxury, Health, Food, Automotive, Hospitality and Hotel, Department Stores, Energy, Real Estate and Security Services. This profile is created by analysing your behavioural and risk patterns. For example, if the information we have about you shows that you like technology products, we will send you promotional messages about products offered by companies in this area. We also use other internal sources such as payment details and information from external sources.

The sources from which we receive the data and the specific categories of personal data we collect from those sources are described in Section 4. Please note that if you have had a business relationship with Openbank prior to the transaction being conducted, due to the fact that Zinia and Openbank are the same data protection officer, we will also process personal data about you for the purposes described in this section that we have received as part of the business relationship mentioned.

The legal basis for this data processing is the consent previously obtained from you. The purpose of this profiling is to enable us to analyse your economic and personal characteristics to determine which of the products offered by these third parties best suits your situation by using two variables: your tendency to contractually take out the product, and the likelihood of the transaction being approved.

Profiling is the result of an automated decision using the following logic. We process the information received from you in order to determine your payment behaviour, the customer segment(s) to which you are assigned, in accordance with our internal classification criteria, as well as the regular performance of our obligations. As a result of this activity, we may decide not to offer you certain products or services in view of the risk that the bank takes on and the assessment resulting from the analysis of the information received.

You may withdraw the consent you have given to Openbank in relation to this data processing activity at any time through the channels referred to in Section 10 of this Privacy Policy.

It is important that you understand that this data processing is based on the abovementioned purpose, i.e., to suggest third-party products and services to you based on information received from internal and external sources.

 

  • Transfer data to other Santander Group companies to send promotional messages and special offers in relation to their products and services

 

Provided that you have given us your prior express consent to carry out this data processing, Openbank may share your personal data with other companies belonging to the Santander Group so that they can offer you products and services that may be of interest to you.

The Santander Group companies to which we may transfer your personal data are all Santander Group companies as defined in Article 42 of the Spanish Trade Act. You can see which companies belong to the Santander Group here.

These promotional messages may be generated by automated and non-automated means (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or other electronic or telematic means available at any time) and will take the analysis of your customer profile into account in accordance with the information provided to such third parties.

This profile is created by analysing your behavioural and risk patterns, other internal sources such as payment details, and information obtained from external sources.

The sources from which we receive the data and the specific categories of personal data we collect from those sources are described in Section 4. Please note that if you have had a business relationship with Openbank prior to the transaction being conducted, due to the fact that Zinia and Openbank are the same data protection officer, we will also process personal data about you for the purposes described in this section that we have received as part of the business relationship mentioned.

You may withdraw the consent you have given to Openbank in relation to this data processing activity at any time through the channels referred to in Section 10 of this Privacy Policy.

It is important that you understand that this data processing is based on the abovementioned purpose, i.e., the disclosure of your personal data to other Santander Group companies so that they can recommend their products and services to you.

 

8. How long do we keep your personal data for?

 

We will retain your information for as long as your business relationship with us remains in force. After the end of said relationship, we will, as a general rule, block your data, implementing technical and organisational measures necessary to avoid its processing, including its visibility; this excludes making your data available to judges and courts, the public prosecutor's office or public administrations and competent authorities if we are requested to do so in order to fulfil possible responsibilities arising from the data processing. However, this only applies for the duration of the retention period under applicable consumer law.

 

9. Who will your personal data be shared with?

  • Authorities: Third parties to whom we are required by law to provide information, such as public institutions, tax authorities and courts.
  • Service providers and subcontractors: We will collaborate with third-party service providers which may have access to your personal data, and process them on our behalf, as a consequence of the services they provide us. We follow strict criteria when selecting our service providers in order to comply with the data protection requirements and obligations, and we undertake to sign the corresponding data processing agreements with them, whereby we will enforce, among others, the following obligations: to apply appropriate technical and organisational measures; to process the personal data for the agreed purposes and only in accordance with our documented instructions; and to delete or return to us the data once the provision of the services has been completed or terminated.

 

In particular, we will outsource the provision of services by third-party service providers from the following sectors, among others: logistics services, legal advice, private valuation services, supplier certification, multidisciplinary professional services companies, maintenance-related companies, technology service providers, IT service providers, instant messaging service providers, and call centre companies.

 

  • Fraud prevention service providers: We will share your data with Emailage Limited, a company we collaborate with to prevent fraud. Emailage also acts as a Controller for the processing of your personal data and will use it for the purposes established in its privacy policy. You can exercise your rights regarding data protection by contacting Emailage at: DPO@lexisnexisrisk.com.
  • Debt buyers: We may transfer outstanding debt to debt buyers, in compliance with the procedures, rights and warranties set forth and recognised in applicable regulations. The transfer mentioned means sharing the following categories of personal data about you with the debt buyer (who acts as a separate data controller): Contact and identification data, economic, financial and actuarial data; data relating to the transaction of goods and services and any data we obtain from our contractual relationship with you. The legal basis for carrying out the described data transfer is Openbank’s legitimate interest in managing its customer's debt portfolio and selling it to third parties in order to obtain an economic return in accordance with Article 6.1.f) of the GDPR. The debt buyer processes your personal data in accordance with its privacy policy. In any case, when your debt is transferred, you will be informed of the specific debt buyer.
  • If payment is not made, we send the data to creditworthiness databases, following the procedures and warranties set out in and recognised by the applicable legislation, namely:

 

SCHUFA: “Openbank shall transfer personal data collected within the framework of this contractual relationship with regard to the application, development and termination of this business relationship as well as information about infringing or fraudulent conduct to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. The legal basis for this data transfer is contained in the provisions of Article 5 Paragraph 1b and Article 6 Paragraph 1f of the General Data Protection Regulation (GDPR). Data may only be transferred in accordance with the provisions of Article 6 Paragraph 1f of the GDPR where this is necessary to defend the legitimate interest of the bank/savings bank or third parties, and where this does not exceed the interests or fundamental rights and freedoms of the data subject who requires the protection of their personal data. Data will also be exchanged with SCHUFA to comply with legal obligations in relation to the performance of credit checks of customers (Section 505a BGB (Bürgerliches Gesetzbuch [German Civil Code]), Section 18a Banking Act). In this regard, the customer also indemnifies Openbank from banking secrecy. SCHUFA processes the data it receives and also uses such data for profiling (scoring) in order to make information available to its contractual partners in the EEA, Switzerland and other third countries (provided that the European Commission has declared such countries suitable) for credit checks of natural persons and for other purposes. More detailed information on SCHUFA’s activities can be found online at www.schufa.de/datenschutz.“

 

CRIF: “We transfer information within the framework of this contractual relationship with regard to non-payments to CRIF GmbH, Leopoldstraße 244, 80807 Munich. The legal basis for these data transfers is contained in Article 6 Paragraph 1b and in Article 6 Paragraph 1f of the General Data Protection Regulation (GDPR). CRIF GmbH processes the data it receives and also uses such data for profiling (scoring) in order to make information available to its contractual partners in the EEA, Switzerland and other third countries (provided that the European Commission has declared such countries suitable) for credit checks of natural persons and for other purposes. Detailed information on the cooperation of CRIF GmbH is available online at www.crif.de/datenschutz.“

 

  • Service providers outside the European Union who have access to or process your data. As part of some of the above services offered by third-party service providers, we may transfer your data internationally. This is always for the purpose of maintaining and managing the business relationship you have with us or to avoid fraudulent actions or transactions. These data transfers will be made both to countries that offer an adequate level of data protection comparable to that of the European Union and to countries without such a level of data protection. In the latter case, however, you do not have to worry. We use various mechanisms established by applicable regulations to comply with all safeguards such as standard contractual clauses or certification mechanisms when handling your personal data. To learn more about the international data transfers we have made, please email datenschutz.de@zinia.com.

 

10. Your data protection rights

You have the following rights, which you can exercise at any time:

 

  • Right of access: You have the right to obtain an answer to whether or not Openbank processes personal data relating to you and, if so, to access such data.
  • Right to data portability: You have the right to receive a copy of the personal data you have provided to us, in a readable, structured, commonly used format, and also to request the transfer to another institution.
  • Right to rectification: You have the right to request the correction of inaccurate data.
  • Right to erasure: You have the right to request the erasure of your data when, among other reasons, it is no longer necessary for the purposes for which you provided it to us.
  • Right to object: Under certain circumstances, you can object to the processing of your personal data. If you object, Openbank will stop processing the data, except where there are compelling legitimate reasons, or for the exercise or defense of possible claims.
  • Right to restriction of processing: Under certain circumstances laid down in applicable data protection law, you can request that the processing of your data be restricted.
  • Right to withdraw consent: You have the right, at any time and without providing any specific cause, to withdraw your previously given consent. The withdrawal of consent will not affect the lawfulness of the data processing carried out on the basis of that consent prior to its withdrawal.
  • Right not to be subject to exclusively automated decisions: In the event that you have consented to profiling and it is carried out through an exclusively automated process, you can request the intervention of one of our analysts, express your point of view and contest the decisions made on the basis of this profiling.

 

You can exercise the rights described above through the following channels:

 

  • Email: datenschutz.de@zinia.com
  • Post: Privacy, Open Bank, S.A., Plaza de Santa Bárbara 2, 28004 Madrid, Spain
  • Location: Plaza de Santa Bárbara 2, 28004 Madrid, Spain
  • Contact centre: 0800 0292 008

 

Finally, you may file a claim with Openbank and/or the German Data Protection Authority, in particular if you are not satisfied after exercising your rights, by writing to the above address or via the website www.aepd.es. If you live in a Member State other than Germany, you may also contact your national Data Protection Supervisory Authority directly.

 

11. Make sure your data is up to date

In order for us to communicate with you, we ask that you ensure that all information you provide to us for our databases is correct, complete, accurate and completely up to date.

If the personal data you have provided to us has changed, in particular your mailing address, email address and telephone number (landline and mobile), we ask that you inform us of the change immediately via one of the channels listed in Section 10.

If you do not notify us of these changes, you acknowledge and agree that any notices we send to your mailing address or email address, or the contact telephone numbers displayed in our file system, are valid, binding and fully legal and effective.

12. Cookies

At Openbank, one of the reasons we use cookies is so that the website remembers you when you access your space or customise the content you are interested in according to your browsing habits.

When you access Zinia's website, we will inform you about the cookies we use, and you will then have the opportunity to configure the analytics and advertising cookies you use, as well as the customisation cookies when navigating Zinia's website. For more information, please see our Cookies Policy.

 

13. Changes to the Privacy Policy

We will endeavour to keep this Privacy Policy up to date to reflect any new developments in the scope of our processing of your personal data. Therefore, it is important that you take the time to read and understand this Privacy Policy. We will notify you by email of any changes we need to make to this Privacy Policy.