Privacy Policy

1. Introduction: scope of application

The purpose of this privacy policy (hereinafter, referred to as the “Privacy Policy” or the “Policy”), in accordance with Regulation (EU) 679/2016 of 27 April 2016, approving the General Data Protection Regulation (hereinafter, the "GDPR") and other applicable implementing data protection legislation, is to provide information about the processing carried out by Open Bank, S.A. (hereinafter “Openbank”, “Zinia”, its registered trademark, or “we”) of the personal data of customers (hereinafter, the “Customer” or directly, “you”) that apply for a loan (general consumer loan agreement within the meaning of § 491 BGB) (hereinafter, the “Service”). The Service will be offered under the trademark, Zinia.

This Privacy Policy is applicable to anyone whose data may be subject to processing in relation to the Service, such as our customers, agents, legal representatives (of natural or legal persons) and guarantors, etc.

This Policy is intended to provide you with the necessary information about the categories of personal data (hereinafter, also referred to as “data”) that we will process under the Service, as well as information on the means by which we have obtained your personal data, the purposes for which we collect and process your personal data, the legal basis for such processing, the recipients of the data, the period of time data during which they are stored, your legal rights regarding your personal data, and any other privacy information that we believe you should be provided with in accordance with the requirements set out in the applicable data protection legislation, all for the purpose of ensuring complete transparency.

Please consider this Privacy Policy to be additional to any other privacy policy and/or notice that we may provide or send you at any point during our pre-contractual or contractual relationship with you.

Please take a moment to read and fully understand its contents. If you have any questions or queries, please contact our data protection officer using the following contact details.

2. Who is the data controller and how can the data protection officer be contacted?

The controller, pursuant to Article 4 (7) of the GDPR, responsible for processing your personal data is:

Open Bank, S.A. (under its trademark, “Zinia”)

Plaza de Santa Bárbara 2,
28004, Madrid,
Spain

You may also contact our local German branch:

Open Bank, S.A., Zweigniederlassung Deutschland

An der Welle 5

Frankfurt am Main

Germany

If you have any queries relating to the processing of your personal data, you may contact our data protection officer via the address mentioned above or by email to: datenschutz.de@zinia.com.

3. What data do we process and how do we obtain them?

We process the following categories of personal data:

• Contact and identification data: salutation, name and surname, date of birth, marital status, citizenship, residency/billing and shipping address (including street, house number, postcode, city), country, information on whether or not the applicant has lived at the current address for more than 3 years, email address and mobile phone number.
• Information on your financial situation: number of children in the household, number of children for which the applicant pays child benefits, monthly housing costs, income tax liability in Germany, Tax Identification Number (Tax ID), IBAN, profession (and date started) and professional sector, and company name of the employer.
• Identifying information: Tax ID/National ID Number, first name and last name, address, signature/fingerprints, image/voice, electronic signature, Social Security/mutual insurance company number, health card, telephone number, email address, IP address, and biometric data or physical characteristics.
• Information on your personal characteristics: marital status, native language, physical characteristics, family information, date of birth, place of birth, age, gender and nationality.
• Information on social circumstances: licences, permits or authorisations, membership with clubs or associations, hobbies and lifestyle, property and possessions, family situation and accommodation characteristics.
• Academic and professional information: training and qualifications, student record, professional experience, and membership of professional associations.
• Employment information: profession, position, non-financial payroll data, and employee history.
• Commercial information: activities and business, commercial licences, subscriptions to publications, and artistic, literary or scientific works.
• Economic, financial and insurance information: income and revenue, tax deductions, investments and assets; information on insurance, mortgages, and loans taken out; guarantees, banking information, subsidies and benefits, pension and retirement plans, credit history, financial payroll data, and credit card.
• Information on goods and services transactions: compensations or indemnities, financial transactions, and goods and services received or supplied.

We will process the aforementioned categories of personal data that we have received directly from you (e.g., various information requests and/or product or service application forms).

In addition, we will process your data that we have obtained (i) during previous contractual relationships with you; (ii) as a result of your interaction with our website or app; or (iii) that we have derived and/or obtained from data that you have previously provided us with (e.g., obtained when we prepare profiles).

We will also process personal data that we obtain from the following external sources: (i) the store where the purchase is to be made or has been made; (ii) our service providers (such as CRIF GmbH, SCHUFA Holding AG, Lexis Nexis Risk Solutions), (iii) public administration bodies, (iv) publicly accessible sources, (v) debt collection agencies, (vi) third-party companies to which you have given your consent to transfer your data to Openbank or which, otherwise, legitimately transfer your data to Openbank, including service providers (e.g., financial aggregators), qualified trust-service providers (qualified electronic signature), or other Santander Group companies, of which you are a customer.

4. How do we process personal data?

Depending on the type of relationship you have with Openbank (from simply being interested in engaging the Service, to becoming an Openbank customer) we will process your personal data for the following purposes to the following extent and based on the following legal bases.

4.1 Applying for the Service

As our Service is meant to provide you with a financial solution so you can purchase goods or engage a service at a store we collaborate with (hereinafter referred to as, the “Store”), your loan application will start during the checkout process at the respective Store’s platform or online store.

If you want to purchase goods in-store, you can either use an assisted checkout or a self-checkout. If you choose an assisted checkout, the respective Store will help. A member of staff at the Store will guide you through the application process provided by the service provider, Payever GmbH, and collect all the information deemed relevant for the purchase and service application. The Store, acting as our processor, will provide in the application process all the information collected and send it to us for approval of the service (see below).

Some Stores will also offer you the option to use a self-checkout. In this case, you will be asked to enter the required information in the application process, which will be sent directly to us.

The same applies in purchases of goods via the online store. At checkout, you will be asked to enter the information required in the application process and the information will be sent to us.

During the application process you will – in any case - be asked to provide some documents and information, e.g., regarding your financial situation, which you will be able to provide us directly or by means of the account aggregation service provided by Tink AB (“Tink”), which will act as an independent controller.

Openbank will process your data to evaluate the application and provide you and the Store with a decision regarding the application approval, as well as to carry out the corresponding pre-contractual steps required to provide the Service, including sending appropriate notifications relating to your application.

Data processed: contact and identification data, information on your financial situation, economic, financial and insurance information.

In relation to this process, the following information serves to help you understand the role of both parties:

• Information that will be shared by the Store and Openbank (acting as separate controllers): first name and surname, email address, phone number, postal address and the price of the goods.
• Information that the Store (acting as a processor) will share with Openbank: nationality, marital status, date of birth, birth name, profession, employer, employment information, income information, expenses, and the documents provided during the process, as well as information provided by Tink. In some processes, Payever, the provider, will process this information on our behalf (acting as a processor).

Legal basis for the data processing: fulfilling precontractual measures and establishing of a contractual relationship with you, i.e., for the proper processing of your application, as per Article 6 (1)(b) GDPR. As regards communications, we have a legitimate interest in assisting you during the application process, which includes sending you appropriate communications, pursuant to Article 6 (1)(f) of the GDPR.

4.2 Data transfer to credit agencies

We will share your personal data with the credit agencies SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany (“SCHUFA”) and CRIF Bürgel GmbH, Radlkoferstr. 2, 81373 Munich, Germany (“CRIF”) in the following situations:

a) Credit Checks

Purpose of the data processing: (i) obtain a credit report (“Bonitätsauskunft”) on you in the form of a payment probability score, (ii) to validate the address details provided by you and (iii) for fraud prevention purposes. As part of this check, the details of your address will also be used to obtain information about known cases of fraud or attempted fraud by people with the same address (see Section b).

Data processed: identifying data, in particular your first name, surname(s), address or addresses, date of birth, IBAN, telephone number and email address.

Legal basis for the data processing: our legitimate interest to reduce the risk of debt defaults, pursuant to Article 6 (1)(f) of the GDPR.

b) Reporting of non-payments to credit agencies:

In addition, during our contractual relationship, we will occasionally share your personal data with SCHUFA and CRIF as set out below:

- SCHUFA: Openbank will transfer personal data – collected within the scope of this contractual relationship – regarding the application, performance and termination of this business relationship, as well as information regarding any breach of contract or fraudulent conduct, to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. The permissibility of this data transfer is provided for in Article 6 (1)(b) and Article 6 (1)(f) of the General Data Protection Regulation (GDPR). Data may only be transferred on the basis of Article 6 (1)(f) of the GDPR where it is required to defend the legitimate interests of the bank/savings bank or third parties, and does not outweigh the interests or fundamental rights and freedoms of the affected party requiring the protection of their personal data. Data is also exchanged with SCHUFA to fulfil legal obligations concerning the performance of customer credit rating checks (Section 505(a) of the German Civil Code; Section 18(a) of the German Banking Act). In this regard, the customer also releases Openbank from banking secrecy. SCHUFA shall process the data it receives and also use them for profiling (scoring) purposes, in order to provide its contractual partners in the European Economic Area, Switzerland and any other third country (provided the European Commission has declared such country as appropriate) with information used for credit rating checks on natural persons and other purposes. More detailed information on SCHUFA’s activities can be found in the SCHUFA-Information, in accordance with Article 14 of the GDPR, and online at www.schufa.de/datenschutz.

- CRIF: within the framework of our contractual relationship, we transfer information regarding defaults to CRIF GmbH, Leopoldstraße 244, 80807 Munich, Germany. The legal basis for these data transfers is set out in Article 6 (1)(b) and Article 6 (1)(f) of the General Data Protection Regulation (GDPR). CRIF GmbH processes the data received and uses them for the purpose of creating profiles (scoring) to provide its contractual partners in the European Economic Area and Switzerland, and where applicable, third countries (where an adequacy decision of the European Commission exists) with information, among other aspects, for the purpose of assessing the creditworthiness of individuals.

We advise you that payment experience data, in particular regarding undisputed claims not paid when due, as well as address data, are transferred to CRIF GmbH, Diefenbachgasse 35, 1150 Vienna, for lawful processing within the scope of its business licences under §§ 151 (address publishing), 152 (credit agencies) and 153 (automated data-processing services and electronic data processing technology) under the 1994 Trade, Commerce and Industry Regulation Act. CRIF is also used for identity and credit checks. Further information can be found at www.crif.at.

For the aforementioned purposes, we will report to the credit agencies, SCHUFA and CRIF, any payment default on your part during the contractual relationship with Openbank.

Data processed: identifying information and information relating to defaults or debts you have accumulated.

Legal basis for the data processing: our legitimate interest in preventing and adequately controlling detrimental non-payments, as well as the legitimate interest of third-party financial institutions to be informed of any non-payment when processing new financing applications, pursuant to Article 6 (1)(f) of the GDPR.

4.3. Assessing financial solvency and creditworthiness (automated decision making)

When applying for the Service, we will check and assess your creditworthiness. This is done by means of automated decision-making. We may compare, process and profile your application data according to the behaviour and risk models we have designed to predict the risk of default in the taking out of the Service. The profiling will comprise an automated analysis of the information you have directly provided us during the application process, the information retrieved from the metadata obtained at the time of the application process and your financial creditworthiness by consulting credit and equity databases, such as SCHUFA and CRIF, during the scoring process to identify known cases of debt and non-payments (see more details in Section 4.2).

Additionally, if you are already an Openbank Customer, the data belonging to you that are currently processed will be automatically analysed. These data include your account balance, securities purchased, plans, funds, mortgages, cards, deposits (deposits/repayments), loans (amount and number), direct debits, spending with merchants and card transactions (physical/online), payroll and pensions, cash (inflows and outflows), card use, age and cases of payment default with Openbank. We will also verify whether you have any debt and/or non-payments with other institutions, according to what is reported by SCHUFA and CRIF.

Moreover, we will take into account the information gathered from Tink. Before submitting the application for the Service, if certain criteria (amount of the loan) are met, it will be necessary to register with the account information service provider, Tink. Tink aggregates all financial movements of the accounts you add. As such, through the accounts you add (external sources), we will obtain information on account transactions, including date, amount, destination and balance information. Please note that Tink will process your data as a data controller and transfer them to Openbank in accordance with the cooperation agreement we have with it.

Tink will process your data based on your consent, pursuant to Article 6 (1)(a) of the GDPR. For more information, please see Tink’s privacy policies at: https://tink.com/legal/notices.

The data obtained though Tink will be shared with CRIF. CRIF uses the data of each transaction (amount, item, date, associated account) and the ownership data of valid aggregated accounts. CRIF N.E.O.S., acting as our processor, categorises the data, which helps us to determine whether or not we can grant you credit.

In addition to the foregoing, you also have the option of uploading the relevant documents (e.g., salary statements and bank statements).

By combining all sources of information (both internal and external) the information mentioned above and the analytical capabilities of our behaviour and risk models, using a profiling process, we are able to infer the potential payment behaviour of a Customer. This is to ensure that customers have sufficient capacity to meet the payable sum resulting from the amount and term requested, leaving them with sufficient funds to meet their basic needs, and, therefore, determine the corresponding risk of default in relation to the Service. Please note that as a result of this automated decision making, i.e., profiling, we may either approve or reject your application. If your request is rejected, you will be duly informed and specifically told if the result is based exclusively on the information provided by a credit bureau.

You may request information on the result of such automated decision-making in order to receive an explanation of the decision taken, express your point of view, oppose the result of the profiling, and request the manual review of the decision by an employee of Openbank. You may also provide any additional documentation that you may consider necessary.

Please note that the process of providing the Service involves long-term management and monitoring of the entire cycle, which is why we need to analyse your financial situation and borrowing capacity not only when you apply for it, but also afterwards.

Legal basis for the data processing: assessing your financial solvency is necessary for the establishment of a contract as a necessary pre-contractual measure, pursuant to Article 6 (1)(b) of the GDPR.

4.4 Fraud Prevention

Purpose of the data processing: we are required by law to take measures to prevent fraud and we are committed to protecting our customers from potentially fraudulent activities, such as identity or password theft. We will, therefore, check that your application for the Service is not subject to any fraudulent activities.

For this purpose, during the ecommerce process, we may check whether or not there are any indications of fraudulent activity in the application by using the services of third-party specialised fraud-prevention tools. By way of the automated decision-making process, we evaluate the data and information provided during your application in order to detect and prevent possible fraudulent activities. We will also perform different checks, such as verifying your identity and detecting possible inconsistencies in the information provided, before you enter into an agreement with us.

This processing activity allows us to identify any potentially fraudulent activities, such as unauthorised access to customers’ personal information, possible identity theft or any situation that could be interpreted, in order to protect our customers’ interests.

Please note that your personal data will be subject to automated decision-making. Depending on the result of the fraud analysis carried out, we will determine whether or not there is a risk of fraud and, therefore, whether or not we can (preliminary) approve your application to use the Service. We will issue a fraud risk in the event our analysis concludes: (i) that the behaviour indicates possible fraudulent conduct, that your behaviour presents anomalies compared to the previous use of our Services, or; (iii) that you have attempted to conceal your true identity.

If an attempted fraud or suspicious activity is detected (e.g., repetitive transactions, use of a device other than the usual one, or unusual behaviour compared to your previously established transaction profile), and except where public interest is involved, we may make an automated decision, informing you accordingly of the outcome, review the available information and request additional information, if necessary. Likewise, as a precautionary measure, and until we have performed the appropriate checks, any transaction will be put on hold.

If your application is not approved in the automated decision-making process, you will not be granted access to the Service. We have several control mechanisms in place to ensure that our automated decisions are appropriate. These mechanisms include ongoing tests and reviews of our decision models and detailed documentation of rejected applications and the reasoning behind them. If you are concerned about the appropriateness of the result, you can contact us, and one of our analysts will review whether or not the process was appropriately performed. You can also object in accordance with the following instructions:

You have the right to object to any automated decision that has legal consequences or decisions that may otherwise significantly affect you. You can do so by sending an email to datenschutz.de@zinia.com. Upon receipt of your request, we will proceed to review the decision made, considering any additional information and circumstances that you may provide.

Data processed: all processing activities, including automated decisions, are based on both (i) information and data you have directly provided us, e.g., data related to your location, patterns of conduct, (ii) data from fraud prevention tools and service providers that we use and collaborate with, and (iii), if applicable, Openbank’s own internal information in order to detect and prevent potential attempted fraud.

Legal basis for the data processing: our legitimate interest in carrying out fraud prevention measures; legal basis is Article 6 (1)(f) of the GDPR.

Sharing of personal data with third parties:

To carry out this data processing, we will share your personal data to the necessary extent with third-party service providers that help us detect and prevent possible fraudulent attempts as described.

Data shared: information we share with these third parties includes some of the application data you provide us, such as your email address, as well as information related to your browsing, such as the IP address of your device.

We make use of the following service providers that help us detect and prevent fraudulent transactions:

a) Emailage

We use the Emailage service (“Emailage”) provided by LexisNexis Risk Solutions (Europe) Limited.

Data shared: your first name and surname, email address and IP address will be shared with Lexis Nexis Risk Solutions. We will process your email address and IP address through the service provided by Lexis Nexis Risk Solutions to generate a fraud-risk score. For this purpose, Emailage. compares and evaluates the data points provided with associated metadata (email data, IP geolocation data) and previous customer queries and fraud indicators that have been added to the global fraud network of Emailage. Using the fraud-risk score along with other verifications that we may perform, we can assess the risk associated with the request or transaction and make decisions in order to identify fraudulent behaviour and prevent fraud.

In this respect, Emailage acts as a data controller within the meaning of Article 4 (7) GDPR and will use it for the purposes set out in its privacy policy. You may exercise your data protection rights with Emailage at DPO@lexisnexisrisk.com.

Legal basis for the data processing: legitimate interest in preventing fraud both with new and existing customers, and avoiding harm to them pursuant to Article 6 (1)(f) of the GDPR.

b) Threametrix

We use the “Threatmetrix” service provided by LexisNexis Risk Solutions (Europe) Limited, with LexisNexis Risk Solutions acting as our processor.

ThreatMetrix will create a pseudonymous device ID that will be used by ThreatMetrix to determine unique characteristics for that device based on the behaviour and data described below, known as device fingerprinting. ThreatMetrix will process the following personal data:

Device fingerprinting data: IP address, location data, web pages visited, and the beginning, end and length of web pages visited and other device information (language and country settings, screen information, colour depth, and information on installed browsers, plug-ins, software, and versions).

Transaction data: salutation, first name, family name and maiden name, date of birth, email address, telephone number and postal address (street, house number, postcode) and amount of the financing request.

The aforementioned data are stored and processed for the purposes of preventing misuse and fraud as described above.

Legal basis for the data processing: legitimate interest in preventing fraud pursuant to Article 6 (1)(f) of the GDPR.

c) CRIF

We will also share your data with CRIF for the purpose of fraud prevention. To this end, we will transfer your first name, last name, date of birth, email address, telephone number, postal address (including street, house number, postcode, city) and IBAN to CRIF. CRIF will compare these data with those in their databases in order to prevent the risk of impersonation or to check if the data have been previously used in a fraud case.

Data processed: identifying information, information on your personal characteristics, information on goods and services transactions, employment information, and internet browsing data and details about the device used.

Legal basis for the data processing: legitimate interest to prevent and avoid fraud and to adequately protect our legitimate customers against fraud, pursuant to Article 6 (1)(f) of the GDPR.

4.5. Customer Identification

As a bank, we are legally obliged to identify our customers. The identification allows us to confirm the identity of our customers by verifying the accuracy of the provided information, and also helps to prevent criminal activities.

• Purpose of the data processing: to reliably verify your identity using a valid ID document, we will store and analyse your identification document (including your image) for the purpose of verifying your identity when necessary to perform the contract with you as customer and to meet the requirements of the competent authorities and/or comply with our legal obligations.

Data processed: identification information and information on your personal characteristics.

Legal basis for the data processing: our legal obligation to identify our customers under the German Anti-Money Laundering Act (Geldwäschegesetz, GwG), pursuant to Article 6 (1)(c) of the GDPR.

We will offer the following solutions for the customer identification process: video identification, account ID or physical identification in the Store. Depending on the way you want to be identified, the process and the personal data processed may vary.

Depending on how you want to be identified, the process and the personal data processed may vary as follows:

a) Video identification

The video identification process is carried out on our behalf by WebID Solutions GmbH (“WebID”) as our processor. The Customer will have a video call with a WebID agent , during which the Customer’s identity will be verified.

Data processed: first name, surname, place of birth, date of birth, nationality, full address, gender, mobile phone number, email address, photo/screenshot of the person and the front and back of the ID (biometrical data), document ID data (such as date and place of issue, issuing authority, etc.), the transaction number (TAN) shared with you.

Please note that the image and audio of the video call with be recorded.

Legal basis for the data processing: your consent pursuant to Article 6 (1)(a) of the GDPR.

b) Account ID

If you choose to identify yourself via Account ID, you can do so by logging into in your online bank. The Account ID process is carried out on our behalf by WebID as our processor. If you want to use this identification method, you need an internet-enabled device with a camera, such as a smartphone, your German ID card (or residence permit or eID card for citizens of the EU and the EEA).

Identification via Account ID is a biometric identification, that will be carried out, firstly, by matching your photo and your scanned ID card and, secondly, by using a solution that allows us to identify you by accessing your online account with your bank. If you do not consent to biometric identification, we will provide you with alternative methods of identification.

The matching process will involve an automatic decision about the result of the identification. You can request information about the result of this automated decision to receive an explanation of the decision made, state your point of view on the matter, object to the result of the decision and request the involvement of the Openbank team responsible to review the decision made as a consequence of the profiling.

Data processed: first name, surname, place of birth, date of birth, nationality, full address, gender, mobile phone number, email address, photo/screenshot of the person and the front and back of the ID, document ID data (such as date and place of issue, issuing authority, etc.).

Legal basis for the data processing: your consent pursuant to Article 6 (1)(a) of the GDPR.

c) Post office (Postident)

If you choose POSTIDENT by Deutsche Post, acting as our processor, you will receive your POSTIDENT coupon via the POSTIDENT portal. Once you receive the coupon, you will need to take it to the post office. Post office employees will take the information from the coupon and verify the ID document you give them. Once you have confirmed your ID details, they will be digitally sent to us and processed by us.

Data processed: identifying information.

Legal basis for the data processing: our legal obligations pursuant to Article 6 (1)(c) of the GDPR.

4.6. Electronic signature

To electronically sign the Service contract using a qualified electronic signature (hereinafter “QES”) we use the services of WebID as our service provider. By using WebID services, our customers will be able to sign the contract electronically via a QES.

Data processed: first name and surname, sex, date of birth, address (street name, street number, postcode, city), email address, nationality, information on the ID document used for the identification process (date of issue and date of the last day of validity of the ID document used for identification, type of ID document, ID number, authority that issued the relevant identity document, country that issued the identity document in question) telephone number, email address, mobile phone number and the content of the agreement that will be signed (loan details and IBAN).

To be able to provide the service, WebID will also share your data to service providers, as will be explained during the process.

Legal basis for the data processing: fulfilling pre-contractual measures and establishing a contractual relationship with you, as per Article 6 (1)(b) of the GDPR.

4.7. Management and cancellation of the relationship

We will process your data to manage our relationship with you and to provide you with the Service and any assistance you may need relating to it.

As part of that relationship, we will process your data to, among other activities: (i) fulfil the applicable contractual obligations; (ii) process your instructions; (iii) process the payment of loans (full or partial repayments); (iv) and, cancel the relationship.

If you want to pay the instalments by direct debit, you will be asked to enter your IBAN manually. This is checked as part of the Know Your Customer (KYC) process described above. Subsequent instalments will then be debited from this account.

As the Service depends on the purchase placed at the Store, we will exchange information with the Store regarding the maintenance of the Service and any claims that may arise. For example, the Store accept a return of the product the Store will notify us, as the purchase and the Service is closely related. This will allow us to cancel the Service accordingly.

Data processed: identity data; employment data; economic, financial and insurance data; data relating to your personal characteristics.

Legal basis for the data processing: (i) execution and performance of our contractual obligations, pursuant to Article 6 (1)(b) of the GDPR; and (ii) to comply with our legal obligations, pursuant to Article 6 (1)(c) of the GDPR.

4.8. Debt collection

We process your personal data for the purpose of collecting any outstanding debt you owe us. This processing is necessary to rectify any defaults, avoid inconveniences, and to prevent the accrual of interest and additional costs. For this purpose, we may contact you via the various contact options (mail, telephone, SMS, instant messaging, email, web push, pop-up or any other electronic or telematic systems available at any time). We will use the service provided by Concentrix GmbH, which will act as processor.

Accordingly, we will process your data, among others, to inform you of the existence of the default, as well as to obtain settlement or to transfer the management of the debt collection a specialised entity.

Data processed: identification data; economic, financial and insurance data to the extent necessary.

Legal basis for the data processing: performance of the contractual relationship with you, the legal basis is Article 6 (1)(b) of the GDPR.

4.9. General Processing activities

4.9.1. Reporting to public authorities and other Santander Group entities

Under the contractual relationship, we will transfer your personal data to public authorities, official bodies or bank monitoring, and supervisory institutions and competent tax authorities to the extent required, provided that we are legally required by the applicable laws on the banking and financial sector, e.g., the German Anti-Money Laundering Act (Geldwäschegesetz, GwG) and any regulation against the financing of terrorism and legislation on consumer protection (see below).

We will also report certain data of customers to other Santander Group entities for the prevention of (financial) crime, and to: (i) comply with the internal regulations of the Santander Group created to comply with our legal obligations in the area of financial crime prevention; (ii) to allow the Santander Group entities to comply with their legal obligations relating to anti-money laundering and anti-terrorism-financing regulations; and (iii) to allow the entities of the Santander Group to comply with their regulatory reporting obligations to the supervisory authorities.

Data processed: identifying information; tax residence and information related to the contractual relationship; information on your personal characteristics; employment data; economic, financial and insurance information; and information on goods and services transactions.

Legal basis for the data processing: (i) our legal obligations (as described above) pursuant to Article 6 (1)(c) of the GDPR; (ii) for the sharing of information with other entities of Santander Group, our legitimate interest to combat financial crime, Article 6(1)(f) of the GDPR.

4.9.2. Responding to and managing your requests for information about Openbank products and/or services

You can contact us via our contact centre, website and/or app, and request information about our other products or services or about perform product simulations.

Data processed: we will process the data you provide for the purpose of handling your request, as well as providing you with the requested information and contacting you by any means, including electronic means.

Legal basis for the data processing: application of pre-contractual measures at your request, pursuant to Article 6 (1)(b) of the GDPR or our legitimate interest to properly respond to your request, pursuant to Article 6 (1)(f) of the GDPR.

4.9.3. Anti-money laundering and anti-terrorism-financing

For the establishment and maintenance of your relationship with Openbank, we may be legally required to process your personal data to comply with requirements resulting from the applicable anti-money laundering laws, such as the German Anti-Money Laundering Act (Geldwäschegesetz, GwG), including regulations on anti-terrorism financing.

As a result of that, your data will be processed, including, but not limited to, the following actions:

1. Reporting information to third parties (as explained in the previous section).
2. PEP list monitoring and other external databases.
3. Verification of your identity: as explained in Section 4.5, as well as requesting further information and updated data. Openbank will check the accuracy of the information and update it accordingly, provided that only minor changes are present.
4. Ongoing monitoring of customer relationships: this includes tracking transactions; reviewing the source of funds; reviewing documents and information available through the bank’s customers; and requesting updates to documents deemed necessary, etc.

With regard to the above points, if applicable, e.g., if the Customer does not provide the updated documents within a reasonable period of time, the data will be used to block the use of the customer’s products/services (such blocking may impact both the products/services taken out/engaged and the possibility of taking out or engaging new products/services with Openbank) and/or to terminate the business relationship with the Customer.

In accordance with the regulations on the prevention of money laundering and terrorist financing, we will analyse any behaviour that is unusual or does not pursue a legitimate economic purpose, or any behaviour or information available to us that indicates a possible criminal offence.

Data processed: we will process the following data in this context: identifying information; employment information; economic, financial and insurance information; and information on goods and services transactions.

Legal basis for the data processing: complying with the applicable regulations on anti-money laundering and anti-terrorism financing, pursuant to Article 6 (1)(c) of the GDPR; and our legitimate interest in combating financial crime in the Santander Group (Article 6 (1)(f) of the GDPR).

4.9.4. Design and training of risk and behaviour models

For Openbank, it is important to have a solid understanding of the need for financial and banking products and services, the creditworthiness and consumption habits of our active customers. For this reason, we will anonymise your personal data, which we will use to design and train algorithms allowing us to develop various behavioural and risk models (hereinafter, the “Models”), which we will subsequently use to conduct active customer profiling activities.

This processing will not have any legal consequences for you and, upon training the model, at no time will we use your identifying personal data.

Subsequently, and in relation to other processing activities explained in the Policy, we may apply these models to profile our Customers, for different purposes, such as: marketing purposes (sending marketing communications), to analyse and assess risk and creditworthiness; approval of applications for our products; to detect and prevent possible fraud attempts; and for the prevention of money laundering and terrorist financing.

Similarly, according to the model that we use, we could use internal and/or external sources, depending on: (i) the credit product you want to take out; and (ii) whether you are an existing Openbank customer. The reason why the level of profiling is different, depending on whether or not you are an existing Openbank customer, is because, if you are a customer, we already have information about you derived from the contractual relationship, which enables us to predict your risk of non-performing loans without consulting external sources.

We would also like to inform you that we have a control model that ensures the quality of the information of the algorithms used for the design of our behaviour and risk models.

Data processed: economic, financial and insurance information; information on goods and services transactions, information on financial solvency. We will process the mentioned anonymised information from both internal and external sources, such as: (i) information you have provided during the contractual relationship with us; (ii) internal information regarding your behaviour during transactions undertaken with us (for example, time and place of the execution of a particular type of transaction); (iii) information obtained from the mentioned creditworthiness databases.

Legal basis for the data processing: our legitimate interest in designing, creating and offering innovative and efficient financial products and services to our customers based on different models created by our algorithms, as well as to analyse and assess the level of risk and creditworthiness of our customers, to detect and prevent possible fraudulent attempts, and to prevent money laundering and terrorist financing, pursuant to Article 6 (1)(f) of the GDPR.

4.9.5. Tracking of our messages with you for analytical purposes

To analyse product and service transactions, we will monitor how you interact with the various messages we send you. If you receive an email from Openbank, we can determine whether you have opened it and view further information associated with the email. We use this information for analytical purposes to determine whether: you are interested in receiving our messages, if we should improve them and how we can improve our customer experience through the different communication channels, according to customer needs and interests, for example, by analysing whether or not our customers are more receptive to telephone calls than to emails.

Data processed: identifying information and metadata linked to the message sent, such as the time the email is opened.

Legal basis for the data processing: your consent pursuant to Article 6 (1)(a) of the GDPR.

4.9.6. Recording of your voice and/or image and electronic conversations held with you

During telephone calls regarding the contractual relationship, we may record your voice, and/or image and electronic conversations based on your prior express consent. In such situations – of which you will be expressly informed in advance – we will store the telephone and/or electronic conversation for the following purposes: (i) to conduct an internal audit of the quality of the service; and, (ii) to use the recording as proof of the instructions received and/or the service provided – both in and out of court – if necessary.

Data processed: identifying information; economic, financial and insurance information; as well as data and information necessary to audit the quality of our services.

Legal basis for the data processing: your prior consent pursuant to Article 6 (1)(a) of the GDPR.

4.9.7. Sending notifications

We will process your data to send you notifications via email, web push, SMS, the Zinia website and/or app or Openbank’s website and/or app. To do so, we will process your identification information for the following purposes: (i) notify you about certain circumstances that occur with the Service; (ii) send you notifications for the prevention of financial fraud, security alerts and/or expense control when you use one of our Services.

You can activate/deactivate and configure some of the notifications according to your wishes by accessing the settings under "Notifications" in the main menu of the app or in your customer area on our website.

Data processed: contact and identification data; information on your financial situation; economic, financial and insurance information; and information on goods and services transactions.

Legal basis for the data processing: proper performance of the contract, pursuant to Article 6 (1)(b) of the GDPR and, in some cases, our legitimate interest in sending you notifications, the purpose of which is to prevent financial fraud, as well as security alerts, pursuant to Article 6 (1)(f) of the GDPR.

4.9.8. Surveys and market studies

Openbank will process the personal data associated with the use of the Service in order to conduct customer satisfaction surveys via email, SMS, telephone or other communication channels, including market studies or internal statistics. We will issue commercial reports to better understand the consumer habits of our customers. In doing so, we will be able to assess and improve the design of new products that may be of interest to our customers. Wherever possible, we will anonymise your personal data to conduct our surveys and market research.

As part of the activities set out above, among others, we will carry out satisfaction surveys using the Net Promoter Score (NPS) methodology, in order to identify whether our customers would recommend Openbank products, for the purposes of which your personal data may be transferred to the third party conducting the survey.

Data processed: identifying information; economic, financial and insurance information; and browsing data.

Legal basis for the data processing: your prior informed consent, pursuant to Article 6 (1)(a) of the GDPR

4.9.9. Answering legal complaints, requirements from competent bodies and protecting legal rights on behalf of Openbank

We will process personal data required to: (i) assist you or persons legitimately acting on your behalf in the exercise of your rights; (ii) process and respond to requests from the competent authorities and bodies (both judicial and extrajudicial), such as requests for information in the course of judicial investigations; (iii) to make or defend against claims, judicial or extrajudicial, initiated by Openbank or by you.

Data processed: identity data; economic, financial and insurance data; and data required to resolve the complaint lodged or to respond to the requirements of the competent authority.

Legal basis for the data processing: (i) legal obligations, pursuant to Article 6 (1)(c) of the GDPR; or (ii) our legitimate interest in responding to legal, administrative, or judicial claims, addressing them and taking the legal action we deem necessary, as well as to defend ourselves against any claims brought against the company, all pursuant to the right to effective judicial protection pursuant to Article 6 (1)(f) of the GDPR.

4.9.10. Addressing your requests for information on social media

When you make use of our social media channels, such as Facebook, Twitter or Instagram, to request information from us or to make an enquiry, we will process your personal data using specialised tools, for the following purpose: (i) to streamline and optimise the answers to your questions made through social media –please note that when you use our social media channels, the processing of your personal data will also be subject to the provisions of the privacy policy of the corresponding social media company through which you request information or make an enquiry; (ii) to analyse the interactions (comments or contributions) relating to Openbank that you submit via various social media channels in order to internally determine the potential for improvement with regard to our company and our products and services.

Data processed: your identifying information.

Legal basis for the data processing: our legitimate interest pursuant to Article 6 (1)(f) of the GDPR in being duly able, in the quickest and most attainable way, to address enquiries from our customers, submitted to us through social media, as well as offering an efficient and simple operation, along with products that meet the expectations and needs of our customers.

4.9.11. Audits and verification of compliance

We will process your data related to the performance of the internally implemented compliance verification controls, as well as in the context of different audits.

Data processed: all the categories of personal data to which we have access.

Legal basis for the data processing: (i) legal obligations, pursuant to Article 6 (1)(c) of the GDPR; or (ii) our legitimate interest in verifying the adequacy of our processes, to comply with legal obligations and internal quality standards for the identification, control and mitigation of legal or operational risks, pursuant to Article 6 (1)(f) of the GDPR. Please note that this information may be accessed by third parties providing the audit service for these purposes.

4.9.12. Sending marketing messages

We will process your personal data for marketing purposes to the following extent:

- Type of marketing communications that you will receive:

Your personal data will be processed to be able to send you the following marketing communications:

a) Openbank products and services, including Openbank accounts, cards, loans, savings and investment products.

b) Products and services of the other Santander Group companies that may be of interest to you. You can see a list of these companies here.

c) Offers of third parties that collaborate with Openbank and which offer its products and services.

This may include the following:

i) If you have an Openbank product, such as an account, card or loan, etc., you may be sent offers and discounts on the products and services of our partners through Open Discounts. You can see a list of the current partners by clicking here. This list is updated on a regular basis.

ii) If you have selected a Zinia payment method and have accepted the Zinia Terms and Conditions, you may be sent offers and discounts on third-party products and services where such payment method is available. You can see a list of these third parties here. This list is updated on a regular basis.

iii) If you are an Openbank customer or have selected a Zinia payment method and have accepted the Zinia Terms and Conditions, you may also be sent offers of third parties that Openbank collaborates with in order to offer you products or services that may be of interest to you, such as insurance. Furthermore, if you have taken out or engaged a service or product offered by Openbank in collaboration with a third party, you may also be sent offers of those third parties, which will be mentioned when the corresponding product or service is taken out or engaged.

Based on your marketing consent, your data will not be shared with any of these third parties, even if you receive information about their products and services that may be of interest to you. All marketing communications, even those relating to third parties, will be sent by Openbank in accordance with your marketing consent.

In addition, Openbank will process your personal data to monitor and understand how you interact with our advertising, such as open rates and click rates, etc., and how successful they are (e.g., if the product is eventually taken out). As a result, our marketing strategies will be optimised based on this behaviour, both in a collective and, in some cases, a personalised manner.

- By marketing communications we mean the following:

Marketing communications include all forms of communication that serve to directly or indirectly promote the sale of goods and services, and the image of Openbank, including customer satisfaction and market surveys.

- Means and channels through which you will receive marketing communications:

You may be sent marketing through the following means and channels:

- Post (letter)

- Phone (calls and/or SMS)

- App (push messages and banners, etc.)

- Email

- Other electronic means

- Personalisation of the marketing communications:

Personalised advertising and marketing communications will be tailored to you by us by means of profiling. For this purpose, we will use data from internal and external sources (e.g., fraud detection databases and credit reference agencies, such as SCHUFA) to analyse your economic and personal characteristics, interests, and behaviour and risk patterns. The model is designed to understand which offers, discounts, products and services that will be of interest to you.

Profiling may result in you not being offered certain Openbank discounts, products or services as part of its advertising and marketing.

- Data processed by Openbank for sending commercial and marketing communications:

We process the following categories of personal data:

- Master data (name and contact details);

- Information on personal characteristics, interests and preferences: date of birth, age, place of residence and, for tax purposes, family information, gender and nationality;

- Economic, financial and insurance information, such as your financial circumstances, credit standing and payment behaviour; income, investments and assets, banking information, subsidies and benefits, payroll financial data;

- Information about how you interact with our advertising and marketing, such as opening an email and your click behaviour.

In general, we collect this personal data directly from you. However, we may also receive information regarding you from the following external sources:

- Third-party companies to which you have given your consent to transfer your data to Openbank or which otherwise legally transfer your data to Openbank.

- Credit agencies, such as SCHUFA Holding AG and CRIF.

The legal basis for sending you marketing communications is the following:

- Your consent pursuant to Article 6(1)(a) of the GDPR.

ii. 4.9.12. Sending information on products and services that are of interest to you through social media:

When visiting and interacting with our social media account, we will process your personal data for the following purposes:

To show you advertisements specifically targeted at you in relation to Openbank products or services that are similar to those you have already taken out with us and that may be of interest to you. To do this, we will use tools that social media companies have developed specifically for this purpose (such as Facebook Custom Audiences). Social media privacy policies will give you information about how your data is processed using these tools. With regard to this processing, we will be considered joint data controllers together with the social media platform or separate controllers, as the case may be.

By using these tools, Openbank performs segmentation based on users' interests and, therefore, if you are a social media user and are classified as being in the audience we select, you may receive advertising from Openbank. Please note that in these cases, Openbank only performs audience segmentation and does not have access to the end users who receive the advertisements.

Data processed: identifying information and economic, financial and insurance information.

Legal basis for this data processing: your prior and informed consent pursuant to Article 6 (1)(a) of the GDPR.

Notwithstanding the foregoing, when, based on the use of the different tools that social media companies have developed, you are subject to comprehensive profiling, we will check that the tool has requested prior and express consent from users to carry out the processing described herein and to be able to send you information about products and services of interest to you.

4.9.13. Draws and promotions

Whether you are an Openbank customer or not, we will process your data if you participate in any prize draws or promotions organised by Openbank to administer your participation (including confirmation of compliance with the requirements for participating in the draw/promotion and, where applicable, communicating with you and sending you the prize, in the event you are the winner).

Please note that we will also process your data to the extent necessary to fulfil our legal obligations if you are the winner of one of our prizes, draws or promotions, and we have to make a tax deduction on the prize. The data will be transferred to the competent tax authority for tax purposes, if applicable.

Data processed: identifying information and economic, financial and insurance information.

Legal basis for this data processing: (i) the performance of our contractual obligations that we entered into with you, pursuant to Article 6 (1)(b) of the GDPR; (ii) and the fulfilment of our legal tax obligations, pursuant to Article 6 (1)(c) of the GDPR.

4.9.14. Reviews and ratings of our products and services

Regardless of whether or not you are an Openbank customer, we will process your data when you leave a review or rating of our products and services on public websites or through the platforms available for this purpose and identify yourself or directly provide us with your personal data so that we can respond to you and take your contribution into account for future improvements.

Data processed: identification data and the data you provide through the review or rating.

Legal basis for this data processing: our legitimate interest in responding to the assessments and using the assessments to implement the relevant changes.

5. Use of cookies

Openbank uses cookies and similar technology, among other things, to remember who you are when you log in to your private area, or to personalise content based on your browsing habits to ensure that it is of interest to you.

When you enter Openbank’s website and/or app, we will inform you about the cookies or similar technology that we use. You can configure the scope of the analysis, advertising and personalisation, as well as product development and improvement cookies (and similar technology) you want to consent to in the relevant cookie management platform.

You can also set your browser to block the use of cookies for certain cases or in general. You can delete cookies that have already been set via your browser. Please note that if you delete or do not accept certain cookies, the functionality of our Website may be limited.

For further details on the cookies we use and to activate or deactivate certain cookies please refer to the following policies:

• Zinia Website Cookie Policy
• Zinia App Cookie Policy

6. How long will Openbank store my data

We process your personal data for as long as necessary for the purpose for which it is processed and for the fulfilment of our contractual and legal obligations and execution of our rights. At the end of this period, we will destroy or anonymise your personal data.

We are subject to various storage and documentation obligations, which result, among other things, from the German Commercial Code (Handelsgesetzbuch, HGB), the Fiscal Code (Abgabenordnung, AO), the Banking Act (Gesetz über das Kreditwesen, KWG), the German Anti-Money Laundering Act (Geldwäschegesetz, GwG) and the Securities Trading Act (Wertpapierhandelsgesetz, WpHG). The time limits for storage and documentation set out in this document are two to ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which are, for example, according to §§ 195 ff of the Civil Code (Bürgerliches Gesetzbuch, BGB), the regular limitation period is three years.

7. With whom do we share your personal data?

We may share your personal data with third parties when processing your data to the extent described above:

• Store: In connection with the application for and use of the Service, we will exchange your personal data with the respective Store to the extent necessary, as described in this Privacy Policy. This includes both the transfer of your personal data by the Store to us where necessary for the provision of our Service, and the transfer of personal data by us to the Store, especially to confirm that the Service has been approved, so that the Store can provide you with the purchases goods. The exchange of data is limited to what is necessary for the Service. The Store acts both as our processor (in connection with the collection of some application data) and as controller.
• Credit agencies: SCHUFA and CRIF (as described under Section 4.2).
• Debt collection agencies (as described under Section 4.8).
• Fraud Prevention Service Providers: Lexis Nexis Risk Solutions and Crif (as described under Section 4.4).
• Other Santander Group companies (as described under Section 4.9.1)
• Competent authorities (as described under Section 4.9.1).
• Identification service providers: WebID Solutions GmbH, Deutsche Post (as described under Section 4.5).
• Qualified Trust Service Providers (as described under Section 4.6).
• Openbank works with third-party service providers, which will process data on our behalf as processors within the meaning of Article 4 (8) of the GDPR. We have entered into data processing agreements that meet the requirements under Article 28 of the GDPR with all pro-cessors. We have obliged our processors to comply with the necessary requirements under Article 28 of the GDPR, in particular to comply with our instructions. Specifically, Openbank uses the services from third-party providers, which operate in many different sectors, including, but not limited to, the following: logistics services, legal advice, supplier approval, multidisciplinary professional services companies, hosting companies, maintenance-related companies, technological service providers, software service providers, physical security companies, instant messaging service providers, infrastructure management and maintenance companies, call centre service companies and control companies. You can consult the third-party providers here, or request it by email to datenschutz.de@zinia.com.

8. International data transfers

We will only transfer your data to countries outside the EU/EEA (so-called third countries) where it is necessary for the purposes described in this Privacy Policy. The transfer may, therefore, be part of some of the above-described services provided by third parties.

We will only transfer data to a third-party country in compliance with the applicable data protection laws, in particular the GDPR and the guarantee of an adequate level of data protection. This means that your data will only be transferred if the prerequisites of Article 44 et. seq. of the GDPR are met, in particular, if the EU Commission has decided that an adequate level of data protection exists in the third-party country in question (Article 45 of the GDPR), or if there are adequate safeguards for the protection of your personal data (see Article 46 of the GDPR) or if there is a legal authorisation (cf. Article 49 of the GDPR). Appropriate safeguards within the meaning of Article 46 of the GDPR include particularly the standard data protection clauses published by the EU Commission. You can see all international data transfers that we make, either directly or through some of our suppliers, here or by consulting datenschutz.de@zinia.com or by referring to the table under the following link.

9. Obligations to provide personal data

If you want to use to the Service, we will ask you to provide us with the information required to provide our services. Please note that the data we specify in each of the forms as being “required” is necessary for the proper performance of the contractual or pre-contractual relationship with Openbank. Please also note that without such personal information, we will not be able to offer you the Service at all. However, you are under no legal or contractual obligation to provide us with your personal data until you enter into a contractual relationship with us. Once you have applied for the Service, you may be required to provide us with certain information during the course of the contractual relationship as set out above.

10. To what extent is automated decision making, including profiling, carried out in accordance with Article 22 of the GDPR?

Automated decision-making, including profiling pursuant to Article 22 of the GDPR, takes place to the extent described under the different processing activities of Section 4.

11. What are your rights regarding the processing of your personal data?

You have the following rights, which you can exercise at any time:

• Right of access (Article 15 of the GDPR): you have the right to obtain confirmation as to whether or not we are processing personal data concerning you and, if so, to access such data as per Article 15 of the GDPR. This includes the right to obtain a copy of your personal data.
• Right to rectification (Article 16 of the GDPR): you have the right to obtain the rectification of inaccurate personal data, which includes the right to have incomplete personal data completed (including by providing a supplementary statement), taking into account the purposes of the processing.
• Right to erasure (Article 17 of the GDPR): you have the right to obtain the erasure of your personal data.
• Right to restriction of processing (Article 18 of the GDPR): you have the right to restrict the processing of your personal data.
• Right to data portability (Article 20 of the GDPR): you have the right to receive your personal data in a structured, commonly used and machine-readable format. You also have the right to have that data unhinderedly transmitted to another controller where the processing is based on consent or on an agreement and the processing is carried out by automated means.
• When personal data is processed based on your consent, you have the right to withdraw your consent according to Article 7(3) of the GDPR. Please keep in mind that your withdrawal will only affect future processing and will not affect the lawfulness of processing based on consent before its withdrawal.
• In the event you consider the processing of your personal data is unlawful, you have the right to lodge a complaint with the competent supervisory authority, pursuant Article 77 of the GDPR. The right to lodge a complaint is without any prejudice to any other administrative or judicial remedy.
• To the extent the personal data are processed for the purpose of our legitimate interest, according to Article 6 (1)(f) of the GDPR, you have the right to object, pursuant to Article 21 of the GDPR. Please find further information regarding your right to object in the text box below under “Information on your right to object pursuant to Article 21 of the General Data Protection Regulation (GDPR)”.

You may also exercise the aforementioned rights through the following channels:

- Email: datenschutz.de@zinia.com

- Post: Open Bank, S.A., Plaza de Santa Bárbara 2, 28004 Madrid (Spain)

- You may also contact our local German branch by writing to: Open Bank S.A., Zweigniederlassung Deutschland, An der Welle 5, 60322 Frankfurt am Main.

- Contact Centre: + 49 216 1621 0029

12. Compliance with Codes of Conduct

Openbank complies with the Code of Conduct for Data Protection in Advertising of the Association for Advertising Self-regulation (hereinafter, "AUTOCONTROL"), accredited by the Spanish Data Protection Agency. As such, it is bound by its extrajudicial system for processing claims when they concern data protection and advertising, available to data subjects here. Bear in mind that the language of mediation is Spanish and, in exceptional cases, English.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

You can download this Privacy Policy here.

Last update: August 2025.