Privacy Policy

Last updated: December 2023

1. Introduction and scope of application

The purpose of this privacy policy (hereinafter, the "Privacy Policy" or the "Policy"), in accordance with Regulation (EU) 679/2016 of 27 April 2016, approving the General Data Protection Regulation (hereinafter, the "GDPR"), Organic Law 3/2018 of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, the “LOPDGDD”), and other applicable implementing data protection legislation, is to regulate and provide information about the processing carried out by Open Bank, S.A., (hereinafter “Openbank” or “we”) of personal data of customers (hereinafter, “you” or the “Customer”) when, upon purchasing from a merchant, they use any of the services managed by Openbank under its registered trademark “Zinia” (hereinafter, the “Service”).

This Policy provides you with information about the categories of personal data we process, the means by which we obtain your personal data, the purposes for which we collect and process your personal data, the legitimate basis for such processing, the data recipients, the applicable data retention periods and the rights granted to you by the regulations in relation to your personal data.

Please take a few minutes to read and properly understand its contents. If you have any questions, please contact our Data Protection Officer, whose contact details can be found below.

2. Who is the Data Controller?

“Open Bank, S.A.”, operating through its registered trademark, Zinia.

Business address: Plaza de Santa Bárbara, 2, 28004 Madrid, Spain.

Email address for contacting the Data Protection Officer: privacidad.es@zinia.com.

3. What information do we collect from you and how do we obtain it?

We process the categories of personal data listed below. The data we indicate in each of the forms as "mandatory" are necessary for the proper undertaking of your relationship with Openbank. If we do not receive this information, we will not be able to process your request or provide you with the Service.

  • Contact and identification details: first name and surname, invoicing and delivery address, mobile phone number, fingerprints, email address, and country of residence.
  • Economic, financial and insurance data: data related to the price of the products you purchase, data related to the payment of your purchase (such as bank account, bank name and branch, debit card number), data related to arrears, solvency and debt history, as well as to orders pending payment, and information about negative payment history and previous credit approvals.
  • Data on the goods and services purchased: data related to the product you purchase, such as the item, model, price, and tracking number.
  • Device data: IP address, language settings, browser settings, time zone, operating system, platform, screen resolution, login via the different devices you use and other similar device settings.
  • Personal details: date of birth, age, sex and nationality.
  • Unique identifiers: data collected from the cookie ID, device ID, recorded voice calls, chat conversations and email correspondence.
  • Employment data: position and contact details of contact persons acting as legal representatives of the businesses we collaborate with.
  • Special categories of personal data: data that reveals health information and information related to sanctions lists.
  • Data about politically exposed persons and sanction lists: sanction and PEP lists contain information such as the name, date of birth, place of birth, occupation or position of a person included on the respective list as well as why he or she features on it.

In addition to the data you provide us with directly, for example, through the various forms for requesting information, we will also process other data relating to you that we may obtain from our internal sources, such as:

  • The personal data that we obtain from the contractual relationship we have with you with respect to the provision of the Services.
  • The personal data we obtain as a result of your interaction through our website or our app.
  • The inferred data that we deduce or obtain from the data you have previously provided us with (when we create profiles).
  • Given that Zinia and Openbank are, in fact, the same data controller, the personal data related to you that we may obtain in the context of a contractual relationship that you maintain with Openbank, apart from the Services that we provide to you under the trademark, Zinia.

Similarly, as explained in more detail below, we shall process additional data about you that we obtain from the external or publicly available sources listed below, complying with the procedures, rights and guarantees established at all times by the laws in force:

  • Business where you make your purchase.
  • Public Administration bodies, such as the Ministry of Finance or the Bank of Spain. In this case, the data obtained will be purely statistical in nature.
  • Publicly available sources, such as public registries (for example, the Spanish National Statistics Institute, the Trade Registry and the Cadastre). In this case, the data obtained will also be purely statistical in nature.
  • Credit reference files, such as the database of Asnef-Equifax Servicios de Información sobre Solvencia y Crédito, S.L. (hereinafter, the “ASNEF Database”) and that of Experian Bureau de Crédito, S.A. (hereinafter, the “BADEXCUG Database”); and credit reference files such as the Central Credit Register of the Bank of Spain (Central de Información de Riesgos del Banco de España, CIRBE) (hereinafter, “CIRBE”).
  • Fraudulent data detection databases, such as the database of Confirma Sistemas de Información, S.L. (hereinafter, the “CONFIRMA Database”) and the database of Emailage Ltd. (hereinafter, the “EMAILAGE Database”).
  • Third-party companies to which you have given your consent for the transfer of your data to Openbank, or which otherwise lawfully transfer your data in accordance with the laws in force.

4. Data processing activities we carry out

Processing of personal data | Purposes of the data processing activity. What we do and why | Categories of personal data processed | Legal basis for the data processing | Termination of the data processing purpose

1

User/Customer registration management

Managing customer interactions in accordance with the terms and conditions of the Service, including registration and communication of relevant information

Internal sources:

Contact and identification details.

External sources:

(i) Business where you purchase the product.

In particular, the categories of data we obtain from the aforementioned external source are:

(a) Financial and insurance data.

(b) Information on goods and services transactions.

Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.

When the contractual relationship with us ends.
2

Verifying the Customer’s identity when requesting a transaction

See Section 4.1 for more information.

Confirmation of your identity and verification that the details you have provided us with are correct. We also aim to prevent criminal activity.

Internal sources:

Contact and identification details.

Legal obligation of Article 5 of the GDPR (principle of transparency), according to Article 6.1 c) of the GDPR.

When we validate the data.
3

Conducting a risk analysis on fraud prevention and detection

See Section 4.2 for more information.

Analysis of potentially fraudulent activities in the context of Customer registration management in order to prevent potential fraudulent requests, for the duration of the relationship with Openbank (involves automated decision-making).

Internal sources:

Contact and identification details.

Personal details.

Financial and insurance data.

Device data.

Unique identifiers.

External sources:

(i) Business where you purchase the product.

(ii) Fraud detection databases during registration: CONFIRMA Database and EMAILAGE Database.

In particular, the categories of data we obtain from the aforementioned external sources are:

(a) Information on goods and services transactions.

(b) EMAILAGE Database. We shall process your email address and IP address using the service provided by Emailage Ltd. in order to generate a fraud risk score. Accordingly, Emailage Ltd. checks and evaluates the data points provided against the associated metadata (email data, IP geolocation data) and previous customer queries and fraud indicators sent to the global fraud network of Emailage Ltd.

Using our fraud risk score along with other checks we may perform, we may assess the risk associated with the request or transaction and make decisions in an effort to detect and prevent fraud.

(c) CONFIRMA Database. We receive information that allows us to generate alerts and indicators to prevent possible fraudulent activities linked to the transactions, for further analysis.

Our legitimate interest in preventing fraudulent activities and the protection of existing Customers and their business, as well as society, by preventing and combating potential crimes such as identity theft, in accordance with Article 6.1 f) of the GDPR.

Upon completing the fraud detection analysis and at the end of the contractual relationship with us.
4

Transferring data to third parties for fraud prevention purposes

See Sections 4.2 and 6 for more information.

Transfer of Customer data to the following third parties to detect and prevent potential fraud attempts, complying with and respecting the procedures, rights and safeguards established and recognised at all times by the laws in force.

(i) EMAILAGE Database. Emailage Ltd., established in the United Kingdom, also acts as data controller when processing your personal data. It shall use your personal data for the purposes set out in its privacy policy. You can exercise your data protection rights with Emailage Ltd. at DPO@lexisnexisrisk.com.

(ii) CONFIRMA Database. We shall send your data to the CONFIRMA Database with which we are associated. CONFIRMA acts as data processor, while all other entities associated with the CONFIRMA Database act as joint data controllers. You can contact the data protection officer for data protection requests associated with the CONFIRMA Database at: dpo@confirmasistemas.es.

Internal sources:

Contact and identification details.

Financial and insurance data.

External sources:

(i) EMAILAGE Database.

(ii) CONFIRMA Database.

Our legitimate interest in preventing fraudulent activities and the protection of existing Customers and their business, according to Article 6.1 f) of the GDPR.

When the transfer is made to the third party.
5

Data transfer to other Santander Group companies in order to send marketing

See Section 4.4 for more information.

Transfer of Customer data to other Santander Group companies (according to the definition of the group of companies as provided for in Article 42 of the Commercial Code), so that such companies can send you marketing about their products and services through different channels (including electronic channels).

Internal sources:

Contact and identification details.

Financial and insurance data.

Information on goods and services transactions.

Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.

When consent is withdrawn.

6

Addressing queries and exercising data protection rights

Handling, managing and resolving requests relating to customers, data subjects and other data controllers exercising their GDPR rights, as well as complaints submitted directly by the data subject to Openbank or through the corresponding supervisory authorities.

Internal sources:

Contact and identification details.

Financial and insurance data.

Information on goods and services transactions.

Commercial data.

Our legal obligation, as data controllers, to comply with the obligations established in Articles 15 to 22 of the GDPR, in accordance with Article 6.1 c) of the GDPR.

When the exercise of rights is fulfilled.

7

Debt collection

Managing the collection of Customer debts taken out by the Customer with us.

Internal sources:

Contact and identification details.

Financial and insurance data.

Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.

When the debt taken out with us is repaid.
8

Portfolio sale

See Section 6 for more information.

Selling the debt portfolio of Openbank Customers to third-party companies in order to obtain a benefit from debt defaults.

Internal sources:

Contact and identification details.

Financial and insurance data.

Information on goods and services transactions.

Legitimate interest of Openbank in managing the debt portfolio of Customers and selling it to third parties in order to obtain a financial benefit, as per Article 6.1(f) GDPR.

When we transfer the outstanding debt to external companies.
9

Processing of financial data

Maintenance of accounting and administrative procedures provided for in the accounting regulations and to comply with the applicable laws in force. Generation of reports and/or communications on personal data to the different supervisory bodies (Bank of Spain). Archiving and accounting in accordance with the accounting regulations.

Internal sources:

Contact and identification details.

Financial and insurance data.

In complying with our legal obligation to keep accounting and administrative records, and to comply with the reporting obligations with the corresponding financial supervisory and anti-money laundering authorities (Law 44/2002 of the Financial System; and Law 10/2010 on the prevention of money laundering and terrorist financing), according to Article 6.1 c) of the GDPR.

When the contractual relationship with us ends.
10

Transfer of data by the business where the Customer makes their purchase to Openbank

See Section 4.3 for more information.

Transfer of information by the business where the Customer purchases the product.

External sources:

(i) Business where you purchase the product.

In particular, the categories of data we obtain from the aforementioned external source are:

(a) Contact and identification details.

(b) Financial and insurance data.

(c) Information on goods and services transactions.

Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.

When the purchase is made.

11

Customer email validation

Confirmation of the email provided by the Customer and verification of whether the data provided is correct, as well as to ensure the quality of the data.

Internal sources:

Contact and identification details.

Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.

After completing the validation.
12

Sending alerts for fraud prevention purposes

Sending alerts to verify your identity or to prevent attempted fraud or detected fraudulent activities, during the purchasing process and also after you have completed the purchasing process, and provided you are our Customer.

Internal sources:

Contact and identification details.

Personal details.

Financial and insurance data.

Our legitimate interest in preventing fraudulent activities and the protection of existing Customers and their business, according to Article 6.1 f) of the GDPR.

When the contractual relationship with us ends.
13

Satisfaction surveys and market research

Calls to Customers to conduct satisfaction and other surveys, market research and internal statistics to prepare commercial reports to better understand the consumption habits of our Customers; thereby allowing us to internally assess the design, creation and improvement of new products that may be of interest to our Customers or to reach commercial agreements with third parties.

Internal sources:

Contact and identification details.

Financial and insurance data.

Unique identifiers.

Our legitimate interest in using data obtained through surveys, market research, compiling internal statistics or business reports to improve our products and the provision of services to Customers, according to Article 6.1.f) of the GDPR.

After completing the survey or market research.
14

Guaranteeing network and information security

Guaranteeing the security of the network and information of Openbank. Processing is necessary to achieve the specific purpose. The legitimate interest prevails over the Customer’s right to object.

Internal sources:

Contact and identification details.

Financial and insurance data.

Unique identifiers.

Our legitimate interest in protecting our own network and information security system to protect our business and services, according to Article 6.1 f) of the GDPR.

When the contractual relationship with us ends.
15

Processing data of vulnerable Customers

Only if you have asked us to do so and based on your prior informed consent, we will process data relating to your disability or situation of vulnerability in order to provide you with the Service adapted to your personal needs and circumstances. For example, if you have a hearing or visual impairment, we can arrange for special assistance if so required.

Internal sources:

Contact and identification details.

Special categories of personal data.

Financial and insurance data.

Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.

When the contractual relationship with us ends or when you withdraw your consent.
16

Anonymisation of personal data

Anonymisation of your personal data to improve our services and products and analyse consumer behaviour, generate statistics and reports for economic analysis, or the analysis of trends or payment volumes in certain regions or certain industries, and for product development and testing, to improve our risk and credit models, as well as to design our Services. If possible, we shall first anonymise the data before carrying out such activities, to ensure that no personal data shall be processed later.

Internal sources:

Contact and identification details.

Financial and insurance data.

Commercial data.

Information on goods and services transactions.

Personal details.

Employment data.

Unique identifiers.

Our legitimate interest in the use of anonymised Customer data to improve our products and the provision of Services to Customers, according to Article 6.1 f) of the GDPR.

When the contractual relationship with us ends.
17

Profiling with internal data to understand which of the Openbank products and services could be of interest to you, and then offering and sending marketing about such products and services

See Section 4.4 for more information.

Analysis and profiling related to your financial and personal characteristics, based solely on the consultation of information from internal sources, based on customer segmentation, in order to determine which of our products and services best suit you or your interests, so that we can later offer you those products and services and send you related marketing.

Internal sources:

Contact and identification details.

Financial and insurance data.

Commercial data.

Information on goods and services purchased.

Personal details.

Employment data.

Unique identifiers.

Our legitimate interest in keeping our Customers informed about products and services that could be of interest to them based on products and services previously taken out, according to Article 6.1.f) of the GDPR.

When the contractual relationship with us ends.

18

Profiling with internal, external and publicly available data to determine which third-party products and services could be of interest to you, and then sending marketing about such products and services

See Section 4.4 for more information.

Analysis and profiling related to your financial and personal characteristics, based on data obtained from internal, external and publicly available sources, in order to determine which of our third-party products and services best suit you, so that we can later send you marketing related to those products and services.

Internal sources:

Contact and identification details.

Financial and insurance data.

Commercial data.

Information on goods and services purchased.

Personal details.

Employment details.

Unique identifiers.

External sources:

(i) OpenStreetMap.

(ii) HERE Global, B.V. digital maps.

In particular, the categories of data we obtain from the aforementioned external sources are:

(a) Information related to geographic data, such as street maps.

Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.

When consent is withdrawn.

19

Profiling with internal and external data and publicly available data to analyse the pre-approval of Openbank products, and sending marketing

At Openbank’s discretion, profiling data subjects based on data obtained from internal, external and publicly available sources, to analyse the potential pre-approval of products and then send marketing.

Internal sources:

Contact and identification details.

Financial and insurance data.

Commercial data.

Personal details.

Employment data.

Unique identifiers.

External sources:

(i) Business where you purchase the product.

(ii) Credit reference files: ASNEF Database and BADEXCUG Database.

(iii) HERE Global, B.V. digital maps.

(iv) OpenStreetMap.

In particular, the categories of data we obtain from the aforementioned external sources are:

(a) Information on goods and services transactions.

(b) Information on creditworthiness and potential default.

(c) Information related to geographic data, such as street maps.

Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.

When the contractual relationship with us ends or consent is withdrawn.
20

Legal, administrative, and judicial claims

Processing of claims relating to the Service provided.

Internal sources:

Contact and identification details.

Financial and insurance data.

Legal obligation, according to Article 6.1 c) of the GDPR.

When the claim has been processed.
21

Customer service helpline

Handling of calls made to the Customer care service and the management and resolution of queries it receives.

Internal sources:

Contact and identification details.

Financial and insurance data.

Unique identifiers.

Commercial data.

Legal obligations established under Law 44/2002 on the financial system and Order ECO/734/2004, of 11 March, regulating customer services of banking institutions, according to Article 6.1 c) of the GDPR.

When the call has been handled.
22

Legal/contractual communications

Sending communications to Customers in order to provide accurate and updated information regarding their relationship, such as amendments to the Terms and Conditions or the Privacy Policy, account closing, refund, payment letters.

Internal sources:

Contact and identification details.

Financial and insurance data.

Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.

Legal obligation to keep our Customers informed of any amendments to the Terms and Conditions governing the Services as well as to this Privacy Policy, according to Article 6.1 c) of the GDPR.

When the contractual relationship with us ends.
23

Approving the Customer’s registration via a creditworthiness check

See Sections 4.3 and 6 for more information.

Creditworthiness check of the prospective Customer, based on fully automated decisions, in order to approve the provision of the Service.

Internal sources:

Contact and identification details.

Financial and insurance data.

External sources:

(i) Business where you purchase the product.

(ii) Credit reference files: ASNEF Database and BADEXCUG Database.

(iii) Mosaic (statistical database of the provider company Experian Bureau de Crédito, S.A. containing statistical geo-domicile information).

(iv) Public registries such as the Spanish National Statistics Institute (2011 Census and 2021 Household Budget Survey), the Trade Registry (Official Gazette of the Trade Registry) and the Cadastre.

The Cadastre is a Spanish database containing information on urban real property throughout the territory of Spain. In this section, we refer to the Cadastre as the aggregate of the national land registry of Spain and that of the autonomous communities (Navarre, Biscay, Guipuzcoa and Álava). The unprotected information of the Cadastre, that is, the graphic and alphanumeric information on real property – other than the identification details and domicile of the owners, and the cadastral values – is publicly available (Articles 51 and 52 of Royal Legislative Decree 1/2004, of 5 March, approving the consolidated text of the Law on the Real Property Cadastre). The General Directorate of the Cadastre makes this information publicly available under the principles of the Law on re-use of public sector information.

(v) Bank of Spain (Survey of Household Finances – Data published in 2020). This information is publicly available under Law 37/2007, of 16 November, on re-use of public sector information, and its implementing regulations.

(vi) Fichero de Camerdata, S.A., from the census prepared by the Spanish Chamber of Commerce.

(vii) HERE Global, B.V. digital maps.

(viii) Surveys with anonymised information conducted by market research companies, such as those of the AIMC (Asociación para la Investigación de Medios de Comunicación [Partnership for Media Research]), namely AIMC Marcas [AIMC Brands] or the EGM (Estudio General de Medios [General Media Study]).

(ix) Real property portals (such as Idealista or Fotocasa).

(x) Global interconnected network of mobile phone operators (3G Telecommunications Ltd).

In particular, the categories of data we obtain from the aforementioned external sources are:

(a) Information on goods and services transactions.

(b) Information on creditworthiness and potential default.

(c) Information associated with postal addresses (for example, geo-domicile and socio-demographic information; property characteristics; information about the environment; urban variables; nearby points of interest).

(d) Statistical data on banking and insurance products taken out by families based on their income type and level.

(e) Consumer profiles.

(f) Statistical data obtained from the real property offers.

(g) Validation of mobile phone numbers and technical metadata associated with such numbers (for example, whether or not the number is active; country in which the number was originally registered).

Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.

When the contractual relationship with us ends.

24

Debt repayment

Management of debt repayment by the Customer, depending on the arrangement chosen.

Internal sources:

Contact and identification details.

Financial and insurance data.

Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.

When the Customer repays the debt.
25

Call recording

Recording and safekeeping of telephone calls and messages on different media provided for this purpose.

Internal sources:

Contact and identification details.

Our legitimate interest in voice recording is to be able to audit the quality of our Services and thus improve them and respond to information requests from the competent authorities or use the recordings as evidence in court, according to Article 6.1 f) of the GDPR.

When the call ends.
26

Quality and service metrics

Calculation of quality indicators to better understand the level of quality offered during the provision of the Services and thus be able to internally evaluate the quality standards and improvements that should be applied.

Internal sources:

Contact and identification details.

Financial and insurance data.

Unique identifiers.

Commercial data.

Our legitimate interest in measuring our quality standards to improve our products and the provision of Services to Customers, according to Article 6.1 f) of the GDPR.

When the contractual relationship with us ends.
27

Claims related to the products acquired

Management of your complaints relating to the product acquired, as well as coordinating complaints with the business where you made your purchase.

Internal sources:

Contact and identification details.

Financial and insurance data.

Information on goods and services transactions.

External sources:

(i) Business where you purchase the product.

In particular, the categories of data we obtain from the aforementioned external source are:

(a) Information on goods and services transactions.

Legal obligation to address and process claims received from Customers, according to Article 6.1 c) of the GDPR.

When the claim has been processed.

28

External audit

Verification of compliance with the applicable regulations regarding external audits. Processing of Customer data for audit samples.

Internal sources:

Contact and identification details.

Financial and insurance data.

Legal obligation, according to Article 6.1 c) of the GDPR. External companies that provide the audit service could require access to this information for the aforementioned purposes.

Upon completion of the external audit.

29

Internal audit

Verification of compliance with the applicable regulations and our internal policies. Its execution may require testing involving access to the Customer’s databases.

Internal sources:

Contact and identification details.

Financial and insurance data.

Our legitimate interest in verifying the suitability and adaptation of our processes, in order to comply with the legal obligations and internal quality standards for the identification, control and mitigation of legal or operational risks, according to Article 6.1 f) of the GDPR.

Upon completion of the compliance control or audit.
30

Responding to your requests on social media and social media analytics

See Section 6 for more information.

Response to requests sent to us by Customers through our social media platforms and analysis of their interactions with Zinia on such platforms by monitoring behaviour through listening, classifying, linking and tracking. For social media analytics, we transfer Customer data to the United States.

Internal sources:

Contact and identification details.

Unique identifiers.

Our legitimate interest in effectively managing requests sent to us by Customers on social media, as well as providing the Services simply and efficiently, and adapting our products to meet their needs and expectations, according to Article 6.1 f) of the GDPR.

When the request is resolved.

31

Prize draws and competitions

Data collection from competitions, prize draws and cultural offers, among others, to carry out commercial activities.

Internal sources:

Contact and identification details.

Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.

When the competition has ended.
32

Reporting information to credit reference files

See Section 6 for more information.

In the event you default during the contractual relationship with us, information about such default is reported to credit reference files.

Internal sources:

Contact and identification details.

Financial and insurance data.

Information on goods and services transactions.

Our legitimate interest in preventing default situations that are detrimental to us, and adequately controlling them, as well as the legitimate right of external financial institutions to be duly informed of any default when processing new applications for financing, according to Article 20 of the LOPDGDD, all according to Article 6.1 f) of the GDPR.

When the debt has been repaid in full.

33

Reporting information to the Spanish Tax Agency (Agencia Estatal de Administración Tributaria, AEAT) (hereinafter, the “AEAT”)

Reporting required tax information to the AEAT.

Internal sources:

Contact and identification details.

Financial and insurance data.

Information on goods and services transactions.

We carry out this processing in order to comply with our legal obligations, according to Article 6.1 c) of the GDPR.

When the contractual relationship with us ends.
34

Reporting information to CIRBE

See Section 6 for more information.

Reporting banking transaction risks to CIRBE based on the number of transactions that you have requested, as well as the amounts associated with them, their recoverability and, if applicable, defaults such as payment arrears. The purpose of such reporting is to allow other banking institutions to consult CIRBE and, based on the information recorded there on Customers’ financial transactions and the risks inherent in them, to assess a Customer’s suitability when any type of loan or financial product is requested.

Internal sources:

Contact and identification details.

Information on goods and services transactions.

In particular, we carry out this processing to comply with the legal obligations applicable to the financial system and, in particular, Law 44/2002 on Reform of the Financial System, according to Article 6.1 c) of the GDPR.

When the contractual relationship with us ends.

35

Consulting advertising opt-out systems

Use of the Adigital Robinson List Service when we send you marketing and we have not obtained your valid consent to do so, in order to no longer contact you if you are included in the List.

See the Adigital Privacy Policy for more information.

Internal sources:

Contact and identification details.

We carry out this processing to comply with the obligation of Article 23.4 of the LOPDGDD, provided that marketing is to be sent to recipients from whom consent has not been obtained, according to Article 6.1 c) of the GDPR.

When the contractual relationship with us ends.
36

Risk and behavioural model design and training

See Section 4.5 for more information.

It is important that we have a solid understanding of the need for financial and banking products and services, as well as the creditworthiness and consumption habits of our Customers. Therefore, we carry out pseudonymisation and/or anonymisation procedures on the personal data that we use to design and train algorithms, allowing us to create different behavioural and risk models, which we shall then use to carry out profiling activities on active Customers.

Internal sources:

Contact and identification details.

Financial and insurance data.

Information on goods and services transactions.

External sources:

(i) Spanish National Statistics Institute.

(ii) Ministry of Finance.

(iii) HERE Global, B.V. digital maps.

In particular, the categories of data we obtain from the aforementioned external sources are:

(a) Income data based on the postcode corresponding to where you reside, obtained from the Spanish National Statistics Institute website, specifically using statistical data on household income. Information last updated: 2018.

(b) The average disposable income and average default for your postcode (Ministry of Finance, last updated: 2018).

(c) Information related to geographic data, such as street maps.

Our legitimate interest in designing, creating and offering innovative and efficient financial products and services to our Customers based on the different behavioural and risk models created by our algorithms, according to Article 6.1.f) of the GDPR.

After designing and training the models.

37

Monitoring of our correspondence with Customers for analytical purposes

Monitoring how Customers interact with the different correspondence we send them, in order to analyse how our Services function. Accordingly, if Customers receive an email from Zinia, we can find out if they have opened it, as well as other information associated with the email.

Internal sources:

Contact and identification details.

Metadata related to the correspondence sent, such as the time at which an email is opened.

Our legitimate interest in determining if Customers are interested in our correspondence, and whether we should improve it, or in understanding how we can improve our Customers’ experience through the different communication channels according to their needs and interests. For example, by analysing if they are more receptive through the telephone channel than by email, according to Article 6.1.f) of the GDPR.

When the contractual relationship with us ends.

38

Sending notifications via the Zinia website and app

Sending notifications via email, web push, SMS, the Zinia app and/or website for the following purposes:

(i) To notify about certain circumstances that could occur with the Services signed up to (an example would be notifications about declined transactions).

(ii) To send financial fraud prevention notifications and security alerts.

Internal sources:

Contact and identification details.

Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.

Our legitimate interest in sending notifications aimed at preventing financial fraud, as well as security alerts, according to Article 6.1.f) of the GDPR.

When the contractual relationship with us ends.
39

Sending information about products and services that you find relevant through social media

To show advertisements directed specifically at you regarding our products or services that are similar to those already taken out with us and that could be of interest to you, if you are registered on any social media platform.

In order to carry out these activities, we use tools that social media companies have developed specifically for such purposes (such as Facebook Custom Audiences). The social media platforms themselves provide, according to their privacy policies, information on how they process data using these tools for which we act as joint data controllers.

By using these tools, we conduct segmentation based on users’ interests and, therefore, if you are a social media user and are classified under our selected audience, you could receive advertising from Openbank. In these cases, we will only perform audience segmentation, but we will not have access to the final users receiving the advertising. Therefore, in order to object to receiving such messages, you must contact the social media platform that sent you the advertising.

Internal sources:

Contact and identification details.

Financial and insurance data.

Our legitimate interest in sending marketing about our products and/or services through different channels, according to Article 6.1.f) of the GDPR.

Notwithstanding the foregoing, whenever, based on the use of the different tools that social media platforms have developed, the Customer is subject to extensive profiling, we shall check that the tool has requested prior express consent from users in order to carry out the processing described herein, and to be able to send them information about relevant products and services.

When the contractual relationship with us ends.
40

Use of cookies

See Section 9 for more information.

Storage of user browsing data for analytics or metrics, preferences or personalisation, and advertising based on behavioural patterns, as provided in our Cookie Policy.

Internal sources:

Contact and identification details.

Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.

When consent is withdrawn.

41

Click & Collect

Your request, through the merchant website, to collect the purchase at store locations.

Internal sources:

Contact and identification details.

Financial and insurance data.

Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.

When the purchase is collected.

42

Point of sale

The Customer’s request to make the purchase at store locations.

Internal sources:

Contact and identification details.

Financial and insurance data.

Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.

When the purchase is collected.

43

Anti-money laundering and counter-financing of terrorism

Verification of the information provided and prevention of criminal activities.

Verifying if the end user of the Service, or the person acting as legal representative or proxy of a merchant, is a publicly or politically exposed person and, if so, applying enhanced due diligence measures in the business relationships or transactions we carry out with you.

Includes automated decision-making.

Internal sources:

Contact and identification details.

External sources:

(i) External sanctions lists and PEP lists.

Compliance with Law 10/2010, on the Prevention of Money Laundering and Terrorist Financing; and Royal Decree 304/2014, of 5 May, approving Regulation of Law 10/2010, according to Article 6.1.c) of the GDPR.

When the contract with us is terminated or, in the case of proxies and legal representatives, when you cease to represent them.
44

Processing the data of proxies or legal representatives of legal institutions or of self-employed persons

For people who work in a self-employed capacity or represent a merchant interested in collaborating with us, we shall process their contact details, as well as those related to the position they hold and, in general, the information necessary to contact them. Under no circumstances shall we use the personal data we hold in order to establish an individual relationship with such people.

Internal sources:

Contact and identification details.

Proper execution and performance of the agreement with the merchants with which we collaborate, according to Article 6.1 f) of the GDPR and in accordance with Article 19 of the LOPDGDD, on the processing of contact details, individual business owners and independent professionals.

When the contract between the merchant and us ends or when the individual ceases to act as a representative of the company.

In addition to the information provided in the table above on all the data processing that we carry out, Sections 4.1 to 4.5 below explain in more detail some of the processing activities that we consider particularly important, including, where applicable, information on the logic applied to automated data processing and the potential consequences of such processing.

4.1. Validation of the Customer’s identity when requesting a transaction (automated decision)

When you request a financed payment from Openbank, we must verify and validate your identity, for which purposes we will adopt the measures we consider necessary. In particular, we will ask you for a copy of your national ID document and verify its validity through an automated mechanism.

Accordingly, we will store a copy of the document (including your image) and, if necessary, view it using any means, formats and media, for the sole purpose of verifying your identity whenever necessary in order to comply with the contract signed with you in your capacity as Customer (as is the case whenever a claim is filed) and to meet the requirements of the competent authorities and/or comply with our legal obligations.

We will carry out the aforementioned verification by means of an automated decision, the logic of which consists of capturing and processing the document image in order to perform a recognition analysis upon it and subsequently validate it.

You have the right to request an explanation of the decision made, to exercise your right not to be subject to a decision based solely on automated processing, requesting the involvement of one of our analysts, to express your point of view on the decision made based on profiling, and to object to it.

The legal basis of this processing is our legal obligation to ensure the accuracy of information as stipulated in Article 5 of the GDPR, in accordance with Article 6.1 (c) of the GDPR.

The categories of personal data we use in the framework of this processing are listed in Section 4.

4.2. Fraud detection and prevention (automated decision)

We have the obligation and goal to prevent fraud and protect you and all our other Customers against potential fraudulent behaviour, such as identity theft or password theft.

If you are not yet a Zinia/Openbank customer, before you enter into a contractual relationship with us, we will perform different analyses to prevent fraudulent transactions, such as verifying your identity and detecting possible inconsistencies in the information provided. If we detect any irregularity when opening the account, we shall proceed to block the operation until the situation is clarified.

Our analyses involve using information that you provide to us during the registration process or that is transferred to us by the merchant through your request, such as: your name and surname, email address, telephone number and other variables associated with the request that you are making, as well as metadata associated with your request related to the devices from which you request the account opening, or the browser you use.

Likewise, we will share some of your personal data with third-party service providers that help us detect and prevent possible fraud attempts, at all times complying with and respecting the procedures, rights and guarantees that the laws in force establish and grant you. The information we share with these third parties includes some of the information you provide when you register as a Customer, such as your email address, as well as information related to your browsing, such as the IP address of your device. You can find details about the third parties we use to help us detect and prevent fraudulent transactions in Section 6.

Accordingly, when you request the Service, we will apply automated decisions that will significantly affect you, applying the following logic. We will process the information you provide us with during your request in order to make the decision on whether or not to provide you with our Services, or to determine if your use of our Services poses a fraud risk. We will analyse your user behaviour profile using specialised fraud prevention tools and compare this data to our internally established risk criteria.

The consequence that these automated decisions will have for you is that, based on the analysis carried out, we will decide if the identification data provided is robust and, therefore, whether we can continue with your application and subsequently analyse your creditworthiness. To do this, we will use the data you provide us with, as well as data from external sources (the fraud prevention tools and service providers we consult and collaborate with) and Openbank’s own internal information, including information we hold about you, such as data about your previous use of our Services and data related to the device you use to request the Service.

We will decide whether or not you pose a fraud risk when our processing shows that your behaviour indicates possible fraudulent conduct, that it is inconsistent with your previous use of our Services, or that you have attempted to hide your true identity. If you are not approved under the automated decisions described in this section, you will not be given access to the Service.

We have several control mechanisms in place to ensure that our automated decisions are correct. These mechanisms include ongoing testing and review of our decision models and exhaustive documentation of rejected applications and the rationale behind such decisions. If you have any concerns about the outcome, you can contact us and one of our analysts will personally determine if the procedure was properly performed. You may also object in accordance with the following instructions.

Under the data protection law, you have the right to object to any automated decision with legal consequences or decisions that could otherwise significantly affect you. In this case, you can do this by emailing privacidad.es@zinia.com. Upon receiving your request, we will proceed to review the decision, taking into account any additional information and circumstances you may provide us with.

The legal bases of this processing are: (i) our legitimate interest in preventing fraud (Recital 47 of the GDPR and Legal Report 195/2017 of the Spanish Data Protection Agency) and preventing harm to our customers; and (ii) compliance with other legal obligations: in particular, we will carry out this processing in accordance with Decision (EU) 2016/456 of the European Central Bank, of 4 March 2016, concerning the terms and conditions for European Anti-Fraud Office investigations of the European Central Bank, in relation to the prevention of fraud, corruption and any other illegal activities affecting the financial interests of the Union (ECB/2016/3) (recast) (OJEU of 30 March).

The sources from which we obtain the data, as well as the categories of personal data we collect from such sources, are listed in Section 4. Please note that if you already have a contractual relationship with Openbank before entering into the buy now, pay later transaction, we will also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of said relationship, given that Zinia and Openbank are, in fact, the same data controller.

See Section 6 for more information about the entities with which we share information in connection with profiling during automated decisions.

4.3. Transferring data between the merchant where the Customer makes the purchase and Openbank, and approval of the transaction by analysing their creditworthiness (automated decision)

When you request the Service, the business where you make a purchase will transfer to us certain personal data relating to you so that we can provide you with the Service.

We need to process the personal data: (i) received from the business; (ii) provided directly by you; and (iii) collected by Openbank from external sources (such as other third parties and public sources), in order to analyse and manage the approval of the provision of the Service and, if the Service is ultimately provided, to comply with the obligations derived from it and maintain the contractual relationship with you.

Accordingly, we will assess your creditworthiness to predict if you will be able to afford to pay for the products and prevent a potential default on the debt, thereby avoiding situations that could be detrimental to both you and Openbank.

The logic that governs the analysis we carry out to approve the provision of the Service is based on the analysis of both the information you have provided us with and your purchase and payment history, as well as that obtained from the external sources listed in Section 4 that provide us with information related to your identity and financial situation. The aforementioned data and analytical capabilities of our risk models allow us to automatically determine if you are able to pay for the buy now, pay later product, thus allowing us to approve or reject your request.

You have the right to request an explanation of the decision made, to exercise your right not to be subject to a decision based solely on automated processing, requesting the involvement of one of our analysts, to express your point of view on the decision made based on profiling, and to object to it.

The legal basis of this profiling is the correct performance of the contract, in particular, the application – at your request – of pre-contractual measures and the execution and fulfilment of our contractual obligations in the event of you ultimately signing up to our Services.

The sources from which we obtain the data, as well as the categories of personal data we collect from such sources, are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

4.4. Marketing

As part of the aforementioned data processing, we will process your personal data for the purpose of sending marketing. The scope and purposes of such processing, as well as the lawful basis and the categories of personal data processed, are described in more detail below:

  • Sending marketing about our own products and services and those related to the purpose of the contract based on our legitimate interest and based on profiling with data from internal sources (direct marketing) (automated decision).

Once you sign up to our Services, your personal data will be used to send you marketing about Openbank products and services, including those you have already taken out (for example, communications about our loans, credits or cards). Such marketing may be sent by automated and non-automated means (by mail, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and will be relevant to you based on information obtained from our internal sources, from which we perform profiling according to your behavioural patterns.

The marketing referred to in this section includes advertisements that we display whenever you log in to Zinia, about functionalities, products and services that we think could be relevant to you based on the Services you have signed up to. If you wish, you may object to receiving this type of personalised advertising, following the instructions in Section 7. However, please note that, in any case, you will continue to receive generic advertisements that will not be based on your interests or preferences and, depending on your privacy preferences, you may also receive other types of advertising.

The goal we pursue with the creation of these profiles is to be able to carry out an analysis related to your economic and personal characteristics, based solely on the search for information from internal sources, in order to determine which related products and services best suit your situation based on two variables: your willingness to take out the product and the probability of the transaction being approved.

The profile will be created through an automated decision, to which the following logic will be applied. We will process the information you provide to determine your payment behaviour, the customer segment or segments you belong to – according to our internal classification criteria – and the periodic fulfilment of your contractual obligations. This activity may lead us to make a decision not to offer you certain products or services, depending on the risk that the bank estimates and the rating resulting from the analysis of the information obtained.

In addition, we will process your personal data to analyse your behaviour regarding the impact and success of our commercial campaigns.

This data processing will be carried out while your contractual relationship with Openbank is valid, unless you tell us otherwise through the channels provided for in Section 7 of this Privacy Policy.

Likewise, since this processing is carried out based on automated decision-making, you have the right to request an explanation regarding the decision made, to exercise your right not to be subject to a decision based solely on automated processing, requesting the involvement of one of our analysts, to express your point of view on the decision made based on profiling, and to object to it.

The legal basis of this data processing is our legitimate interest in promoting and offering our products and services by sending general or personalised correspondence. Openbank’s main interest in carrying out this data processing is to maintain our relationship with you by offering new products and improving the terms and conditions of the products and/or services you have signed up to, and offering you information about Openbank and its products that could be relevant to you. We consider that the aforementioned data processing activities do not constitute an impediment to the normal exercise of your rights and freedoms, as they are considered normal practice within the business sector, so we understand that the receipt of this type of correspondence will not be detrimental to your expectations. We also undertake to use the least harmful means to carry out such data processing activities.

The categories of personal data we use in the framework of this processing are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

  • Sending marketing about our own products and services based on information obtained from and profiling with internal and external sources (automated decision).

As long as you have given us your express prior consent, we may send you relevant marketing about Openbank products and services (for example, marketing about our loans, credit or cards), while our contractual relationship remains valid. Such marketing may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into account the analysis of your Customer commercial profile.

The marketing referred to in this section includes advertisements that we display whenever you log in to Zinia, about functionalities, products and services that we think could be relevant to you based on the Services you have signed up to. If you wish, you may object to receiving this type of personalised advertising, following the instructions in Section 7. However, please note that, in any case, you shall continue to receive generic advertisements that will not be based on your interests or preferences and, depending on your privacy preferences, you may also receive other types of advertising.

The goal we pursue with the creation of these profiles is to be able to carry out an analysis related to your economic and personal characteristics, in order to determine which products marketed by this bank best suit your situation based on two variables: your willingness to take out the product and the probability of the transaction being approved.

This profile will be created following an analysis of your behavioural and risk patterns, from internal sources such as payment details, as well as the information obtained from external sources.

The profile will be created through an automated decision, in which the following logic will be applied. We will process the information you provide to determine your payment behaviour, the customer segment or segments to which you belong—according to our internal classification criteria—and the periodic fulfilment of your contractual obligations. This activity may lead us to make a decision not to offer you certain products or services, depending on the risk we estimate, and the rating determined following analysis of the information obtained.

It is important that you understand that this data processing activity is limited to the aforementioned purpose, which is to recommend Openbank products and services to you based on data obtained from internal and external sources.

Likewise, since this processing is carried out based on automated decision-making, you have the right to request an explanation regarding the decision made, to exercise your right not to be subject to a decision based solely on automated processing, requesting the involvement of one of our analysts, to express your point of view on the decision made based on profiling, and to object to it.

The legal basis of this data processing is obtaining your prior informed consent. You can withdraw the consent provided to Openbank at any time through the channels provided for in Section 7 of this Privacy Policy.

The sources from which we obtain the data, as well as the categories of personal data we collect from such sources, are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

  • Sending marketing about third-party products and services based on profiling with internal and external sources (automated decision).

Provided you have given us your prior express consent, Openbank may send you relevant marketing about third-party products and services (for example, marketing about promotions or discounts offered by such third parties). Such marketing may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into account the analysis of your Customer commercial profile.

The marketing referred to in this section includes advertisements that we display whenever you log in to Zinia, about functionalities, products and services offered by third-party companies. If you wish, you may object to receiving this type of personalised advertising, following the instructions in Section 7. However, please note that, in any case, you shall continue to receive generic advertisements that will not be based on your interests or preferences and, depending on your privacy preferences, you may also receive other types of advertising.

With regard to third-party companies from which we will send you marketing about products and services, please note that such companies carry out their business activity in – but not limited to – the following sectors: financial, insurance, leisure and tourism, entertainment, telecommunications, information society, retail, luxury, health, food and beverage, automotive, hospitality, department stores, energy, real estate and security services, among others.

The goal we pursue with the creation of these profiles is to be able to carry out an analysis related to your economic and personal characteristics, in order to determine which products marketed by such third-party companies best suit your situation based on two variables: your willingness to take out the product and the probability of the transaction being approved.

This profile will be created following the analysis of your behavioural and risk patterns. So, for example, if the information we have about you shows that you are interested in technology products, we shall send you marketing about products offered by companies in this sector. We also use other internal sources, such as payment details, as well as information obtained from external sources.

The profile will be created through an automated decision, in which the following logic will be applied. We will process the information you provide to determine your payment behaviour, the customer segment or segments to which you belong—according to our internal classification criteria—and the periodic fulfilment of your contractual obligations. This activity may lead us to make a decision not to offer you certain products or services, depending on the risk we estimate, and the rating determined following analysis of the information obtained.

It is important that you understand that this data processing activity is limited to the aforementioned purpose, which is to recommend third-party products and services to you.

Likewise, as this processing is carried out based on automated decision-making, you have the right to request an explanation regarding the decision made, to exercise your right not to be subject to a decision based solely on automated processing, requesting the involvement of one of our analysts, to express your point of view on the decision made based on profiling, and to object to it.

The legal basis of this data processing is obtaining your prior informed consent. You can withdraw the consent provided to Openbank at any time through the channels provided for in Section 7 of this Privacy Policy.

The sources from which we obtain the data, as well as the categories of personal data we collect from such sources, are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we will also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

  • Transferring data to other companies of the Santander Group for sending marketing and promotional offers about their products and services.

Provided that you have given us your prior express consent, Openbank may transfer your personal data to other companies of the Santander Group in order to allow them to offer you their products and services that could be relevant to you.

The companies to which we may transfer your personal data are those of the Santander Group (in accordance with Article 42 of the Commercial Code).

Such marketing may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into account the analysis of your Customer commercial profile, based on the information provided to such third parties.

This profile will be created following the analysis of your behavioural and risk patterns, other internal sources such as payment details, as well as information obtained from external sources.

It is important that you understand that this data processing is limited to the aforementioned purpose, which is to transfer your personal data to other companies of the Santander Group so that they can offer you other products and services of the Santander Group.

The legal basis of this data processing is obtaining your prior informed consent. You can withdraw the consent provided to Openbank at any time through the channels provided for in Section 7 of this Privacy Policy.

The categories of personal data we use in the framework of this processing are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we will also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

4. 5. Risk and behavioural model design and training

It is important to us that we have a solid understanding of the needs for products and services, as well as the creditworthiness and consumption habits of our active Customers. Therefore, we will carry out pseudonymisation and/or anonymisation procedures on your personal data that we will use to design and train algorithms, allowing us to create different behavioural and risk models, which we will then use to carry out profiling activities on active Customers. Specifically, in order to design and train our behavioural and risk models, we use pseudonymised and/or anonymised personal and financial information from both our own sources as well as external sources.

While your personal data will be used to design and train our behavioural and risk models, this processing linked exclusively to such design and training will not have any individualised legal consequences on you and, upon training the model, at no time will we use your identifying personal data.

Subsequently, and in other cases of personal data processing as explained in previous sections of this Policy, we will be able to use these behavioural and risk models to compare with our Customer database, to profile our Customers, both for marketing purposes (sending advertising) and to analyse and assess your level of risk and creditworthiness and your propensity to take out any of our products.

We also have a control model at Openbank that ensures the quality of the information of the algorithms used for designing our behavioural and risk models.

The legal basis of this processing is our legitimate interest in designing, creating and offering innovative and efficient financial products and services to our Customers based on the different behavioural and risk models created by our algorithms.

The sources from which we obtain the data, as well as the categories of personal data we collect from such sources, are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we will also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

5. How long do we keep your personal data for?

Openbank will keep your data for as long as required to undertake the purpose for which they were collected and, subsequently, they will be blocked for the corresponding retention period provided for by law or as per the statute of limitations. After these periods, where applicable, Openbank will destroy or completely anonymise the data.

The blocking of your data implies Openbank refraining from carrying out any processing of your data. However, your data will be retained for the purpose of making them available to the competent public administrations, judges, courts and tribunals or the Public Prosecutor's Office in relation to any liability that may arise from the contractual relationship held with you or relating to the processing of such data.

Furthermore, if you are a customer, we will process your data until your contractual relationship with Openbank terminates. After said termination, as a general rule, we will keep your personal data blocked. Please note that some actions provided for by consumer law, such as injunctions or actions for declaration of nullity, are not subject to any statute of limitations.

6. Who will your personal data be shared with?

  • Authorities: to those third parties to whom we are legally obliged to provide information, such as public bodies, tax authorities, courts and tribunals.
  • Anti-fraud service providers: Emailage Ltd. and Confirma Sistemas de Información, S.L. in order to detect and prevent potential fraud attempts, complying with and respecting the procedures, rights and guarantees that the laws in force establish and grant you at all times.

With regard to the CONFIRMA Database, we are required to inform you of the following:

“The requesting persons are informed that the data of this request is reported to the Confirma database, the purpose of which is to compare requests and transactions registered in the database by the participating banks in order to detect possible fraud when signing up. This purpose implies, among others, assessing the probability of fraud from the request. The lawful basis for the processing of personal data is the legitimate interest of the joint data controllers to prevent fraud (Recital 47 GDPR), in order to avoid potential negative economic consequences and possible legal infringements by the requesting persons. Consulting the Confirma database is suitable for the purpose sought, and proportionate relative to the benefit obtained by the joint data controllers and the impact on the privacy of the requesting persons. In addition, the data processing falls within the reasonable expectations of the data subjects as it is a common practice and occurs within the framework of taking out a product/service or during the contractual relationship. To prevent damage and negative consequences for requesting persons, technical and organisational measures have been adopted to reinforce the confidentiality and security of this information.

The maximum term for data retention is five years.

The joint data controllers are Member Banks of the Confirma Database Regulations, and the data processor is Confirma Sistemas de Información, S.L., with address at Avda. de la Industria 18, TRES CANTOS (28760) MADRID. Requesting persons may consult the list of current Bank signatories to the Confirma Database Regulations on the website www.confirmasistemas.es.

The Confirma Database is accessible to banks that are signatories of its Regulations and that, in their field of activity, could be subject to fraud during the formalisation of agreements.

The Member Bank signatories of the Confirma Database Regulations may consult the data reported to the Confirma Database. No transfer of data to a third-party country or international organisation is envisaged.

In accordance with the data protection regulations in force, data subjects may exercise their rights of access, rectification, erasure, objection, restriction to processing, not to be subject to a legally binding decision based solely on automated processing, and portability, by contacting the data processor, CONFIRMA SISTEMAS DE INFORMACIÓN, S.L., at the above address. Data subjects may also exercise their right to file a claim with the Supervisory Authority.

CONFIRMA SISTEMAS DE INFORMACIÓN, S.L., has appointed a Data Protection Officer who can be contacted via email dpo@confirmasistemas.es for requests regarding privacy related to the Confirma Database.”

With regard to the EMAILAGE Database, please note that the company Emailage Ltd. is established in the United Kingdom. Emailage Ltd. is also the data controller for your personal data and shall use it for the purposes set out in its privacy policy. You can exercise your data protection rights with Emailage at privacy@emailage.com.

  • Portfolio purchase companies: We may transfer existing debts to portfolio purchase companies in accordance with the procedures, rights and guarantees established and provided for by the applicable regulations. The said transfer will involve reporting the following categories of data relating to you to the portfolio purchase company (which will act as a separate data controller): contact and identification details; financial and insurance data; information on goods and services transactions; as well as any data that we may obtain within the framework of the contractual relationship with you. The lawful basis for carrying out the aforementioned transfer of data is our legitimate interest in the management of our Customers’ debt portfolio and the sale thereof to third parties in order to obtain a financial profit, in accordance with Article 6.1.f) of the GDPR. The portfolio purchase company will process your personal data in accordance with its own privacy policy. In any case, we will provide you with the details of the portfolio purchase company at the time of the debt transfer.
  • Credit reference files. In the event of default, we shall send the data to CIRBE and to credit reference files (ASNEF Database and BADEXCUG Database), complying with the procedures and safeguards established at all times and recognised by the laws in force.
  • Companies of the Santander Group. We shall share your data with companies of the Santander Group (in accordance with Article 42 of the Commercial Code), provided that you have given us your prior express consent, in order to allow the latter to offer you their products and services that could be relevant to you.
  • Service providers and subcontractors: we will collaborate with third-party service providers which may have access to your personal data, and process them on our behalf, as a consequence of the services they provide us. We follow strict criteria in selecting our service providers so as to comply with the corresponding data protection requirements and obligations, and we undertake to sign the corresponding data processing agreements with them, whereby we will impose on them, among others, the following obligations: to apply appropriate technical and organisational measures; to process the personal data for the agreed purposes and only in accordance with our documented instructions; and to delete or return to us the data once the provision of the services has been completed or terminated.

In particular, we will outsource the provision of services by third-party service providers which are part of the following sectors, among others: logistic services, legal advice, private valuation services, supplier certification, multidisciplinary professional service companies, maintenance-related companies, technology service providers, IT service providers, instant messaging service providers, and call centre companies.

  • Providers that access or process your data outside the European Union: we may transfer your data internationally within the framework of some of the above-mentioned services offered by third-party providers. The purpose thereof will always be the maintenance and management of the contractual relationship you have with us or the prevention of fraudulent actions or transactions. These transfers are made both to countries that offer an adequate level of protection, comparable to that of the European Union, and also to countries without such a level. In the latter case, we use several mechanisms established by applicable regulations to comply with all safeguards when dealing with your personal data, such as standard contractual clauses or certification mechanisms. You can obtain more information about any international data transfers we carry out by sending an email to privacidad.es@zinia.com.

7. Your data protection rights

You have the following rights, which you can exercise at any time:

  • Right of access: you have the right to know whether or not Openbank processes personal data relating to you and, if so, to access such data.
  • Right to data portability: you have the right to receive a copy of the personal data you have provided us, in a readable, structured and commonly used format, and also to request its transfer to another institution.
  • Right to rectification: you have the right to request that inaccurate data be corrected.
  • Right to erasure: you have the right to request erasure of your data when, among other things, they are no longer necessary for the purpose for which they were provided.
  • Right to object: under certain circumstances, you can object to the processing of your personal data. If you object, Openbank will stop processing the data, except where there are compelling legitimate reasons for doing so, or for the exercising or challenging of possible claims.
  • Right to restriction of processing: under certain circumstances laid down in the applicable data protection legislation, you can request that the processing of your data be restricted.
  • Right to withdraw your consent: you are entitled, at any time and without providing specific reasons, to withdraw the consent you previously and specifically provided. The withdrawal of the consent will not affect the lawfulness of the data processing activities carried out based on that consent prior to its withdrawal.
  • The right not to be subject to exclusively automated decisions: in the event that you have consented to the profiling and that this is done through an exclusively automated process, you can request the intervention of one of our analysts, express your point of view and challenge the decisions made on the basis of said profiling.

You may exercise the aforementioned rights through the following channels:

  • Email address: privacidad.es@zinia.com.
  • Postal address: Privacy, Open Bank, S.A., Plaza de Santa Bárbara, 2, 28004 Madrid, España.
  • Location: Plaza de Santa Bárbara, 2, 28004 Madrid, España.
  • Telephone number: +34 910 870 271.

Finally, you can submit a claim to Openbank and/or the Spanish Data Protection Authority (the supervisory authority competent in the field of data protection), particularly if you have not been satisfied with the process of exercising your rights, by writing to the above-mentioned address or via the website www.aepd.es. If you live in an EU member state, other than Spain, you can also directly contact your national data protection supervisory authority.

8. Keeping your data up to date

To enable us to communicate with you, please ensure that all the information you provide for our databases is true, complete, accurate and completely up to date.

If the personal information you have provided us, particularly your postal address, email address and telephone number (landline and mobile) has changed, we kindly ask you to immediately inform us through any of the channels referred to in Section 7.

In the event that you do not notify us of such changes, you acknowledge and agree that all communications sent by us to the postal address or email address or to the contact telephone numbers that feature in our filing systems are valid, binding and in full force and effect.

9. Use of cookies

At Openbank, we use cookies, for example, to remember who you are when you log in to your Customer Area and to customise content that is relevant to you based on your browsing habits.

When you visit the Zinia website, we shall inform you about the cookies we use, and you shall be able to configure the analytics, advertising and personalisation cookies you use when browsing the Zinia website. You may refer to our Cookie Policy for more information.

10. Amendments to the Privacy Policy

We are committed to keeping this Privacy Policy updated to reflect any new developments that occur in relation to the scope of the processing of your personal data. As such, it is important that you take the time to read and understand this Policy. We will notify you of any amendments made to this Privacy Policy by email.

In the event of any dispute regarding or discrepancy between the Spanish and the English version of this Privacy Policy, the Spanish version shall take precedence.
