Privacy Policy

This privacy policy (hereinafter, the “Privacy Policy” or the “Policy”) is intended to regulate and provide information on the processing of personal data carried out by Open Bank, S.A., (hereinafter, “Openbank”) in relation to the service ‘Flexible Payment by Zinia By Santander’ (hereinafter, the “Service”).

This Policy applies to any individual whose data are processed in connection with the Service, including potential customers, existing customers, former customers or third parties involved, such as guarantors and authorised parties, etc.

This Policy provides information regarding the categories of personal data we process, the means through which we have obtained your personal data, the purposes for which we collect and process your personal data, the lawful basis for such processing, the recipients of the data, the duration for which it will be stored, the rights granted to you under the regulations regarding your personal data, as well as any other information relevant to privacy that we consider necessary to provide to ensure transparency at all times.

Please note that, throughout your relationship with us, in addition to providing you with this Privacy Policy, we will inform you, separately and additionally, of certain data processing activities that may take place.

We kindly ask you to take the time to read and fully understand its content. If you have any queries, please contact our Data Protection Officer, whose contact details are provided below.

2. Who is the data controller responsible for your data?

In accordance with Article 4.7 of the General Data Protection Regulation (GDPR), the data controller is:

Open Bank, S.A.

Plaza de Santa Bárbara, 2, 28004, Madrid.

For any matter related to data protection, please contact the Data Protection Officer by sending an email to privacidad.es@zinia.com

3. What data do we process and how do we obtain it?

In relation to the Service and your relationship with us, we will process the following categories of data:

Identification data: Tax Identification Number/National ID number; full name; address; handwritten or electronic signature/fingerprints; image/voice; Social Security number; telephone number; email address; IP address; and biometric data.
Data relating to your personal characteristics: marital status; native language; physical characteristics; family information; date of birth; place of birth; age; and sex and nationality.
Data relating to social circumstances: licences, permits or authorisations; membership with clubs or associations; hobbies and lifestyle; property and possessions; family situation and housing characteristics.
Sensitive data: health data or data relating to the commission of criminal offences, where applicable.
Academic and professional data: training and qualifications; student record; professional experience; and membership of professional associations.
Data relating to employment: profession, job, non-financial payslip data and employee history.
Data relating to commercial information: activities and businesses; commercial licences; subscription to publications; and artistic, literary or scientific works.
Economic, financial and insurance data: income and revenue; tax deductions; investments and assets; information on insurance, mortgages, and loans taken out; guarantees; banking information, subsidies and benefits; pension and retirement plans; credit history; financial payroll data; and credit card.
Data on transactions of goods and services: compensation or indemnities; financial transactions; and goods and services received or supplied.

We process the personal data that we receive directly from you, for example, through recruitment application forms, as well as personal data obtained from internal sources, such as: (i) data derived from our contractual relationship with you; (ii) data obtained as a result of your interaction through our website and/or app; and (iii) inferred data that we deduce and/or obtain from information you have previously provided to us (such as when we create profiles).

Similarly, in addition to the above personal data, as explained in more detail below, we will process personal data about you that we obtain from the external sources described below, complying with the procedures, rights and guarantees established at all times by current legislation:

Public Administration bodies, such as the Ministry of Finance, the General Treasury of Social Security and the AEAT.
Registers and publicly accessible sources, such as the Telecommunications Number Register of the CNMC, the National Statistics Institute, and the Public Insolvency Register, where various procedural and insolvency rulings and/or out-of-court agreements concerning insolvent debtors may be consulted.
The following databases: (i) ASNEF-Equifax Servicios de Información sobre Solvencia y Crédito, S.L. Database (hereinafter, the “ASNEF Database”) and (ii) Experian Bureau de Crédito, S.A. database (hereinafter, the “BADEXCUG Database”) from which we will obtain information regarding your creditworthiness and any potential outstanding debts.
Credit information databases, such as the Central Credit Register of the Bank of Spain (hereinafter, the “CIRBE”), a public service established under Law 44/2002 of 22 November on Financial System Reform Measures, which provides risk data necessary for banks to carry out their financial activities. In accordance with the aforementioned regulation, Openbank is entitled to obtain reports on the risks of individuals or legal entities recorded in the CIRBE, provided that they have applied for a loan or any other risk-related operation, have personally guaranteed such an operation, or appear as liable parties or guarantors in bills of exchange or credit instruments whose acquisition or negotiation has been requested from Openbank. To obtain the aforementioned CIRBE information, we will ask for your authorisation in order to demonstrate that we have informed you accordingly, as required by the applicable regulations.
Fraudulent data detection databases that we consult, such as the CONFIRMA and ThreatMetrix databases.
Third-party companies to which you have given your consent to share your data with Openbank, or that otherwise lawfully transfer your data to Openbank in accordance with applicable legislation, such as third-party companies with which we collaborate to offer you more favourable terms (e.g., incentives, discounts) or to provide you with services, as well as other Santander Group banks of which you are a customer.
Amazon EU S.A.R.L. as described in section 4.1 of this policy.

4. How do we process your personal data?

Depending on your relationship with Openbank – ranging from simply expressing interest in one of our products or services without actually engaging, to becoming an Openbank customer and taking out some of the products or services we offer–, we will carry out different types of processing of your personal data. The scope of each type of processing, specifying the categories of data involved, the purposes of the processing, and the applicable legal basis, is set out below.

As the Service consists of providing a financial solution for the purchase of a product on the website of Amazon EU S.A.R.L., (hereinafter, “Amazon”), the customer’s Flexible Payment application for the purchase of such product will always be initiated on the Amazon website/app.

To process the application and manage the Service, given its association with the purchase of a product on Amazon, the latter, as an independent controller, will share the following personal data with us:

Full name.
Postal address.
Email address.
Phone number.
Loan application identifiers assigned to the customer and the necessary technical identifiers for the process.
Details of the selected loan.
Additional information from Amazon, such as the customer’s categorisation for fraud prevention purposes; regarding the product, its name, category, brand, price, and quantity; the delivery address; and any other information agreed upon and necessary for the Service.
In the event of returns or cancellations, the amounts involved and the status of the process.

Likewise, Openbank will share the following personal data with Amazon, as necessary for the maintenance and management of the Service:

Loan application identifiers assigned to the customer and the necessary technical identifiers for the process.
Details of the selected loan.
Decision regarding the provision of the Service or any alternative methods.
Information about the purchased product.
In the event of returns or cancellations, the amounts involved and the status of the process.

The lawful basis for this processing is:

Proper performance of the contract. Application, at your request, of pre-contractual measures and the execution and fulfilment of our contractual obligations in relation to the Service.

4.2. Provision of the Service

Openbank will process your data for the establishment and management of the contractual relationship with you as a customer of the Service, including registration, acceptance of terms and conditions, contract signing, customer service, and any management related to the relationship between the parties.

The lawful basis for this processing is:

Proper performance of the contract. Application, at your request, of pre-contractual measures and the execution and fulfilment of our contractual obligations in relation to the Service.

4.3. Zinia User

As a Zinia user, Openbank processes your data to maintain your profile on Zinia and to provide you with all the services, in accordance with its terms and conditions.

The lawful basis for this processing is:

Proper performance of the contract.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data; and economic, financial, and insurance data.

4.4. Information Validation

4.4.1. Identity Verification

In compliance with anti-money laundering and counter-terrorism financing regulations, as well as for the implementation of fraud prevention measures, Openbank will process your personal data to verify your identity.

To this end, during the process we will request that you provide a photograph of your identification document so that we can verify that the information provided is correct and matches the details you have submitted. For this purpose, an automated procedure will be used, in accordance with Article 22 of the GDPR, through which the contract will be rejected if the details on the identification document do not match the information provided by the customer or the data held in our systems.

The logic applied to this decision involves verifying that the information provided by the customer during the process matches the details on the ID document, such as the first and last name. This information will subsequently be subject to fraud prevention procedures, as described in the following section.

The lawful basis for this processing is:

Proper performance of the contract. Application, at your request, of pre-contractual measures and the execution and fulfilment of our contractual obligations in relation to the Service.
Legal obligation. Specifically, Openbank will reliably identify you to comply with Law 10/2010 on Anti-Money Laundering and Counter-Terrorism Financing, Directive (EU) 2018/843 of the European Parliament and of the Council and Royal Decree-Law 7/2021 on the transposition of European Union directives and other applicable regulations on Anti-Money Laundering and Counter-Terrorism Financing.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data; and information relating to your personal characteristics.

Additionally, with the goal of reliably identifying you in accordance with anti-money laundering and counter-terrorist financing regulations, Openbank may provide you with the following identification methods:

a) Bizum

Openbank will process the data obtained through the Bizum service and provided by the company you choose to make the transfer to, in order to reliably identify you.

The lawful basis for this processing is:

Proper performance of the contract. Application, at your request, of pre-contractual measures and the execution and fulfilment of our contractual obligations in relation to the Service, in compliance with anti-money laundering and counter-terrorist financing regulations.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data; IBAN; information relating to your personal characteristics.

b) Account aggregation service or account information service of Tink AB

Openbank will process the data obtained through these services, provided by Tink AB (acting as an independent data controller) and by the bank you choose, to reliably identify you. This identity verification will be carried out using the account number you have linked through Tink.

The lawful basis for this processing is:

Proper performance of the contract. Application, at your request, of pre-contractual measures and the execution and fulfilment of our contractual obligations in relation to the Service, in compliance with anti-money laundering and counter-terrorist financing regulations.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data; IBAN; and information relating to your personal characteristics.

c) Video self

Openbank will process your personal data, including your voice and image, to reliably identify you using the video selfie method, through a facial recognition procedure that involves the processing of biometric data.

The lawful basis for this processing is:

The explicit consent you have given us to process this data.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data; and information relating to your personal characteristics.

d) Payment

When a payment is made during the process, Openbank will process the data related to the payment to reliably identify you.

The lawful basis for this processing is:

Proper performance of the contract. Application, at your request, of pre-contractual measures and the execution and fulfilment of our contractual obligations in relation to the Service, in compliance with anti-money laundering and counter-terrorist financing regulations.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data; and economic and financial data.

4.4.2. Account ownership verification

When you are about to enter into a contract with a third party that involves a payment via direct debit or current account, Openbank will process your data to verify that you are the account holder. This verification will be carried out using the account aggregation or account information services of Tink AB (acting as an independent data controller), which receives this information from the bank you select.

The lawful basis for this processing is:

Proper performance of the contract. When setting up the direct debit, this verification must be carried out.

The categories of personal data that Openbank will process are: identifying data.

4.4.3. Verification of the data provided

In compliance with the accuracy principle (Article 5 (1)(d) of the GDPR), Openbank must ensure that the data it holds about you is accurate and, where necessary, up to date; as well as apply fraud prevention measures. Therefore, during the process, we will validate some of the data you provide, such as your phone number or email address, and during your relationship with us, we may ask you to review and update the information in your Customer Area.

The lawful basis for this processing is:

The bank’s legitimate interest in confirming that the information provided is accurate and corresponds to you.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data; and information relating to your personal characteristics.

4.5. Analysis

4.5.1. Risk analysis and fraud prevention and detection

At Openbank, we are legally required to take the necessary measures to prevent and detect fraud, and we are committed to doing so to protect our customers against potential fraudulent or criminal activities, such as identity or password theft.

Accordingly, during the application process, we will check for signs of fraudulent activity using tools provided by companies specialising in fraud prevention. Through a process involving automated decision-making, we assess the data and information provided during your application to detect and prevent potentially fraudulent activity. We will also carry out various checks, such as verifying your identity and identifying any inconsistencies in the information provided, before you enter into a contract with us.

The consequence of these automated decisions is that, based on the analysis carried out, we will determine whether the identifying data provided is reliable and, therefore, whether we can proceed with your application to subsequently carry out a creditworthiness assessment.

To do this, we will use the data you provide (such as your email domain, age, and variables associated with the application you are making, as well as other variables and metadata related to the devices you use to submit your application, the browser you use, or the operating system); internal data from Openbank, including information we hold about you, such as your previous use of our services and data related to the device you use to request the Service; data from external sources (fraud prevention tools and service providers we consult and collaborate with, as explained in this section); information from public records, such as the Telecommunications Number Registry of the CNMC; and information shared with us by Amazon, as the data controller, regarding your purchase (product, category, brand, price, quantity, and delivery address) and their assessment of you as their customer in relation to “Fraud Prevention and Credit Risk.” For more information, please read Amazon’s Privacy Policy here or contact them directly.

We will determine whether or not you pose a fraud risk when our processing shows that your behaviour indicates possible fraudulent conduct, that it is inconsistent with your previous use of our services, or that you have attempted to hide your true identity. If you are not approved under the automated decisions described in this section, you shall not be given access to the Service.

In certain cases where an attempted fraud or suspected fraudulent activity is detected, the data will be used to proactively block the operation and, if necessary, to terminate the business relationship with the customer.

We have several control mechanisms in place to ensure that our automated decisions are correct. These mechanisms include ongoing testing and review of our decision models and exhaustive documentation of rejected applications and the rationale behind such decisions. If you have any concerns about the outcome, you can contact us and one of our analysts shall personally intervene to determine if the procedure was properly performed. You may also object in accordance with the following instructions.

Under the data protection law, you have the right to object to any automated decision with legal consequences or decisions that could otherwise significantly affect you. In this case, you can do this by sending an email to privacidad.es@zinia.com. Upon receiving your application, we will review the decision, taking into account any additional information and circumstances you may provide.

To carry out this processing, we will exchange information with third parties (including personal data) to the extent necessary to detect and prevent fraud, with the following third parties:

a. Emailage

We use the “Emailage” service provided by LexisNexis Risk Solutions (Europe) Limited (hereinafter, “LexisNexis”), which acts as the data controller. You can find more information on how they process your data in their privacy policy. You can exercise your data protection rights with respect to LexisNexis here.

We will process your email address and IP address through Emailage to generate a fraud risk rating. For this purpose, LexisNexis compares and evaluates the supplied data points with associated metadata (email data, IP geolocation data) and previous customer queries and fraud indicators provided to the LexisNexis global fraud network.

By using our fraud risk score alongside other checks we may carry out, we can assess the risk associated with the application or transaction and make decisions in an effort to detect and prevent fraud.

b. Threatmetrix

We use the “ThreatMetrix” service provided by LexisNexis, acting as a data processor on behalf of Openbank.

This service assists us in our fraud prevention processes by creating a device ID and determining the unique characteristics of the device (device fingerprints).

Device fingerprint data: IP address, location data, the start, end, and duration of web pages visited during the session, and other device information (language and country settings, screen information, colour depth, and information about installed browsers, plug-ins, software, and versions).

Transaction data: Title, first name, last name, and maiden name, date of birth, email address, phone number, and address (street, house number, postcode), as well as the amount of the funds requested.

The data mentioned above is stored and processed in order to prevent misuse and fraud, as described above.

c. CONFIRMA database.

This database is owned by Confirma Sistemas de Información, S.L. The data we share with them consists of information on goods and services transactions, which allows the generation of alerts and indicators to prevent potentially fraudulent activity related to these operations, for subsequent analysis. With regard to the CONFIRMA Database, we are required to inform you of the following:

“The requesting persons are informed that the data of this request is reported to the Confirma Database, the purpose of which is to compare requests and transactions registered in the Database by the participating banks in order to detect possible fraud when signing up. This purpose implies, among others, assessing the probability of fraud from the request. The lawful basis for the processing of personal data is the legitimate interest of the joint data controllers to prevent fraud (Recital 47 GDPR), in order to avoid potential negative economic consequences and possible legal infringements by the requesting persons. Consulting the Confirma database is suitable for the purpose sought, and proportionate relative to the benefit obtained by the joint data controllers and the impact on the privacy of the requesting persons. In addition, the data processing falls within the reasonable expectations of the data subjects as it is a common practice and occurs within the framework of a contract application. To prevent damage and negative consequences for requesting persons, technical and organisational measures have been adopted to reinforce the confidentiality and security of this information.

The maximum term for data retention is five years.

The joint data controllers are Member Banks of the Confirma Database Regulations, and the data processor is Confirma Sistemas de Información, S.L., with address at Avda. de la Industria 18, TRES CANTOS (28760) MADRID. Requesting persons may consult the list of current Bank signatories to the Confirma Database Regulations at the website www.confirmasistemas.es.

The Confirma Database is accessible to banks that are signatories of its Regulations and that, in their field of activity, could be subject to fraud during the formalisation of contracts.

The Member Bank signatories of the Confirma Database Regulations may consult the data reported to the Confirma Database. No transfer of data to a third-party country or international organisation is envisaged.

In accordance with the data protection regulations in force, data subjects may exercise their rights of access, rectification, erasure, objection, restriction on processing, not to be subject to a legally binding decision based solely on automated processing, and portability, by contacting the data processor, CONFIRMA SISTEMAS DE INFORMACIÓN, S.L., at the above address. Data subjects may also exercise their right to file a claim with the Supervisory Authority.

CONFIRMA SISTEMAS DE INFORMATION, S.L., has appointed a Data Protection Officer who can be contacted via email dpo@confirmasistemas.es, for privacy-related requests concerning the Confirma Database.”

For the analyses we carry out, we use the information you provide during the registration process, such as your email domain, age, and variables associated with the application you are submitting, as well as other variables and metadata related to the devices you use to submit your application, the browser you use, or the operating system. We also use information from publicly accessible sources obtained from the INE, specifically income data based on your postcode, using household income statistics. Information last updated: 2023.

In addition, we may consult and obtain information from public records such as the public number registry (hereinafter, the “Telecommunications Number Registry”) of the National Securities Market Commission (CNMV) created under Royal Decree 2296/2004, of 10 December, approving the Regulation on electronic communications markets, network access and numbering. This registry contains information on which operator each assigned phone number corresponds to. If we verify in the Telecommunications Number Registry that your phone number is assigned to certain telecommunications operators, we will consider this as one of the factors which, together with others, could allow us to infer the existence of certain behaviours or patterns indicative of potentially fraudulent activity. These factors will be assessed collectively when determining whether to grant a product or service.

Please note that, as we are subject to anti-money laundering and counter-terrorist financing regulations, we will use the relevant information detailed in this section to prevent money laundering and terrorist financing, and to take the appropriate due diligence and reporting measures in accordance with the aforementioned regulations. This is because, in order to comply with the regulations, we must analyse and consider any complex, unusual, or economically unjustified behaviour that may indicate a potential offence against assets or the socio-economic order, such as fraud or scams in general.

The lawful basis for this processing is:

Proper performance of the contract. Application, at your request, of pre-contractual measures and the execution and fulfilment of our contractual obligations in relation to the Service, in accordance with Article 22 (1)(a) of the GDPR.
Legal obligation. In particular, Openbank will carry out this processing in compliance with Decision (EU) 2016/456 of the European Central Bank, of 4 March 2016, regarding the conditions governing the investigations carried out by the European Anti-Fraud Office within the European Central Bank in the fight against fraud, corruption and any illegal activity affecting the financial interests of the Union (ECB/2016/3) (consolidation) (OJEU of 30 March) and Law 10/2010 of 28 April on Anti-Money Laundering and Counter-Terrorism Financing.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data; information relating to your personal characteristics; economic, financial, and insurance data; device data (IP address, location, websites visited, and other device information such as language, country, installed browsers, software versions, etc.); and unique identifiers, as explained throughout this section.

4.5.2. Creditworthiness analysis

We will process your personal data, obtained through Amazon, provided directly by you, and obtained from external sources explained below, in order to analyse and manage the approval of the provision of the Service and, if the Service is ultimately provided, to fulfil the obligations arising from it and maintain the contractual relationship with you.

In this way, submitting a Service application entails that Openbank will cross-check and profile your data according to the behavioural and risk models we have designed to predict your risk of default and thereby prevent situations that could be detrimental both to Openbank and to you (due to the risk of over-indebtedness)—in line with responsible lending regulations—and in compliance with the procedures, guarantees, and rights established by applicable law at all times. These obligations will remain in effect throughout the entire contractual relationship with our customers.

Accordingly, when you apply for the Service, as well as for its ongoing monitoring, we will use the aforementioned models to carry out profiling and assess your creditworthiness and financial capacity based on data obtained through Amazon, data provided directly by you or obtained from our internal sources, and information obtained from the following external sources:

ASNEF Database and BADEXCUG Database, which contain data on the non-fulfilment of financial obligations.
CIRBE, a public database, collects the information on loans, credits (direct risk), guarantees, and collateral (indirect risk) that each reporting bank holds with its customers.
Public Administration bodies such as the Tax Agency, the Basque Country Tax Authority and the Navarre Tax Authority.
Public registry of the INE: list of municipalities and codes by provinces as of 01/01/2010; official population figures resulting from the review of the Municipal Register as of 1 January 2022; and census section mapping and street maps from the 2022 Electoral Census.
Autonomous Body National Geographic Information Centre, regulated by Royal Decree 310/2021.

Specifically, the categories of data we will obtain from these external sources are: information on your creditworthiness and potential delinquency; credit information; and geo-residential and sociodemographic information (obtained from postcode and province, including population and income data).

In addition, please note that, as part of the correct performance of the contract, during the Service application process, we may request sufficient evidence of your declared income. For this purpose, we can provide you with two options:

Submission of evidence through the account aggregation service of Tink AB (hereinafter, “Tink”). Please note that Tink will also process your data as a data controller and will transfer it to Openbank according to your instructions and in accordance with its privacy policy. Thus, through the accounts you have linked (external sources), we will obtain the following categories of data: your balances across different asset and liability products at other financial institutions; and the transactions on these accounts (including information on dates, amounts, descriptions, the sender of the transfer, and the recipient).
Submission of evidence through access to the General Treasury of Social Security (hereinafter, the “TGSS”). Openbank will provide you with a simple system to access the TGSS and provide us with the information held by the TGSS, including your employment history and/or contribution records, thereby allowing us to verify your employment status.

The logic applied to this automated profiling will involve analysing the amount of the requested loan and its term, together with the data obtained from the information sources mentioned above (both internal and external), in order to determine whether you will be able to meet the repayment of the requested loan and to assess the risk of over-indebtedness.

By combining all information sources and the analytical capabilities of our behavioural and risk models, it is possible, through a profiling process, to infer the payment behaviour of the personal loan applicant. This ensures that the customer’s repayment capacity is sufficient to cover the instalments arising from the requested amount and term, leaving an adequate remainder to meet their basic needs.

Please note that, as a result of this profiling, we may also approve or deny your Service application, for example, if we determine that, given your current indebtedness, you are unable to manage the repayment of future debts. If your application is denied, you will be duly informed, with specific notice provided if the denial is solely due to an existing debt with another entity recorded in a credit information system.

You may request information about the result of said profiling in order to receive an explanation as to the decision made, express your point of view regarding said decision, object to the result of the profiling, and request involvement from the responsible team within Openbank to review the decision made as a result of the profiling. You may submit any additional documentation you consider necessary for this purpose.

The lawful basis for this profiling includes the following:

Proper performance of the contract. Application, at your request, of pre-contractual measures and the execution and fulfilment of our contractual obligations if you ultimately take out the loan.
Legal obligation. In compliance with the Guidelines on Loan Origination and Monitoring issued by the European Banking Authority and adopted by the Bank of Spain (EBA/GL/2020/06), Order EHA/2899/2011, of 28 October, on transparency and protection of banking service customers and Circular 5/2012, of 27 June, of the Bank of Spain, to credit institutions and payment service providers, regarding transparency of banking services and responsibility in loan granting.

4.6.1. Storing data for use in future product and service applications with Zinia

If you consent, we will store and use your data to facilitate future applications for products and services with Zinia.

The lawful basis for this processing is:

The explicit consent you have given us to process this data. Please note that, if you change your mind, you may withdraw the consent you have given us through the Zinia Customer Area, as indicated in section 11, “What rights do you have regarding the processing of your personal data?”.

4.6.2. Storing payment method data for future operations with Zinia

If you consent, we will store the necessary information about the payment methods you provide, such as card numbers or IBANs, to help you select them for future transactions or service applications with Zinia, thereby simplifying and speeding up these processes.

The lawful basis for this processing is:

The explicit consent you have given us to process this data. Please note that, if you change your mind, you may withdraw the consent you have given us through the Zinia Customer Area, as indicated in section 11, “What rights do you have regarding the processing of your personal data?”.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data; and economic, financial, and insurance data.

4.7. Direct debit and card payment

Openbank will process your data to manage and execute the direct debit orders you issue and to handle the card payments you make. Prior to the payment, Openbank will verify that you are the account holder of the current account selected for the direct debit.

The lawful basis is:

Proper performance of the contract. Execution of direct debit orders and card payments.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data; IBAN; and card data.

Please note that the card payment initiation service is managed by Stripe, Inc., which acts as an independent data controller and will provide you with information on its data processing separately.

4.8. Openbank general processing

4.8.1. Anti-money laundering and counter-terrorism financing

Openbank, as a bank, is required to comply with Law 10/2010, of 28 April, on anti-money laundering and counter-terrorism financing, and consequently must process your personal data for this purpose, including, but not limited to, the following activities:

Reporting, on a monthly basis, to the Financial Holdings Database, the identifying data of our customers (or that of their representatives or proxies in the case of legal-person customers) and authorised parties regarding the opening or cancellation date of accounts. The above data will form part of this Database, which is managed by the Secretariat of State for the Economy and Business Support. Please note that, in accordance with Article 23 of the GDPR and Article 32 of Law 10/2010 on Anti-Money Laundering and Counter-Terrorism Financing, the rights set out in Articles 15 to 22 of the GDPR do not apply to files and processing of personal data created and managed by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (hereinafter, “SEPBLAC”) for the fulfilment of the functions conferred on it by this Law.
Providing information on payment transactions and other necessary data, in compliance with the aforementioned regulations, to authorities or official bodies, including those both within and outside the European Union, as part of efforts to combat terrorist financing and serious organised crime, and to prevent money laundering. Of particular relevance, for these purposes, is the exchange of information between SEPBLAC and the Spanish Tax Agency, fully in accordance with the provisions of Articles 94.4 and 95.1 (i) of Law 58/2003, of 17 December, General Taxation Law.
Consultation of external databases for the purpose of anti-money laundering and counter-terrorism financing compliance. For this, available data is checked against the information in external databases, various alerts on banking transactions are established and analysed, and the appropriate measures are applied in accordance with applicable regulations.
Verify whether you are a person with public responsibilities or a politically exposed person, and, if so, apply enhanced due diligence measures in the business relationships or transactions we conduct with you.
Verify the accuracy of the information and documents you provide in order to ascertain the nature of your professional or business activity and the source of funds, and to provide them to authorities or official bodies in other countries, both within and outside the European Union, as well as to other companies within the Santander Group, within the framework of combating the financing of terrorism and serious organised crime, and preventing money laundering.
To reliably verify your identity using a valid ID document. To do so, we will store your identification document (including your image) and, if necessary, display it through any means, formats and media, for the sole purpose of verifying your identity when necessary to comply with the contract signed with you in your capacity as customer (as is the case when a claim is filed) and to meet the requirements of the competent authorities and/or comply with our legal obligations.
For the above purpose, as part of the verifiable verification of your identity, we will check that the information you provide matches the information contained in the official documents we hold (for example, your National ID number. If there is any discrepancy, we will update the information in our database or contact you to request further information in order to have the data up to date (for example, if the address on your National ID number does not match the one provided in the form, we will contact you to provide evidence of your current address).
Ongoing monitoring of the relationship maintained with customers, in compliance with anti-money laundering regulations, which includes:
- monitoring of transactions carried out with the aim of ensuring they are consistent with the information we hold about the customer in our systems and the risk assigned;
- verification of the source of the funds; and;
- monitoring of the documents and information available on the bank’s customers and requesting updates for those considered necessary.
In relation to the above points, where applicable, for example if the customer does not provide updated documents within a reasonable period, the data will be processed to block the customer’s operations. This block may affect both products and services taken out and engaged and the possibility of taking out or engaging new products and services with Openbank and or terminate the business relationship with the customer.

In accordance with anti-money laundering and counter-terrorism financing regulations, and with the aim of taking the appropriate due diligence and reporting measures, we will analyse and take into account any complex, unusual, or economically unjustified conduct, as well as any conduct or information we hold that may indicate a possible offence against wealth or the socio-economic order.

Additionally, in order to verify your identity in a reliable manner, we provide you with the procedures described in section 4.5. Validation of your identity.

The lawful basis for this processing is:

Legal obligation. In particular, Openbank will carry out this processing to comply with Law 10/2010 on anti-money laundering and counter-terrorism financing, Directive (EU) 2018/843 of the European Parliament and of the Council and Royal Decree-Law 7/2021 on the transposition of European Union directives and other applicable regulations on anti-money laundering and counter-terrorism financing.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data; biometric data derived from the facial recognition techniques used in the unattended call identification procedure; information relating to your personal characteristics; employment data; economic, financial, and insurance data; data on transactions of goods and services; data indicated in the fraud detection and prevention section; and sensitive data such as data relating to the commission of criminal offences (for example, data appearing in police and judicial reports we may receive relating to any possible offence against wealth or the socio-economic order).

4.8.2. Debt recovery and payment

We will manage the collection of any debts you may incur with us in order to resolve any potential defaults, as well as to help you avoid inconveniences and the payment of additional interest and charges, by contacting you through the various channels available at the bank, including post, telephone, SMS, instant messaging applications, email, web push, pop-ups, or any other electronic or telematic means available at any given time. We reserve the right to send you such notifications by recorded post or with acknowledgement of receipt, applying the appropriate identification measures.

Accordingly, we will process your data for the following purposes (among others):

To inform you of the existence of the non-payment, to secure its settlement, and to carry out any early collection efforts or transfer the management of the debt collection to a specialist agency.

The lawful basis for this processing is:

Proper performance of the contract.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data; and economic, financial, and insurance data.

4.8.3. Data sharing with third-party institutions

4.8.3.1. Data sharing with Santander Group banks

We will share personal data with other companies within the Santander Group of which we are a part (as provided for in Article 42 of the Commercial Code), along with any relevant transaction information, for the following purposes:

To comply with our legal obligations regarding the prevention of financial crime.
To enable Santander Group companies to comply with their legal obligations regarding anti-money laundering and counter-terrorism financing.
To enable Santander Group companies to fulfil their regulatory reporting obligations to supervisory authorities (European central bank or the SEPBLAC).

The lawful basis for this processing is:

Legal obligation. Specifically, Openbank will carry out this processing to comply with (i) our obligations for the prevention of financial crime, in particular as established in Directive 2015/849 and the Delegated Regulation of the European Union (EU) 2019/758; (ii) our obligations with regards to anti-money laundering and counter-terrorism financing; and (iii) mandatory reporting to the competent supervisory authorities.

4.8.3.2. Reports

As a banking institution, we are required to submit certain reports to various public bodies, such as the Spanish Tax Agency (AEAT) and the competent tax authorities of other countries, the Bank of Spain, the European Central Bank, SEPBLAC, among others.

Therefore, your personal data will be processed for the purpose of preparing these reports in accordance with the provisions of the applicable regulation.

The lawful basis for this processing is:

Legal obligation. Openbank will carry out this data processing to comply with the regulations applicable to it, such as, for example, in the case of tax authorities, to comply with the Foreign Account Tax Compliance Act (FATCA); and, in the case of SEPBLAC, to comply with Directive (EU) 2015/849 and Delegated Regulation (EU) 2019/758.

4.8.3.3. Reporting information to CIRBE

As a financial institution, we must comply with the legal obligations applicable to the financial system and we will process your data for the following purpose:

To report to CIRBE the risks associated with your banking transactions based on the number of loans you have requested, as well as the amounts involved, their recoverability, and, where applicable, any defaults on your part, such as failure to repay a credit or loan within the agreed term. By way of example, if you requested a loan of €3,000, to be repaid within 48 months, we will report this circumstance to CIRBE as well as any failure to pay any of the loan instalments. The purpose of such reporting is to allow other financial institutions to consult CIRBE and, based on the information shown there regarding your financial transactions and the risks inherent to them, assess your appropriateness as a customer in the event that you request any type of loan or financial product.

The lawful basis for this processing is:

Legal obligation. Specifically, Openbank will carry out this processing to comply with the legal obligations applicable to the financial system and, in particular, Law 44/2002 on Financial System Reform.

The personal data categories that Openbank will process for the purposes described above are the following: identifying information and information on goods and services transactions.

4.8.3.4. Reporting non-payment to credit information databases

In the event of any non-payment on your part during your contractual relationship with Openbank, amounting to at least €50 (provided that the debt is certain, due and payable), we will process your personal data for the purpose of:

Reporting such non-payment to the ASNEF Database. You can access additional information about the data processing carried out by this database via the above link.
Reporting such non-payment to the BADEXCUG Database. You can access additional information about the data processing carried out by this database via the above link.

Such disclosures comply with the procedures, rights and guarantees established and recognised at all times by the legislation in force.

Openbank and each of the systems will act as joint controllers of the processing of your data, which will be processed for the purpose of maintaining a record of any non-payments and may be consulted by third-party banks with which you have a contractual relationship (financial institutions, utility companies, telecommunications providers, etc.).

You may exercise your data protection rights by contacting Openbank or each of the databases indicated. For any claim regarding the existence, age, or amount of the debt, you should contact Openbank.

Please note that the data will be kept in the database for a maximum of five (5) years, unless the debt is settled before this term.

The lawful basis for this processing is:

Our legitimate interest in preventing non-payment situations that may be of detriment to us and in carrying out proper monitoring of such situations, as well as the legitimate right of third-party banks to be aware of any non-payments in order to prevent over-indebtedness, and to protect the integrity and stability of the financial and banking system. You will not be able to object to this processing, as there are compelling reasons for its execution, and it is subject to the provisions of Article 20 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data; and data relating to any non-payments or debts you have incurred.

4.8.4. Access to the device

When using the Openbank app or carrying out certain transactions via an electronic device, in addition to the processing described above, we will also use the data you provide for other purposes.

Thus, for certain processes, you will have the option to authorise us to access your device’s camera or files; for example, when we request your National ID number, you can provide it by allowing us to use your camera to photograph it.

Additionally, if you authorise it, you will be able to access your personal area in the app and verify your identity using biometric recognition systems, such as your fingerprint. The lawful basis for this processing is:

Your prior and informed consent. Please note that, if you change your mind, you may withdraw your consent as indicated in section 11 “What rights do you have in relation to the processing of your personal data?”.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying information and any other data you may provide to us through these means.

4.8.5. Recording your voice and/or image and electronic conversations held with you

Throughout your contractual relationship with Openbank, there may be situations in which we record your voice and/or image and electronic conversations we have with you relating to operations and queries. In such situations—of which you will be informed, in advance and expressly, when they occur—we will store the telephone and/or electronic conversation for the following purposes:

To conduct an internal audit of the quality of the service.
To use the recording as proof of the instructions received and/or the service provided —both in and out of court— if necessary.
Design and training of models.

The lawful basis for this processing is:

Our legitimate interest in recording your voice, as well as the electronic conversations we have stored to: (i) be able to audit the quality of our services and thus improve them and make them more efficient; and (ii) respond to information requests from the competent authorities or use the recordings as evidence in court.
Our legitimate interest in designing, creating and offering innovative and efficient financial products and services to our customers based on the different behaviour and risk models created by our algorithms.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: identifying information; economic, financial and insurance information; and data and information necessary to audit the quality of our services.

4.8.6. Capturing images through video surveillance systems at our branches

When you access one of our branches, we will capture images of you through our video surveillance systems. We will process your images captured through video surveillance systems for the following purpose:

To safeguard the integrity of our customers, as well as that of our assets and premises.

The lawful basis for this processing is:

Legal obligation. The legal obligation relating to the installation of image-capture and registration systems in banking establishments and branches, under the provisions of Organic Law 4/2015, of 30 March, on the protection of Citizen Security, Royal Decree 2364/1994, of 9 December, which approves the Private Security Regulations and Order INT/317/2011, of 1 February, on private security measures.

The categories of personal data that Openbank will process to carry out the purposes described above are as follows: identifying data (images).

4.8.7. Incident analysis and resolution

We also process your personal data to manage any incidents that may occur when using the Openbank website or app, as well as its various services and products, covering both their detection and their management and resolution.

The lawful basis for this processing is:

Our legitimate interest in detecting and resolving incidents to provide an adequate service.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data, economic, financial, and insurance data, as well as your IP address.

4.8.8. Data anonymisation

Openbank will process your data for the purpose of anonymising it (a procedure through which the information is disassociated from the individual’s identity such that, based on this anonymised information, it is not possible to identify the individual to whom it relates).

This anonymised information will be used to prepare various reports or statistics for the different analyses that the bank may require.

The lawful basis for this processing is:

Our legitimate interest in understanding and analysing the behaviour of our customers.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data.

4.8.9. Risk and behavioural model design and training

For Openbank, to know and understand the needs for financial and banking products and services, as well as the creditworthiness and consumption habits of our customers. Therefore, we will carry out pseudonymisation and/or anonymisation procedures on your personal data that we will use to design and train algorithms, allowing us to create different behaviour and risk models, which we will subsequently use to carry out profiling activities on active customers. In particular, to design and train our behaviour and risk models, we use pseudonymised and/or anonymised personal and financial information from our own sources and external sources, such as:

Information we hold about you derived from the documentation you have provided and from your contractual relationship with us (such as your transactions).
Information appearing in Openbank’s databases related to your behaviour during operations undertaken with us.
Information held in credit default files to which we have access, such as the ASNEF Database and the BADEXCUG Database.
Statistical information on income data based on the postcode corresponding to where you reside, obtained from the INE, specifically using statistical data on household income. Information last updated: 2020.
Third-party cookies for the development and improvement of products, which use information about your device and browsing behaviour, provided you have given your consent for their use on our website.

Additionally, in some of the models used, the following information is utilised:

Information from the National and regional Cadastre.
Information about companies obtained from BORME (Official Gazette of the Companies Registry) and about self-employed professionals obtained from CAMERDATA.
Lists of retailers, shopping centres and outlets.
Data on various urban planning variables and measures derived from geographic and cartographic information; data on accessibility to various points of interest.
Statistical and aggregated data on consumer profiles obtained from surveys conducted by AIMC Marcas, Estudio General de Medios, or Research Now.

While your personal data will be used to design and train our behavioural and risk models, this processing—linked exclusively to such design and training—will not have any individualised legal consequences on you and, when training the model, at no time will we use your identifying personal data.

Subsequently, and in other processing of your personal data described in previous sections of this Policy, we may use these behavioural and risk models to compare our customer database against them, to profile our customers for marketing purposes (sending advertising); to analyse and assess their level of risk and creditworthiness and their propensity to take out any of our products as well as for their authorisation; to detect and prevent potential fraud attempts; and for anti-money laundering and counter-terrorism financing compliance. Likewise, depending on the behaviour and risk model we use, we may use internal and/or external sources depending on: (i) the credit product you apply to take out; and (ii) if you are already an existing Openbank customer. The reason for which the profiling level is different depending on whether or not you are an existing Openbank customer is because, if you are a customer, we already have information on you sourced from the contractual relationship that allows us to predict your risk of default without consulting external sources.

We would also like to inform you that at Openbank we have a control model that ensures the quality of the information of the algorithms used for the design of our behaviour and risk models.

The lawful basis for this processing is:

Our legitimate interest in designing, creating, and offering innovative and efficient financial products and services to our customers based on the various behavioural and risk models generated by our algorithms, as well as to analyse and assess our customers’ level of risk and creditworthiness; to detect and prevent potential fraud attempts; and for anti-money laundering and counter-terrorism financing compliance.

The personal data categories that Openbank will process for the purpose described above are as follows: economic, financial and insurance information; information on goods and services transactions; as well as information on creditworthiness obtained from external sources such as CIRBE, ASNEF Database, BADEXCUG Database; other statistical information about income data based on the postcode for your place of residence obtained from the INE; and other metadata such as data from your device when you connect.

4.8.10. Sending messages related to your products and services and other alerts

We will process your data to send you notifications and correspondence via postal mail, email, web push, SMS, our app, and/or our website for the following purposes:

To notify you of certain circumstances related to the Service.
To send financial fraud prevention notifications and security alerts.
If you are no longer an Openbank customer, we will also process the necessary data to send you correspondence we are legally required to provide.

You can activate/deactivate and even configure some of the notifications as you wish by adjusting the settings in the “Notifications” section of the app’s main menu, or in the “Notifications” section of your Customer Area on our website. In certain cases, we reserve the right to send these notifications via a specific medium when the use of that medium is necessary to achieve the intended purpose.

The lawful basis for this processing is:

Proper performance of the contract. We may send you notifications regarding the Service.
Our legitimate interest in sending you notifications aimed at fraud prevention and security.
Legal obligation to provide you with certain documents or information during the applicable period, including after your relationship with us has ended.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: identifying information; economic, financial and insurance information.

4.8.11. Satisfaction surveys and market research

Openbank will process the personal data associated with the use of the products and services you have taken out or engaged in order to conduct customer satisfaction surveys via email, SMS, telephone or other channels, market studies or internal statistics, and prepare commercial reports to better understand the consumer habits of our customers, and thus be able to internally assess the design, creation and improvement of new products that may be of interest to our customers or enter into business agreements with third parties. If possible, we will anonymise your personal data to conduct our surveys and market research.

Within the framework of the aforementioned activities, among others, we will conduct satisfaction surveys following the Net Promoter Score (NPS) methodology, in order to identify whether our customers would recommend Openbank’s products, for which purpose your personal data may be shared with the third party managing the survey.

The lawful basis for this processing is:

Our legitimate interest in using data obtained through surveys, market research, internal statistics or business reports to improve our products and the provision of services to customers.

The personal data categories that Openbank will process for the purpose described above are the following: identifying information; economic, financial and insurance information; and browsing data.

4.8.12. Addressing your requests for information on social media

When you make use of our social media channels such as Facebook, Twitter or Instagram to request information from us or to make an enquiry, we will process your personal data using specialised tools, for the following purpose:

To streamline and optimise the answers to your questions made through social media. Please note that when you use our social media channels, the processing of your personal data will also be subject to the provisions of the privacy policy of the corresponding social media company through which you request information or make an enquiry.
Likewise, we will analyse the interactions (comments or posts) related to Openbank that you submit via different social media channels to internally determine what improvements can be implemented in our operations and the products and services we offer our customers. Thus, in the event that a large number of customers complain on social media about a specific onboarding step, we will take into account these complaints to improve the problems mentioned by users on social media; or if many customers liked a promotion and expressed this on social media, we can launch this promotion again after a while.

The lawful basis for this processing is:

Our legitimate interest in being duly able, in the quickest and most attainable way, to address enquiries from our customers submitted to us through social media, as well as offering an efficient and simple operation and products which are adapted to the expectations and needs of our customers.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data.

4.8.13. Campaigns, prize draws and promotions

Whether or not you are an Openbank customer, we will process your data when you participate in prize draws and promotions or attend events we organise, in order to manage your participation or attendance (including verifying compliance with the requirements to enter into the draw/promotion and, where applicable, notifying you and delivering the prize if you are a winner).

We may also process the data to comply with our legal obligations in the event that you win and we are required to apply a tax withholding on the prize. Data will only be reported to the Spanish Tax Agency for tax purposes.

The lawful basis for this processing is:

Proper performance of the contract. Compliance with our contractual obligations to you when you accept the terms and conditions to participate in campaigns, promotions, or prize draws, or when you request to attend the corresponding event.
Legal obligation. Compliance with tax obligations.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data; information relating to your personal characteristics; employment data; economic, financial and insurance data; and data relating to transactions of goods and services.

4.8.14. Marketing

We will process your personal data for sending marketing. The scope and purposes of such processing, as well as the lawful basis and the categories of personal data processed, are described in more detail below:

4.8.14.1. Sending marketing about our own products and services, as well as those related to the contractual purpose, based on our legitimate interest and using profiles created from internal data sources (direct marketing) (automated decision-making)

Once you sign up to our Services, your personal data shall be used to send you marketing about Openbank products and services, including those you have already taken out (for example, information about our loans and credits or cards). Such marketing may be sent by automated and non-automated means (by mail, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time), and shall be relevant to you based on information obtained from our internal sources, from which we shall perform profiling according to your behavioural patterns.

The marketing referred to in this section includes advertisements that we shall display whenever you log in to Zinia, about functionalities, products and services that we think could be relevant to you based on the services you have signed up to.

The goal we pursue with the creation of these profiles is to be able to carry out an analysis related to your economic and personal characteristics, based solely on the search for information from internal sources, in order to determine which related products and services best suit your situation based on two variables: your willingness to take out the product and the probability of the transaction being approved.

The creation of the profile will result from an automated decision, in which the following logic will be applied: we will process the information you provide to determine your payment behaviour, the customer segment or segments to which you belong -according to our internal classification criteria and the periodic fulfilment of your contractual obligations. This activity may lead us to make a decision not to offer you certain products or services, depending on the risk that the bank estimates and the rating resulting from the analysis of the information obtained.

In addition, we will process your personal data to analyse your behaviour regarding the impact and success of our commercial campaigns.

If you wish, you may object to receiving this type of personalised advertising, following the instructions in section 11. However, please note that, in any case, you shall continue to receive generic advertisements that will not be based on your interests or preferences and, depending on your privacy preferences, you may also receive other types of advertising.

Likewise, as this processing is carried out based on automated decision-making, you have the right to request an explanation regarding the decision made, to exercise your right not to be subject to a decision based solely on automated processing, requesting the involvement of one of our analysts, to express your point of view on the decision made based on profiling, and to object to it.

The lawful basis for this processing is:

Our legitimate interest in promoting and offering our products and services, by sending general messages or messages adapted to your personal characteristics. Openbank’s main interest in carrying out this data processing is to maintain our relationship with you by offering new products and improving the terms and conditions of the products and/or services you have signed up to, and offering you information about Openbank and its products that could be relevant to you. We consider that the aforementioned data processing activities do not constitute an impediment to the normal exercise of your rights and freedoms, as they are considered normal practice within the business sector, so we understand that the receipt of this type of correspondence shall not be detrimental to your expectations. We also undertake to use the least harmful means to carry out such data processing activities.

Prior to sending marketing messages based on legitimate interest, a check will be carried out against the advertising exclusion systems Robinson List and the StopPublicidad List of the Spanish Association of Digital Economy (Adigital) to ensure that you have not expressed your opposition to receiving marketing.

The lawful basis for this processing is:

Legal obligation, in accordance with the provisions of Article 23.4 LOPDGDD.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data.

4.8.14.2. Sending marketing about our own products and services based on information obtained from and profiling with internal and external sources (automated decision).

As long as you have given us your express prior consent, we may send you relevant marketing about Openbank products and services (for example, marketing about our loans, credit or cards), while our contractual relationship remains valid. Such marketing may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and shall take into account the analysis of your Customer commercial profile.

The goal we pursue with the creation of these profiles is to be able to carry out an analysis related to your economic and personal characteristics, in order to determine which products marketed by this bank best suit your situation based on two variables: your willingness to take out the product and the probability of the transaction being approved.

This profile will be created from the analysis of your behavioural and risk patterns, from internal sources such as payment details, as well as the information obtained from external sources.

The profile shall be created through an automated decision, in which the following logic shall be applied. We shall process the information you provide to determine your payment behaviour, the customer segment or segments to which you belong—according to our internal classification criteria—and the periodic fulfilment of your contractual obligations. This activity may lead us to make a decision not to offer you certain products or services, depending on the risk we estimate and the rating determined following analysis of the information obtained.

It is important that you understand that this data processing activity is limited to the aforementioned purpose, which is to recommend Openbank products and services to you based on data obtained from internal and external sources.

The lawful basis for this processing is:

Your prior informed consent. You can withdraw the consent provided to Openbank at any time through the channels provided for in section 11 of this Privacy Policy.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data; economic, financial, and insurance data; commercial data; data on the goods and services acquired; information relating to your personal characteristics; employment data; unique identifiers; as well as data on transactions, creditworthiness, and potential delinquency, and geographic data obtained from the following external sources: ASNEF and BADEXCUG databases, digital maps of Here Global B.V., OpenStreetMap.

4.8.14.3. Sending marketing about third-party products and services based on profiling with internal and external sources (automated decision).

Provided you have given us your prior express consent, Openbank may send you relevant marketing about third-party products and services (for example, marketing about promotions or discounts offered by such third parties). Such marketing may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and shall take into account the analysis of your Customer commercial profile.

The marketing referred to in this section includes advertisements that we shall display whenever you log in to Zinia, about functionalities, products and services offered by third-party companies. If you wish, you may object to receiving this type of personalised advertising, following the instructions in section 11. However, please note that, in any case, you shall continue to receive generic advertisements that will not be based on your interests or preferences and, depending on your privacy preferences, you may also receive other types of advertising.

With regard to third-party companies from which we shall send you marketing about products and services, please note that such companies carry out their business activity in – but not limited to – the following sectors: financial, insurance, leisure and tourism, entertainment, telecommunications, information society, retail, luxury, health, food and beverage, automotive, hospitality, department stores, energy, real estate and security services, among others.

The goal we pursue with the creation of these profiles is to be able to carry out an analysis related to your economic and personal characteristics, in order to determine which products marketed by such third-party companies best suit your situation based on two variables: your willingness to take out the product and the probability of the transaction being approved.

This profile shall be created from analysing your behavioural and risk patterns. So, for example, if the information we have about you shows that you are interested in technology products, we shall send you marketing about products offered by companies in this sector. We also use other internal sources, such as payment details, as well as information obtained from external sources.

The profile shall be created through an automated decision, in which the following logic shall be applied. We shall process the information you provide to determine your payment behaviour, the customer segment or segments to which you belong—according to our internal classification criteria—and the periodic fulfilment of your contractual obligations. This activity may lead us to make a decision not to offer you certain products or services, depending on the risk we estimate and the rating determined following analysis of the information obtained.

It is important that you understand that this data processing activity is limited to the aforementioned purpose, which is to recommend third-party products and services to you.

The lawful basis of this data processing is obtaining your prior informed consent. You can withdraw the consent provided to Openbank at any time through the channels provided for in section 11 of this Privacy Policy.

The sources from which we shall obtain the data, as well as the categories of personal data we collect from such sources, are listed in section 3. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we shall also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

4.8.14.4. Transferring data to other companies of the Santander Group for sending marketing and promotional offers about their products and services.

Provided that you have given us your prior express consent, Openbank may transfer your personal data to other companies of the Santander Group in order to allow them to offer you their products and services that could be relevant to you.

The companies to which we may transfer your personal data are those of the Santander Group (in accordance with Article 42 of the Commercial Code).

Such marketing may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and shall take into account the analysis of your Customer commercial profile, based on the information provided to such third parties.

This profile shall be created from analysing your behavioural and risk patterns, other internal sources such as payment details, as well as information obtained from external sources.

It is important that you understand that this data processing is limited to the aforementioned purpose, which is to transfer your personal data to other companies of the Santander Group so that they can offer you other products and services of the Santander Group.

4.8.15. Handling legal claims, requests from competent authorities, and safeguarding Openbank’s legal rights

We will process the personal data necessary to: (i) assist you or persons acting on your behalf in exercising your rights; (ii) manage and respond to requests from competent authorities and bodies (both judicial and extrajudicial), such as information requests in the course of judicial investigations; and (iii) assert and exercise our own defence in response to claims—whether in or out of court—initiated by Openbank or by you.

The lawful basis for this processing is:

Legal obligation. Specifically, these include the various obligations to respond to requests from competent authorities, resolve claims from data subjects in accordance with Regulation (EU) No. 524/2013 of the European Parliament and of the Council of 21 May 2013, on dispute resolution and comply with regulations governing the transparency of banking operations and customer protection, as well as personal data protection legislation, among others.
Our legitimate interest in responding to different legal, administrative or judicial claims, processing them and exercising any legal action we deem appropriate, as well as defending us from those that could be directed against the company, per our right to effective judicial protection.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data; economic, financial, and insurance data; and any data necessary to resolve the claim submitted or respond to the request from the competent authority.

4.8.16. Audits and verification of compliance

We will process your data related to the performance of the internally implemented compliance verification controls, as well as in the context of different audits.

The lawful basis for this processing is:

Legal obligation. Such as auditing accounts.
Our legitimate interest in verifying the suitability of our processes, in order to comply with legal obligations and internal quality standards for the identification, control and mitigation of legal or operational risks.

Please note that this information may be accessed by third parties providing the audit service for these purposes.

The categories of personal data that Openbank will process include all personal data to which it has access.

4.8.17. Complaints channel

Openbank will process your personal data for the purpose of investigating the matters brought to our attention through the internal complaints channel. The lawful basis for this processing is:

Compliance with a legal obligation, set out in Law 2/2023, of 20 February, regulating the protection of individuals reporting regulatory violations and combating corruption.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data; information relating to your personal characteristics; data on social circumstances; sensitive data; academic and professional data; employment data; economic, financial, and insurance data; and any other information made available to us that is necessary for the investigation.

4.8.18. Wills, bankruptcy proceedings, and acceptance of powers of attorney

Whether you are a customer or not, we will process your personal data for the following purposes: (i) to handle probate matters at Openbank (managing the issuance of certificates of position and the request for change of ownership of positions due to succession); (ii) to take the necessary measures if a customer is in bankruptcy proceedings; and (iii) to validate any powers of attorney you have submitted and manage the request to which they are attached.

The lawful basis for this processing is:

Proper performance of the contract. To process and complete the requests you submit.
Our legitimate interest in understanding the customer’s financial situation and taking appropriate measures.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data; and economic, financial, and insurance data.

4.8.19. Custody of documentation and correspondence

We will process your personal data to safeguard any documents and exchanges of information necessary to establish or maintain the contractual relationship, to provide you with the relevant services, as well as for any request you may make, even if you are not our customer. For example, as a legal requirement, we will retain the contract you sign with us for the applicable period.

The lawful basis for this processing is:

Proper performance of the contract. Applying, where requested by you, pre-contractual measures and executing and fulfilling our contractual obligations in relation to the product you take out with Openbank.
Legal obligation. In particular, Openbank will carry out this processing to comply with the legal obligations applicable to banks, among others.

The categories of personal data that Openbank will process to carry out the purpose described above are as follows: identifying data; and economic, financial, and insurance data.

5. Use of cookies

At Openbank, we use cookies and trackers, among others, to remember who you are when you access your Customer Area or for analytical purposes.

When you visit the Zinia website or app, we will inform you about the cookies or similar technologies we use. You can manage analytical cookies, behavioural advertising cookies, and those used for product development and enhancement while browsing Zinia or using our app. You can consult our Website Cookie Policy or App Cookie Policy for more information.

6. How long are your data stored?

At Openbank, we will keep your data as long as is required for the purpose for which your data was collected and, subsequently, we will keep it blocked for the legally-established retention periods or statutory limitation periods. Once, if applicable, these periods have elapsed, we will proceed with the destruction or complete anonymisation of the data.

Blocking means that Openbank will not carry out any data processing other than retaining the data for the purpose of making it available to the competent public authorities, judges and courts, or the Public Prosecutor; and for addressing any potential liabilities arising from the contractual relationship with you or related to the processing of the data.

In particular, if you are a customer, we will process your data for as long as you maintain the contractual relationship with us. Once this relationship has ended, as a general rule, we will keep your personal data blocked. Please note that some actions provided for under consumer law, such as the action for cessation or the action for a declaration of nullity, are not subject to limitation periods.

For applications that you carry out that do not lead to establishing a contractual relationship, we will keep your data for the amount of time we deem reasonable, to avoid duplicating your steps and in the event we have to defend ourselves against any claim for any use we made of your data. We will then proceed to delete the data.

Openbank may disclose your personal data to the following recipients based on our legitimate interests, the legal obligations with which we are required to comply and/or the products you have taken out:

Amazon: in connection with the request and use of the Service, Openbank will exchange personal data with Amazon, as stated in section 4 of this Policy. This includes the exchange of data between Openbank and Amazon necessary for establishing the agreement for the provision of the Service, and for communicating the approval of the Service request to Amazon so that the sale and purchase of products can be managed. Amazon will also act as a data processor on behalf of Openbank for part of the process, during which it will follow our instructions.
We will share your personal data with the competent public authorities, official bodies, banking and financial supervisory and regulatory bodies, and tax authorities that require it, in order to comply with the regulations applicable at any given time in the banking and financial sector, legislation on anti-money laundering and counter-terrorism financing, and consumer protection laws, as described in section 4.8.3 of the Policy.
In the event of non-payment, we will send the data to credit default files (ASNEF Database and the BADEXCUG Database), complying with the procedures and guarantees established at all times and recognised by current legislation, as described in section 4.8.3. of the Policy.
We will share your data with companies within the Santander Group (within the meaning of Article 42 of the Commercial Code) to comply with their internal regulations on financial crime prevention, their legal obligations for anti-money laundering, and regulatory reporting to supervisory authorities, as described in section 4.8.3 of the Policy.
We will share your data with LexisNexis Risk Solutions (Europe) Limited y Confirma Sistemas de Información, S.L., in order to detect and prevent potential fraud attempts, complying with and respecting the procedures, rights and guarantees that the legislation in force establishes and grants you at all times.
Similarly, at Openbank we work with third-party service providers who may have access to your personal data, but will process it on our behalf and under our instructions as data processors, always in accordance with our directions and solely for the purpose of providing the services that we may have engaged from them in each case.

Specifically, at Openbank we engage third-party service providers working in, but not limited to, the following sectors: logistics services, legal advisory services, supplier certification, multidisciplinary professional services firms, hosting companies, maintenance-related companies, technology service providers, IT service providers, physical security companies, instant messaging service providers, infrastructure management and maintenance companies, call centre service providers, and monitoring companies.

In any case, Openbank follows strict criteria for the selection of third-party service providers in order to comply with our data protection obligations, and we undertake to enter into the corresponding data processing contract with them, imposing, inter alia, the following obligations: to implement appropriate technical and organisational measures, to process personal data for the agreed purposes and in accordance with our documented instructions only, and to delete or return the data to us upon completion of the services.

8. International data transfers

We transfer your data internationally only within the framework of some of the above-mentioned services by third-party providers.

The purpose thereof will always be the maintenance and management of the contractual relationship you have with us or the prevention of fraudulent actions or transactions.

These transfers are made both to countries that offer an adequate level of protection, comparable to that of the European Union, and also to countries without such a level. In the latter case, you do not have to worry. Openbank uses various mechanisms established by regulations to comply with all guarantees when dealing with your personal data, such as standard contractual clauses or certification mechanisms.

You can consult the international data transfers we carry out, either directly or through the subcontracting of some of our providers, here, or by writing to privacidad.es@zinia.com.

9. Obligation to disclose personal data

Please note that the data marked as “mandatory” in each form are required for the proper establishment or performance of your pre-contractual or contractual relationship with Openbank. As such, failure to provide this data will prevent us from being able to accept your application or provide you with our services.

10. Are automated decisions made?

Openbank will make automated decisions in accordance with Article 22 of the GDPR in the processes described in section 4 of the Policy.

Please remember that, in such cases, you have the right to request an explanation of the decision made, to exercise your right not to be subject to solely automated decisions by requesting the intervention of one of our analysts, to express your viewpoint regarding the decision based on profiling, and to challenge it. You may submit any additional documentation you consider necessary for this purpose.

11. What are your rights regarding the processing of your personal data?

You have and can exercise the following rights:

Right of access: you have the right to obtain confirmation as to whether Openbank is processing personal data concerning you, and, if so, to access that data.
Right to data portability: you have the right to receive the personal data you have provided to us in a commonly used and readable, structured format and to transfer them to another bank.
Right to rectification: you have the right to request data rectification when inaccuracies are detected.
Right to erasure: you may request the erasure of data when, amongst other reasons, it is no longer necessary for the purposes for which you provided such data.
Right to object: in certain circumstances, you may object to certain processing of your personal data (such as objecting to marketing carried out by electronic means). In such a case, Openbank will immediately cease such data processing, in accordance with the applicable regulations.
Right to restrict processing: in certain circumstances established by current data protection regulations, you may request a restriction on the processing of your data.
Right to withdraw your consent: you can withdraw any consent you have given at any time. Withdrawal of consent will not affect the lawfulness of the processing based on the consent prior to its withdrawal.
Right not to be subject to a decision based solely on automated processing: if you have authorised profiling and it is carried out entirely by an automated procedure, you may request the personal involvement of one of our analysts, express your point of view and challenge decisions based on such profiles. You may submit any additional documentation you consider necessary for this purpose.

You may exercise the above-mentioned rights through the following channels:

Website: from the “Personal details” section of your customer profile.
Email address: es@zinia.com
Postal address: “Open Bank, S.A.”, Plaza de Santa Bárbara, 2, 28004, Madrid.
Contact Centre: 910 87 02 75.

Finally, you may file a claim with Openbank and/or the Spanish Data Protection Agency (as the Supervisory Authority responsible for data protection), especially when you are not satisfied with the exercising of your rights, by writing to the address above, if writing to Openbank, or to C/ Jorge Juan, 6. 28001 – Madrid, if writing to the Spanish Data Protection Agency; or through the website at www.aepd.es.

12. Do you need to keep your data up to date?

In order to be able to communicate with you properly, as well as be able to correctly provide you with the services you have engaged, you undertake to ensure that all the information you provide us with is correct, complete, exact and duly updated, assuming any liability that may arise from having provided us with incorrect, erroneous or inaccurate information.

Therefore, if you change any of the personal details you have given us, especially your postal address, email address and contact telephone numbers (landline and mobile), please inform us as soon as possible by calling the Contact Centre: +34 910 870 275, updating your information directly in your “Personal details” section of your Openbank profile or emailing us at es@zinia.com. In some cases, we may need to ask you for some additional documentation or proof.

In the event that you do not inform us of these possible changes, you assume that the correspondence we have sent to your postal or email address, as well as to the contact telephone numbers in our files, must be considered valid, binding and fully effective.

13. Adherence to codes of conduct

Openbank is a member of the Code of Conduct for Data Protection in Advertising Activities of the Association for the Self-Regulation of Marketing (hereinafter, “SELF-REGULATION”), accredited by the Spanish Data Protection Agency and, therefore, is subject to its extrajudicial complaint resolution system for matters related to data protection and advertising, available to interested parties here. Please note that the language of mediation is Spanish and, in exceptional cases, English.

14. Changes to the Privacy Policy

At Openbank, we are committed to keeping this Privacy Policy up to date in order to collect any new information that may arise in relation to the scope of the processing that we carry out on your personal data. For this reason, it is important that you regularly spend time reading and making sure you understand it. Any significant changes we may need to make will be notified to you in advance through the most appropriate channels, such as our website or app, a personalised message in your Customer Area, or your personal email address, ensuring that you can stay fully informed at all times.

V202501

You can download this Privacy Policy here.

Índice

1. Introduction and scope of application

2. Who is the Data Controller?

3. What information do we collect from you and how do we obtain it?

4. Data processing activities we carry out

5. How long do we keep your personal data for?

6. Who will your personal data be shared with?

7. Your data protection rights

8. Keeping your data up to date

9. Use of cookies

10. Amendments to the Privacy Policy

Last updated: December 2023

1. Introduction and scope of application

The purpose of this privacy policy (hereinafter, the "Privacy Policy" or the "Policy"), in accordance with Regulation (EU) 679/2016 of 27 April 2016, approving the General Data Protection Regulation (hereinafter, the "GDPR"), Organic Law 3/2018 of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, the “LOPDGDD”), and other applicable implementing data protection legislation, is to regulate and provide information about the processing carried out by Open Bank, S.A., (hereinafter “Openbank” or “we”) of personal data of customers (hereinafter, “you” or the “Customer”) when, upon purchasing from a merchant, they use any of the services managed by Openbank under its registered trademark “Zinia” (hereinafter, the “Service”).

This Policy provides you with information about the categories of personal data we process, the means by which we obtain your personal data, the purposes for which we collect and process your personal data, the legitimate basis for such processing, the data recipients, the applicable data retention periods and the rights granted to you by the regulations in relation to your personal data.

Please take a few minutes to read and properly understand its contents. If you have any questions, please contact our Data Protection Officer, whose contact details can be found below.

2. Who is the Data Controller?

“Open Bank, S.A.”, operating through its registered trademark, Zinia.

Business address: Plaza de Santa Bárbara, 2, 28004 Madrid, Spain.

Email address for contacting the Data Protection Officer: privacidad.es@zinia.com.

3. What information do we collect from you and how do we obtain it?

We process the categories of personal data listed below. The data we indicate in each of the forms as "mandatory" are necessary for the proper undertaking of your relationship with Openbank. If we do not receive this information, we will not be able to process your request or provide you with the Service.

Contact and identification details: first name and surname, invoicing and delivery address, mobile phone number, fingerprints, email address, and country of residence.
Economic, financial and insurance data: data related to the price of the products you purchase, data related to the payment of your purchase (such as bank account, bank name and branch, debit card number), data related to arrears, solvency and debt history, as well as to orders pending payment, and information about negative payment history and previous credit approvals.
Data on the goods and services purchased: data related to the product you purchase, such as the item, model, price, and tracking number.
Device data: IP address, language settings, browser settings, time zone, operating system, platform, screen resolution, login via the different devices you use and other similar device settings.
Personal details: date of birth, age, sex and nationality.
Unique identifiers: data collected from the cookie ID, device ID, recorded voice calls, chat conversations and email correspondence.
Employment data: position and contact details of contact persons acting as legal representatives of the businesses we collaborate with.
Special categories of personal data: data that reveals health information and information related to sanctions lists.
Data about politically exposed persons and sanction lists: sanction and PEP lists contain information such as the name, date of birth, place of birth, occupation or position of a person included on the respective list as well as why he or she features on it.

In addition to the data you provide us with directly, for example, through the various forms for requesting information, we will also process other data relating to you that we may obtain from our internal sources, such as:

The personal data that we obtain from the contractual relationship we have with you with respect to the provision of the Services.
The personal data we obtain as a result of your interaction through our website or our app.
The inferred data that we deduce or obtain from the data you have previously provided us with (when we create profiles).
Given that Zinia and Openbank are, in fact, the same data controller, the personal data related to you that we may obtain in the context of a contractual relationship that you maintain with Openbank, apart from the Services that we provide to you under the trademark, Zinia.

Similarly, as explained in more detail below, we shall process additional data about you that we obtain from the external or publicly available sources listed below, complying with the procedures, rights and guarantees established at all times by the laws in force:

Business where you make your purchase.
Public Administration bodies, such as the Ministry of Finance or the Bank of Spain. In this case, the data obtained will be purely statistical in nature.
Publicly available sources, such as public registries (for example, the Spanish National Statistics Institute, the Trade Registry and the Cadastre). In this case, the data obtained will also be purely statistical in nature.
Credit reference files, such as the database of Asnef-Equifax Servicios de Información sobre Solvencia y Crédito, S.L. (hereinafter, the “ASNEF Database”) and that of Experian Bureau de Crédito, S.A. (hereinafter, the “BADEXCUG Database”); and credit reference files such as the Central Credit Register of the Bank of Spain (Central de Información de Riesgos del Banco de España, CIRBE) (hereinafter, “CIRBE”).
Fraudulent data detection databases, such as the database of Confirma Sistemas de Información, S.L. (hereinafter, the “CONFIRMA Database”) and the database of Emailage Ltd. (hereinafter, the “EMAILAGE Database”).
Third-party companies to which you have given your consent for the transfer of your data to Openbank, or which otherwise lawfully transfer your data in accordance with the laws in force.

4. Data processing activities we carry out

	Processing of personal data	Purposes of the data processing activity. What we do and why	Categories of personal data processed	Legal basis for the data processing	Termination of the data processing purpose
1	User/Customer registration management	Managing customer interactions in accordance with the terms and conditions of the Service, including registration and communication of relevant information	Internal sources: Contact and identification details. External sources: (i) Business where you purchase the product. In particular, the categories of data we obtain from the aforementioned external source are: (a) Financial and insurance data. (b) Information on goods and services transactions.	Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.	When the contractual relationship with us ends.
2	Verifying the Customer’s identity when requesting a transaction See Section 4.1 for more information.	Confirmation of your identity and verification that the details you have provided us with are correct. We also aim to prevent criminal activity.	Internal sources: Contact and identification details.	Legal obligation of Article 5 of the GDPR (principle of transparency), according to Article 6.1 c) of the GDPR.	When we validate the data.
3	Conducting a risk analysis on fraud prevention and detection See Section 4.2 for more information.	Analysis of potentially fraudulent activities in the context of Customer registration management in order to prevent potential fraudulent requests, for the duration of the relationship with Openbank (involves automated decision-making).	Internal sources: Contact and identification details. Personal details. Financial and insurance data. Device data. Unique identifiers. External sources: (i) Business where you purchase the product. (ii) Fraud detection databases during registration: CONFIRMA Database and EMAILAGE Database. In particular, the categories of data we obtain from the aforementioned external sources are: (a) Information on goods and services transactions. (b) EMAILAGE Database. We shall process your email address and IP address using the service provided by Emailage Ltd. in order to generate a fraud risk score. Accordingly, Emailage Ltd. checks and evaluates the data points provided against the associated metadata (email data, IP geolocation data) and previous customer queries and fraud indicators sent to the global fraud network of Emailage Ltd. Using our fraud risk score along with other checks we may perform, we may assess the risk associated with the request or transaction and make decisions in an effort to detect and prevent fraud. (c) CONFIRMA Database. We receive information that allows us to generate alerts and indicators to prevent possible fraudulent activities linked to the transactions, for further analysis.	Our legitimate interest in preventing fraudulent activities and the protection of existing Customers and their business, as well as society, by preventing and combating potential crimes such as identity theft, in accordance with Article 6.1 f) of the GDPR.	Upon completing the fraud detection analysis and at the end of the contractual relationship with us.
4	Transferring data to third parties for fraud prevention purposes See Sections 4.2 and 6 for more information.	Transfer of Customer data to the following third parties to detect and prevent potential fraud attempts, complying with and respecting the procedures, rights and safeguards established and recognised at all times by the laws in force. (i) EMAILAGE Database. Emailage Ltd., established in the United Kingdom, also acts as data controller when processing your personal data. It shall use your personal data for the purposes set out in its privacy policy. You can exercise your data protection rights with Emailage Ltd. at DPO@lexisnexisrisk.com. (ii) CONFIRMA Database. We shall send your data to the CONFIRMA Database with which we are associated. CONFIRMA acts as data processor, while all other entities associated with the CONFIRMA Database act as joint data controllers. You can contact the data protection officer for data protection requests associated with the CONFIRMA Database at: dpo@confirmasistemas.es.	Internal sources: Contact and identification details. Financial and insurance data. External sources: (i) EMAILAGE Database. (ii) CONFIRMA Database.	Our legitimate interest in preventing fraudulent activities and the protection of existing Customers and their business, according to Article 6.1 f) of the GDPR.	When the transfer is made to the third party.
5	Data transfer to other Santander Group companies in order to send marketing See Section 4.4 for more information.	Transfer of Customer data to other Santander Group companies (according to the definition of the group of companies as provided for in Article 42 of the Commercial Code), so that such companies can send you marketing about their products and services through different channels (including electronic channels).	Internal sources: Contact and identification details. Financial and insurance data. Information on goods and services transactions.	Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.	When consent is withdrawn.
6	Addressing queries and exercising data protection rights	Handling, managing and resolving requests relating to customers, data subjects and other data controllers exercising their GDPR rights, as well as complaints submitted directly by the data subject to Openbank or through the corresponding supervisory authorities.	Internal sources: Contact and identification details. Financial and insurance data. Information on goods and services transactions. Commercial data.	Our legal obligation, as data controllers, to comply with the obligations established in Articles 15 to 22 of the GDPR, in accordance with Article 6.1 c) of the GDPR.	When the exercise of rights is fulfilled.
7	Debt collection	Managing the collection of Customer debts taken out by the Customer with us.	Internal sources: Contact and identification details. Financial and insurance data.	Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.	When the debt taken out with us is repaid.
8	Portfolio sale See Section 6 for more information.	Selling the debt portfolio of Openbank Customers to third-party companies in order to obtain a benefit from debt defaults.	Internal sources: Contact and identification details. Financial and insurance data. Information on goods and services transactions.	Legitimate interest of Openbank in managing the debt portfolio of Customers and selling it to third parties in order to obtain a financial benefit, as per Article 6.1(f) GDPR	When we transfer the outstanding debt to external companies.
9	Processing of financial data	Maintenance of accounting and administrative procedures provided for in the accounting regulations and to comply with the applicable laws in force. Generation of reports and/or communications on personal data to the different supervisory bodies (Bank of Spain). Archiving and accounting in accordance with the accounting regulations.	Internal sources: Contact and identification details. Financial and insurance data.	In complying with our legal obligation to keep accounting and administrative records, and to comply with the reporting obligations with the corresponding financial supervisory and anti-money laundering authorities (Law 44/2002 of the Financial System; and Law 10/2010 on the prevention of money laundering and terrorist financing), according to Article 6.1 c) of the GDPR.	When the contractual relationship with us ends.
10	Transfer of data by the business where the Customer makes their purchase to Openbank See Section 4.3 for more information.	Transfer of information by the business where the Customer purchases the product.	External sources: (i) Business where you purchase the product. In particular, the categories of data we obtain from the aforementioned external source are: (a) Contact and identification details. (b) Financial and insurance data. (c) Information on goods and services transactions.	Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.	When the purchase is made.
11	Customer email validation	Confirmation of the email provided by the Customer and verification of whether the data provided is correct, as well as to ensure the quality of the data.	Internal sources: Contact and identification details.	Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.	After completing the validation.
12	Sending alerts for fraud prevention purposes	Sending alerts to verify your identity or to prevent attempted fraud or detected fraudulent activities, during the purchasing process and also after you have completed the purchasing process, and provided you are our Customer.	Internal sources: Contact and identification details. Personal details. Financial and insurance data.	Our legitimate interest in preventing fraudulent activities and the protection of existing Customers and their business, according to Article 6.1 f) of the GDPR.	When the contractual relationship with us ends.
13	Satisfaction surveys and market research	Calls to Customers to conduct satisfaction and other surveys, market research and internal statistics to prepare commercial reports to better understand the consumption habits of our Customers; thereby allowing us to internally assess the design, creation and improvement of new products that may be of interest to our Customers or to reach commercial agreements with third parties.	Internal sources: Contact and identification details. Financial and insurance data. Unique identifiers.	Our legitimate interest in using data obtained through surveys, market research, compiling internal statistics or business reports to improve our products and the provision of services to Customers, according to Article 6.1.f) of the GDPR.	After completing the survey or market research.
14	Guaranteeing network and information security	Guaranteeing the security of the network and information of Openbank. Processing is necessary to achieve the specific purpose. The legitimate interest prevails over the Customer’s right to object.	Internal sources: Contact and identification details. Financial and insurance data. Unique identifiers.	Our legitimate interest in protecting our own network and information security system to protect our business and services, according to Article 6.1 f) of the GDPR.	When the contractual relationship with us ends.
15	Processing data of vulnerable Customers	Only if you have asked us to do so and based on your prior informed consent, we will process data relating to your disability or situation of vulnerability in order to provide you with the Service adapted to your personal needs and circumstances. For example, if you have a hearing or visual impairment, we can arrange for special assistance if so required.	Internal sources: Contact and identification details. Special categories of personal data. Financial and insurance data.	Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.	When the contractual relationship with us ends or when you withdraw your consent.
16	Anonymisation of personal data	Anonymisation of your personal data to improve our services and products and analyse consumer behaviour, generate statistics and reports for economic analysis, or the analysis of trends or payment volumes in certain regions or certain industries, and for product development and testing, to improve our risk and credit models, as well as to design our Services. If possible, we shall first anonymise the data before carrying out such activities, to ensure that no personal data shall be processed later.	Internal sources: Contact and identification details. Financial and insurance data. Commercial data. Information on goods and services transactions. Personal details. Employment data. Unique identifiers.	Our legitimate interest in the use of anonymised Customer data to improve our products and the provision of Services to Customers, according to Article 6.1 f) of the GDPR.	When the contractual relationship with us ends.
17	Profiling with internal data to understand which of the Openbank products and services could be of interest to you, and then offering and sending marketing about such products and services See Section 4.4 for more information.	Analysis and profiling related to your financial and personal characteristics, based solely on the consultation of information from internal sources, based on customer segmentation, in order to determine which of our products and services best suit you or your interests, so that we can later offer you those products and services and send you related marketing.	Internal sources: Contact and identification details. Financial and insurance data. Commercial data. Information on goods and services purchased. Personal details. Employment data. Unique identifiers.	Our legitimate interest in keeping our Customers informed about products and services that could be of interest to them based on products and services previously taken out, according to Article 6.1.f) of the GDPR.	When the contractual relationship with us ends.
18	Profiling with internal, external and publicly available data to determine which third-party products and services could be of interest to you, and then sending marketing about such products and services See Section 4.4 for more information.	Analysis and profiling related to your financial and personal characteristics, based on data obtained from internal, external and publicly available sources, in order to determine which of our third-party products and services best suit you, so that we can later send you marketing related to those products and services.	Internal sources: Contact and identification details. Financial and insurance data. Commercial data. Information on goods and services purchased. Personal details. Employment details. Unique identifiers. External sources: (i) OpenStreetMap. (ii) HERE Global, B.V. digital maps In particular, the categories of data we obtain from the aforementioned external sources are: (a) Information related to geographic data, such as street maps.	Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.	When consent is withdrawn.
19	Profiling with internal and external data and publicly available data to analyse the pre-approval of Openbank products, and sending marketing	At Openbank’s discretion, profiling data subjects based on data obtained from internal, external and publicly available sources, to analyse the potential pre-approval of products and then send marketing	Internal sources: Contact and identification details. Financial and insurance data. Commercial data. Personal details. Employment data. Unique identifiers. External sources: (i) Business where you purchase the product. (ii) Credit reference files: ASNEF Database and BADEXCUG Database. (iii) HERE Global, B.V. digital maps (iv) OpenStreetMap. In particular, the categories of data we obtain from the aforementioned external sources are: (a) Information on goods and services transactions. (b) Information on creditworthiness and potential default. (c) Information related to geographic data, such as street maps.	Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.	When the contractual relationship with us ends or consent is withdrawn.
20	Legal, administrative, and judicial claims	Processing of claims relating to the Service provided.	Internal sources: Contact and identification details. Financial and insurance data.	Legal obligation, according to 6.1 c) of the GDPR.	When the claim has been processed.
21	Customer service helpline	Handling of calls made to the Customer care service and the management and resolution of queries it receives.	Internal sources: Contact and identification details. Financial and insurance data. Unique identifiers. Commercial data.	Legal obligations established under Law 44/2002 on the financial system and Order ECO/734/2004, of 11 March, regulating customer services of banking institutions, according to Article 6.1 c) of the GDPR.	When the call has been handled.
22	Legal/contractual communications	Sending communications to Customers in order to provide accurate and updated information regarding their relationship, such as amendments to the Terms and Conditions or the Privacy Policy, account closing, refund, payment letters	Internal sources: Contact and identification details. Financial and insurance data.	Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR. Legal obligation to keep our Customers informed of any amendments to the Terms and Conditions governing the Services as well as to this Privacy Policy, according to Article 6.1 c) of the GDPR.	When the contractual relationship with us ends.
23	Approving the Customer’s registration via a creditworthiness check See Sections 4.3 and 6 for more information.	Creditworthiness check of the prospective Customer, based on fully automated decisions, in order to approve the provision of the Service.	Internal sources: Contact and identification details. Financial and insurance data. External sources: (i) Business where you purchase the product. (ii) Credit reference files: ASNEF Database and BADEXCUG Database. (iii) Mosaic (statistical database of the provider company Experian Bureau de Crédito, S.A. containing statistical geo-domicile information). (iv) Public registries such as the Spanish National Statistics Institute (2011 Census and 2021 Household Budget Survey), the Trade Registry (Official Gazette of the Trade Registry) and the Cadastre. The Cadastre is a Spanish database containing information on urban real property throughout the territory of Spain. In this section, we refer to the Cadastre as the aggregate of the national land registry of Spain and that of the autonomous communities (Navarre, Biscay, Guipuzcoa and Álava). The unprotected information of the Cadastre, that is, the graphic and alphanumeric information on real property – other than the identification details and domicile of the owners, and the cadastral values – is publicly available (Articles 51 and 52 of Royal Legislative Decree 1/2004, of 5 March, approving the consolidated text of the Law on the Real Property Cadastre). The General Directorate of the Cadastre makes this information publicly available under the principles of the Law on re-use of public sector information. (v) Bank of Spain (Survey of Household Finances – Data published in 2020). This information is publicly available under Law 37/2007, of 16 November, on re-use of public sector information, and its implementing regulations. (vi) Fichero de Camerdata, S.A., from the census prepared by the Spanish Chamber of Commerce. (vii) HERE Global, B.V. digital maps (viii) Surveys with anonymised information conducted by market research companies, such as those of the AIMC (Asociación para la Investigación de Medios de Comunicación [Partnership for Media Research]), namely AIMC Marcas [AIMC Brands] or the EGM (Estudio General de Medios [General Media Study]). (ix) Real property portals (such as Idealista or Fotocasa). (x) Global interconnected network of mobile phone operators (3G Telecommunications Ltd). In particular, the categories of data we obtain from the aforementioned external sources are: (a) Information on goods and services transactions. (b) Information on creditworthiness and potential default. (c) Information associated with postal addresses (for example, geo-domicile and socio-demographic information; property characteristics; information about the environment; urban variables; nearby points of interest). (d) Statistical data on banking and insurance products taken out by families based on their income type and level. (e) Consumer profiles. (f) Statistical data obtained from the real property offers. (g) Validation of mobile phone numbers and technical metadata associated with such numbers (for example, whether or not the number is active; country in which the number was originally registered).	Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.	When the contractual relationship with us ends.
24	Debt repayment	Management of debt repayment by the Customer, depending on the arrangement chosen.	Internal sources: Contact and identification details. Financial and insurance data.	Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.	When the Customer repays the debt.
25	Call recording	Recording and safekeeping of telephone calls and messages on different media provided for this purpose.	Internal sources: Contact and identification details.	Our legitimate interest in voice recording is to be able to audit the quality of our Services and thus improve them and respond to information requests from the competent authorities or use the recordings as evidence in court, according to Article 6.1 f) of the GDPR.	When the call ends.
26	Quality and service metrics	Calculation of quality indicators to better understand the level of quality offered during the provision of the Services and thus be able to internally evaluate the quality standards and improvements that should be applied.	Internal sources: Contact and identification details. Financial and insurance data. Unique identifiers. Commercial data.	Our legitimate interest in measuring our quality standards to improve our products and the provision of Services to Customers, according to Article 6.1 f) of the GDPR.	When the contractual relationship with us ends.
27	Claims related to the products acquired	Management of your complaints relating to the product acquired, as well as coordinating complaints with the business where you made your purchase.	Internal sources: Contact and identification details. Financial and insurance data. Information on goods and services transactions. External sources: (i) Business where you purchase the product. In particular, the categories of data we obtain from the aforementioned external source are: (a) Information on goods and services transactions.	Legal obligation to address and process claims received from Customers, according to Article 6.1 c) of the GDPR.	When the claim has been processed.
28	External audit	Verification of compliance with the applicable regulations regarding external audits. Processing of Customer data for audit samples.	Internal sources: Contact and identification details. Financial and insurance data.	Legal obligation, according to article 6.1 c) of the GDPR. External companies that provide the audit service could require access to this information for the aforementioned purposes.	Upon completion of the external audit.
29	Internal audit	Verification of compliance with the applicable regulations and our internal policies. Its execution may require testing involving access to the Customer’s databases.	Internal sources: Contact and identification details. Financial and insurance data.	Our legitimate interest in verifying the suitability and adaptation of our processes, in order to comply with the legal obligations and internal quality standards for the identification, control and mitigation of legal or operational risks, according to Article 6.1 f) of the GDPR.	Upon completion of the compliance control or audit.
30	Responding to your requests on social media and social media analytics See Section 6 for more information.	Response to requests sent to us by Customers through our social media platforms and analysis of their interactions with Zinia on such platforms by monitoring behaviour through listening, classifying, linking and tracking. For social media analytics, we transfer Customer data to the United States.	Internal sources: Contact and identification details. Unique identifiers.	Our legitimate interest in effectively managing requests sent to us by Customers on social media, as well as providing the Services simply and efficiently, and adapting our products to meet their needs and expectations, according to Article 6.1 f) of the GDPR.	When the request is resolved.
31	Prize draws and competitions	Data collection from competitions, prize draws and cultural offers, among others, to carry out commercial activities.	Internal sources: Contact and identification details.	Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.	When the competition has ended.
32	Reporting information to credit reference files See Section 6 for more information.	In the event you default during the contractual relationship with us, information about such default is reported to credit reference files.	Internal sources: Contact and identification details. Financial and insurance data. Information on goods and services transactions.	Our legitimate interest in preventing default situations that are detrimental to us, and adequately controlling them, as well as the legitimate right of external financial institutions to be duly informed of any default when processing new applications for financing, according to Article 20 of the LOPDGDD, all according to Article 6.1 f) of the GDPR.	When the debt has been repaid in full.
33	Reporting information to the Spanish Tax Agency (Agencia Estatal de Administración Tributaria, AEAT) (hereinafter, the “AEAT”)	Reporting required tax information to the AEAT.	Internal sources: Contact and identification details. Financial and insurance data. Information on goods and services transactions.	We carry out this processing in order to comply with our legal obligations, according to Article 6.1 c) of the GDPR.	When the contractual relationship with us ends.
34	Reporting information to CIRBE See Section 6 for more information.	Reporting banking transaction risks to CIRBE based on the number of transactions that you have requested, as well as the amounts associated with them, their recoverability and, if applicable, defaults such as payment arrears. The purpose of such reporting is to allow other banking institutions to consult CIRBE and, based on the information indicated there on the financial transactions of Customers and the risks inherent thereto, they may assess appropriateness as a customer in the event of any type of loan or financial product being requested.	Internal sources: Contact and identification details. Information on goods and services transactions.	In particular, we carry out this processing to comply with the legal obligations applicable to the financial system and, in particular, Law 44/2002 on Reform of the Financial System, according to Article 6.1 c) of the GDPR.	When the contractual relationship with us ends.
35	Consulting advertising opt-out systems	Use of the Adigital Robinson List Service when we send you marketing and we have not obtained your valid consent to do so, in order to no longer contact you if you are included in the List. See the Adigital Privacy Policy for more information.	Internal sources: Contact and identification details.	We carry out this processing to comply with the obligation of Article 23.4 of the LOPDGDD, provided that marketing is to be sent to recipients from whom consent has not been obtained, according to Article 6.1 c) of the GDPR.	When the contractual relationship with us ends.
36	Risk and behavioural model design and training See Section 4.5 for more information.	It is important that we have a solid understanding of the need for financial and banking products and services, as well as the creditworthiness and consumption habits of our Customers. Therefore, we carry out pseudonymisation and/or anonymisation procedures on the personal data that we use to design and train algorithms, allowing us to create different behavioural and risk models, which we shall then use to carry out profiling activities on active Customers.	Internal sources: Contact and identification details. Financial and insurance data. Information on goods and services transactions. External sources: (i) Spanish National Statistics Institute. (ii) Ministry of Finance. (iii) HERE Global, B.V. digital maps In particular, the categories of data we obtain from the aforementioned external sources are: (a) Income data based on the postcode corresponding to where you reside, obtained from the Spanish National Statistics Institute website, specifically using statistical data on household income. Information last updated: 2018 (b) The average disposable income and average default for your postcode (Ministry of Finance, last updated: 2018). (c) Information related to geographic data, such as street maps.	Our legitimate interest in designing, creating and offering innovative and efficient financial products and services to our Customers based on the different behavioural and risk models created by our algorithms, according to Article 6.1.f) of the GDPR.	After designing and training the models.
37	Monitoring of our correspondence with Customers for analytical purposes	Monitoring how Customers interact with the different correspondence we send them, in order to analyse how our Services function. Accordingly, if Customers receive an email from Zinia, we can find out if they have opened it, as well as other information associated with the email.	Internal sources: Contact and identification details. Metadata related to the correspondence sent, such as the time at which an email is opened.	Our legitimate interest in determining if Customers are interested in our correspondence, and whether we should improve it, or in understanding how we can improve our Customers’ experience through the different communication channels according to their needs and interests. For example, by analysing if they are more receptive through the telephone channel than by email, according to Article 6.1.f) of the GDPR.	When the contractual relationship with us ends.
38	Sending notifications via the Zinia website and app	Sending notifications via email, web push, SMS, the Zinia app and/or website for the following purposes: (i) To notify about certain circumstances that could occur with the Services signed up to (an example would be notifications about declined transactions). (ii) To send financial fraud prevention notifications and security alerts.	Internal sources: Contact and identification details.	Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR. Our legitimate interest in sending notifications aimed at preventing financial fraud, as well as security alerts, according to Article 6.1.f) of the GDPR.	When the contractual relationship with us ends.
39	Sending information about products and services that you find relevant through social media	To show advertisements directed specifically at you regarding our products or services that are similar to those already taken out with us and that could be of interest to you, if you are registered on any social media platform. In order to carry out these activities, we use tools that social media companies have developed specifically for such purposes (such as Facebook Custom Audiences). The social media platforms themselves provide, according to their privacy policies, information on how they process data using these tools for which we act as joint data controllers. By using these tools, we conduct segmentation based on users’ interests and, therefore, if you are a social media user and are classified under our selected audience, you could receive advertising from Openbank. In these cases, we will only perform audience segmentation, but we will not have access to the final users receiving the advertising. Therefore, in order to object to receiving such messages, you must contact the social media platform that sent you the advertising.	Internal sources: Contact and identification details. Financial and insurance data.	Our legitimate interest in sending marketing about our products and/or services through different channels, according to Article 6.1.f) of the GDPR. Notwithstanding the foregoing, whenever, based on the use of the different tools that social media platforms have developed, the Customer is subject to extensive profiling, we shall check that the tool has requested prior express consent from users in order to carry out the processing described herein, and to be able to send them information about relevant products and services.	When the contractual relationship with us ends.
40	Use of cookies See Section 9 for more information.	Storage of user browsing data for analytics or metrics, preferences or personalisation, and advertising based on behavioural patterns, as provided in our Cookie Policy.	Internal sources: Contact and identification details.	Prior informed consent, obtained in accordance with Article 6.1 a) of the GDPR.	When consent is withdrawn.
41	Click & Collect	Your request, through the merchant website, to collect the purchase at store locations.	Internal sources: Contact and identification details. Financial and insurance data.	Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.	When the purchase is collected.
42	Point of sale	The Customer’s request to make the purchase at store locations.	Internal sources: Contact and identification details. Financial and insurance data.	Performance of the contract and adequate provision of the Services, in accordance with Article 6.1 b) of the GDPR.	When the purchase is collected.
43	Anti-money laundering and counter-financing of terrorism	Verification of the information provided and prevention of criminal activities. Verifying if the end user of the Service, or the person acting as legal representative or proxy of a merchant, is a publicly or politically exposed person and, if so, applying enhanced due diligence measures in the business relationships or transactions we carry out with you. Includes automated decision-making.	Internal sources: Contact and identification details. External sources: (i) External sanctions lists and PEP lists.	Compliance with Law 10/2010, on the Prevention of Money Laundering and Terrorist Financing; and Royal Decree 304/2014, of 5 May, approving Regulation of Law 10/2010, according to Article 6.1.c) of the GDPR.	When the contract with us is terminated or, in the case of proxies and legal representatives, when you cease to represent them.
44	Processing the data of proxies or legal representatives of legal institutions or of self-employed persons	For people who work in a self-employed capacity or represent a merchant interested in collaborating with us, we shall process their contact details, as well as those related to the position they hold and, in general, the information necessary to contact them. Under no circumstances shall we use the personal data we hold in order to establish an individual relationship with such people.	Internal sources: Contact and identification details.	Proper execution and performance of the agreement with the merchants with which we collaborate, according to Article 6.1 f) of the GDPR and in accordance with Article 19 of the LOPDGG [sic: LOPDGDD], on the processing of contact details, individual business owners and independent professionals.	When the contract between the merchant and us ends or when the individual ceases to act as a representative of the company.

In addition to the information provided in the table above relating to all data processing that we carry out, in Sections 4.1 to 4.5 below, a more detailed explanation is provided below of some of the processing activities that we consider particularly important, including, where applicable, information on the logic applied to automated data processing and the potential consequences of such processing.

4. 1. Validation of the Customer’s identity when requesting a transaction (automated decision)

When you request a financed payment from Openbank, we must verify and validate your identity, for which purposes we will adopt the measures we consider necessary. In particular, we will ask you for a copy of your national ID document and verify its validity through an automated mechanism.

Accordingly, we will store a copy of the document (including your image) and, if necessary, view it using any means, formats and media, for the sole purpose of verifying your identity whenever necessary in order to comply with the contract signed with you in your capacity as Customer (as is the case whenever a claim is filed) and to meet the requirements of the competent authorities and/or comply with our legal obligations.

We will carry out the aforementioned verification by means of an automated decision, the logic of which consists of capturing and processing the document image in order to perform a recognition analysis upon it and subsequently validate it.

You have the right to request an explanation of the decision made, to exercise your right not to be subject to a decision based solely on automated processing, requesting the involvement of one of our analysts, to express your point of view on the decision made based on profiling, and to object to it.

The legal basis of this processing is our legal obligation to ensure the accuracy of information as stipulated in Article 5 of the GDPR, in accordance with Article 6.1 (c) of the GDPR.

The categories of personal data we use in the framework of this processing are listed in Section 4.

4. 2. Fraud detection and prevention (automated decision)

We have the obligation and goal to prevent fraud and protect you and all our other Customers against potential fraudulent behaviour, such as identity theft or password theft.

If you are not yet a Zinia/Openbank customer, before you enter into a contractual relationship with us, we will perform different analyses to prevent fraudulent transactions, such as verifying your identity and detecting possible inconsistencies in the information provided. If we detect any irregularity when opening the account, we shall proceed to block the operation until the situation is clarified.

Our analyses involve using information that you provide to us during the registration process or that is transferred to us by the merchant through your request, such as: your name and surname, email address, telephone number and other variables associated with the request that you are making, as well as metadata associated with your request related to the devices from which you request the account opening, or the browser you use.

Likewise, we will share some of your personal data with third-party service providers that help us detect and prevent possible fraud attempts, at all times complying with and respecting the procedures, rights and guarantees that the laws in force establish and grant you. The information we share with these third parties includes some of the information you provide when you register as a Customer, such as your email address, as well as information related to your browsing, such as the IP address of your device. You can find details about the third parties we use to help us detect and prevent fraudulent transactions in Section 6.

Accordingly, when you request the Service, we will apply automated decisions that will significantly affect you, applying the following logic. We will process the information you provide us with during your request in order to make the decision on whether or not to provide you with our Services, or to determine if your use of our Services poses a fraud risk. We will analyse your user behaviour profile using specialised fraud prevention tools and compare this data to our internally established risk criteria.

The consequence that these automated decisions will have for you is that, based on the analysis carried out, we will decide if the identification data provided is robust and, therefore, we can continue with your application to subsequently perform an analysis of your creditworthiness. To do this, we will use the data you provide us with, as well as data from external sources (the fraud prevention tools and service providers we consult and collaborate with) and own internal Openbank information, including information we hold about you, such as data about your previous use of our Services and data related to the device you use to request the Service.

We will decide whether or not you pose a fraud risk when our processing shows that your behaviour indicates possible fraudulent conduct, that it is inconsistent with your previous use of our Services, or that you have attempted to hide your true identity. If you are not approved under the automated decisions described in this section, you will not be given access to the Service.

We have several control mechanisms in place to ensure that our automated decisions are correct. These mechanisms include ongoing testing and review of our decision models and exhaustive documentation of rejected applications and the rationale behind such decisions. If you have any concerns about the outcome, you can contact us and one of our analysts will personally determine if the procedure was properly performed. You may also object in accordance with the following instructions.

Under the data protection law, you have the right to object to any automated decision with legal consequences or decisions that could otherwise significantly affect you. In this case, you can do this by emailing privacidad.es@zinia.com. Upon receiving your request, we will proceed to review the decision, taking into account any additional information and circumstances you may provide us with.

The legal bases of this processing is: (i) our legitimate interest in preventing fraud (Recital 47 of the GDPR and Legal Report 195/2017 of the Spanish Data Protection Agency) and preventing harm to our customers; and (ii) compliance with other legal obligations: in particular, we will carry out this processing in accordance with Decision (EU) 2016/456 of the European Central Bank, of 4 March 2016, concerning the terms and conditions for European Anti-Fraud Office investigations of the European Central Bank, in relation to the prevention of fraud, corruption and any other illegal activities affecting the financial interests of the Union (ECB/2016/3) (recast) (OJEU of 30 March).

The sources from which we obtain the data, as well as the categories of personal data we collect from such sources, are listed in Section 4. Please note that if you already have a contractual relationship with Openbank before entering into the buy now, pay later transaction, we will also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of said relationship, given that Zinia and Openbank are, in fact, the same data controller.

See Section 6 for more information about the entities with which we share information in connection with profiling during automated decisions.

4. 3. Transferring data between the merchant where the Customer makes the purchase and Openbank, and approval of the transaction by analysing their creditworthiness (automated decision).

When you request the Service, the business where you make a purchase will transfer to us certain personal data relating to you so that we can provide you with the Service.

We need to process the personal data: (i) received from the business; (ii) provided directly by you; and (iii) collected by Openbank from external sources (such as other third parties and public sources), in order to analyse and manage the approval of the provision of the Service and, if the Service is ultimately provided, to comply with the obligations derived from it and maintain the contractual relationship with you.

Accordingly, we will assess your creditworthiness to predict if you will be able to afford to pay for the products and prevent a potential default on the debt, thereby avoiding situations that could be detrimental to both you and Openbank.

The logic that governs the analysis we carry out to approve the provision of the Service is based on the analysis of both the information you have provided us with and your purchase and payment history, as well as that obtained from the external sources listed in Section 4 that provide us with information related to your identity and financial situation. The aforementioned data and analytical capabilities of our risk models allow us to automatically determine if you are able to pay for the buy now, pay later product, thus allowing us to approve or reject your request.

The legal basis of this profiling is the correct performance of the contract, in particular, the application – at your request – of pre-contractual measures and the execution and fulfilment of our contractual obligations in the event of you ultimately signing up to our Services.

The sources from which we obtain the data, as well as the categories of personal data we collect from such sources, are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

4. 4. Marketing

As part of the aforementioned data processing, we will process your personal data for the purpose of sending marketing. The scope and purposes of such processing, as well as the lawful basis and the categories of personal data processed, are described in more detail below:

Sending marketing about our own products and services and those related to the purpose of the contract based on our legitimate interest and based on profiling with data from internal sources (direct marketing) (automated decision).

Once you sign up to our Services, your personal data will be used to send you marketing about Openbank products and services, including those you have already taken out (for example, communications about our loans, credits or cards). Such marketing may be sent by automated and non-automated means (by mail, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and will be relevant to you based on information obtained from our internal sources, from which we perform profiling according to your behavioural patterns.

The marketing referred to in this section includes advertisements that we display whenever you log in to Zinia, about functionalities, products and services that we think could be relevant to you based on the Services you have signed up to. If you wish, you may object to receiving this type of personalised advertising, following the instructions in Section 7. However, please note that, in any case, you will continue to receive generic advertisements that will not be based on your interests or preferences and, depending on your privacy preferences, you may also receive other types of advertising.

The profile will be created through an automated decision, to which the following logic will be applied. We will process the information you provide to determine your payment behaviour, the customer segment or segments you belong to -according to our internal classification criteria- and the periodic fulfilment of your contractual obligations. This activity may lead us to make a decision not to offer you certain products or services, depending on the risk that the bank estimates and the rating resulting from the analysis of the information obtained.

In addition, we will process your personal data to analyse your behaviour regarding the impact and success of our commercial campaigns.

This data processing will be carried out while your contractual relationship with Openbank is valid, unless you tell us otherwise through the channels provided for in Section 7 of this Privacy Policy.

Likewise, since this processing is carried out based on automated decision-making, you have the right to request an explanation regarding the decision made, to exercise your right not to be subject to a decision based solely on automated processing, requesting the involvement of one of our analysts, to express your point of view on the decision made based on profiling, and to object to it.

The legal basis of this data processing is our legitimate interest in promoting and offering our products and services by sending general or personalised correspondence. Openbank’s main interest in carrying out this data processing is to maintain our relationship with you by offering new products and improving the terms and conditions of the products and/or services you have signed up to, and offering you information about Openbank and its products that could be relevant to you. We consider that the aforementioned data processing activities do not constitute an impediment to the normal exercise of your rights and freedoms, as they are considered normal practice within the business sector, so we understand that the receipt of this type of correspondence will not be detrimental to your expectations. We also undertake to use the least harmful means to carry out such data processing activities.

The categories of personal data we use in the framework of this processing are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

Sending marketing about our own products and services based on information obtained from and profiling with internal and external sources (automated decision).

As long as you have given us your express prior consent, we may send you relevant marketing about Openbank products and services (for example, marketing about our loans, credit or cards), while our contractual relationship remains valid. Such marketing may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into account the analysis of your Customer commercial profile.

The marketing referred to in this section includes advertisements that we display whenever you log in to Zinia, about functionalities, products and services that we think could be relevant to you based on the Services you have signed up to. If you wish, you may object to receiving this type of personalised advertising, following the instructions in Section 7. However, please note that, in any case, you shall continue to receive generic advertisements that will not be based on your interests or preferences and, depending on your privacy preferences, you may also receive other types of advertising.

This profile will be created following an analysis of your behavioural and risk patterns, from internal sources such as payment details, as well as the information obtained from external sources.

The profile will be created through an automated decision, in which the following logic will be applied. We will process the information you provide to determine your payment behaviour, the customer segment or segments to which you belong—according to our internal classification criteria—and the periodic fulfilment of your contractual obligations. This activity may lead us to make a decision not to offer you certain products or services, depending on the risk we estimate, and the rating determined following analysis of the information obtained.

The legal basis of this data processing is obtaining your prior informed consent. You can withdraw the consent provided to Openbank at any time through the channels provided for in Section 7 of this Privacy Policy.

The sources from which we obtain the data, as well as the categories of personal data we collect from such sources, are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

Sending marketing about third-party products and services based on profiling with internal and external sources (automated decision).

Provided you have given us your prior express consent, Openbank may send you relevant marketing about third-party products and services (for example, marketing about promotions or discounts offered by such third parties). Such marketing may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into account the analysis of your Customer commercial profile.

The marketing referred to in this section includes advertisements that we display whenever you log in to Zinia, about functionalities, products and services offered by third-party companies. If you wish, you may object to receiving this type of personalised advertising, following the instructions in Section 7. However, please note that, in any case, you shall continue to receive generic advertisements that will not be based on your interests or preferences and, depending on your privacy preferences, you may also receive other types of advertising.

With regard to third-party companies from which we will send you marketing about products and services, please note that such companies carry out their business activity in – but not limited to – the following sectors: financial, insurance, leisure and tourism, entertainment, telecommunications, information society, retail, luxury, health, food and beverage, automotive, hospitality, department stores, energy, real estate and security services, among others.

The goal we pursue with the creation of these profiles is to be able to carry out an analysis related to your economic and personal characteristics, in order to determine which products marketed by such third-party companies best suit your situation based on two variables: your willingness to take out the product and the probability of the transaction being approved.

This profile will be created following the analysis of your behavioural and risk patterns. So, for example, if the information we have about you shows that you are interested in technology products, we shall send you marketing about products offered by companies in this sector. We also use other internal sources, such as payment details, as well as information obtained from external sources.

It is important that you understand that this data processing activity is limited to the aforementioned purpose, which is to recommend third-party products and services to you.

The sources from which we obtain the data, as well as the categories of personal data we collect from such sources, are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we will also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

Transferring data to other companies of the Santander Group for sending marketing and promotional offers about their products and services.

The companies to which we may transfer your personal data are those of the Santander Group (in accordance with Article 42 of the Commercial Code).

Such marketing may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into account the analysis of your Customer commercial profile, based on the information provided to such third parties.

This profile will be created following the analysis of your behavioural and risk patterns, other internal sources such as payment details, as well as information obtained from external sources.

The categories of personal data we use in the framework of this processing are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we will also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

4. 5. Risk and behavioural model design and training

It is important to us that we have a solid understanding of the needs for products and services, as well as the creditworthiness and consumption habits of our active Customers. Therefore, we will carry out pseudonymisation and/or anonymisation procedures on your personal data that we will use to design and train algorithms, allowing us to create different behavioural and risk models, which we will then use to carry out profiling activities on active Customers. Specifically, in order to design and train our behavioural and risk models, we use pseudonymised and/or anonymised personal and financial information from both our own sources as well as external sources.

While your personal data will be used to design and train our behavioural and risk models, this processing linked exclusively to such design and training will not have any individualised legal consequences on you and, upon training the model, at no time will we use your identifying personal data.

Subsequently, and in other cases of personal data processing as explained in previous sections of this Policy, we will be able to use these behavioural and risk models to compare with our Customer database, to profile our Customers, both for marketing purposes (sending advertising) and to analyse and assess your level of risk and creditworthiness and your propensity to take out any of our products.

We also have a control model at Openbank that ensures the quality of the information of the algorithms used for designing our behavioural and risk models.

The legal basis of this processing is our legitimate interest in designing, creating and offering innovative and efficient financial products and services to our Customers based on the different behavioural and risk models created by our algorithms.

The sources from which we obtain the data, as well as the categories of personal data we collect from such sources, are listed in Section 4. Please note that if you already have another contractual relationship with Openbank before entering into the buy now, pay later transaction, we will also process – for the purposes described in this section – the personal data relating to you that we have obtained in the context of the said relationship, given that Zinia and Openbank are, in fact, the same data controller.

5. How long do we keep your personal data for?

Openbank will keep your data for as long as required to undertake the purpose for which they were collected and, subsequently, they will be blocked for the corresponding retention period provided for by law or as per the statute of limitations. After these periods, where applicable, Openbank will destroy or completely anonymise the data.

The blocking of your data implies Openbank refraining from carrying out any processing of your data. However, your data will be retained for the purpose of making them available to the competent public administrations, judges, courts and tribunals or the Public Prosecutor's Office in relation to any liability that may arise from the contractual relationship held with you or relating to the processing of such data.

Furthermore, if you are a customer, we will process your data until your contractual relationship with Openbank terminates. After said termination, as a general rule, we will keep your personal data blocked. Please note that some actions provided for by consumer law, such as injunctions or actions for declaration of nullity, are not subject to any statute of limitations.

6. Who will your personal data be shared with?

Authorities: to those third parties to whom we are legally obliged to provide information, such as public bodies, tax authorities, courts and tribunals.
Anti-fraud service providers: Emailage Ltd. and Confirma Sistemas de Información, S.L. in order to detect and prevent potential fraud attempts, complying with and respecting the procedures, rights and guarantees that the laws in force establish and grant you at all times.

With regard to the CONFIRMA Database, we are required to inform you of the following:

“The requesting persons are informed that the data of this request is reported to the Confirma database, the purpose of which is to compare requests and transactions registered in the database by the participating banks in order to detect possible fraud when signing up. This purpose implies, among others, assessing the probability of fraud from the request. The lawful basis for the processing of personal data is the legitimate interest of the joint data controllers to prevent fraud (Recital 47 GDPR), in order to avoid potential negative economic consequences and possible legal infringements by the requesting persons. Consulting the Confirma database is suitable for the purpose sought, and proportionate relative to the benefit obtained by the joint data controllers and the impact on the privacy of the requesting persons. In addition, the data processing falls within the reasonable expectations of the data subjects as it is a common practice and occurs within the framework of taking out a product/service or during the contractual relationship. To prevent damage and negative consequences for requesting persons, technical and organisational measures have been adopted to reinforce the confidentiality and security of this information.

The maximum term for data retention is five years.

The Confirma Database is accessible to banks that are signatories of its Regulations and that, in their field of activity, could be subject to fraud during the formalisation of agreements.

In accordance with the data protection regulations in force, data subjects may exercise their rights of access, rectification, erasure, objection, restriction to processing, not to be subject to a legally binding decision based solely on automated processing, and portability, by contacting the data processor, CONFIRMA SISTEMAS DE INFORMACIÓN, S.L., at the above address. Data subjects may also exercise their right to file a claim with the Supervisory Authority.

CONFIRMA SISTEMAS DE INFORMATION, S.L., has appointed a Data Protection Officer who can be contacted via email dpo@confirmasistemas.es for requests regarding privacy related to the Confirma Database.”

With regard to the EMAILAGE Database, please note that the company Emailage Ltd., is established in the United Kingdom. Emailage Ltd., is also the data controller for your personal data and shall use it for the purposes set out in its privacy policy. You can exercise your data protection rights with Emailage at privacy@emailage.com.

Portfolio purchase companies: We may transfer existing debts to portfolio purchase companies in accordance with the procedures, rights and guarantees established and provided for by the applicable regulations. The said transfer will involve reporting the following categories of data relating to you to the portfolio purchase company (which will act as a separate data controller): contact and identification details; financial and insurance data; information on goods and services transactions; as well as any data that we may obtain within the framework of the contractual relationship with you. The lawful basis for carrying out the aforementioned transfer of data is our legitimate interest in the management of our Customers’ debt portfolio and the sale thereof to third parties in order to obtain a financial profit, in accordance with Article 6.1.f) of the GDPR. The portfolio purchase company will process your personal data in accordance with its own privacy policy. In any case, we will provide you with the details of the portfolio purchase company at the time of the debt transfer.
Credit reference files. In the event of default, we shall send the data to CIRBE and to credit reference files (ASNEF Database and BADEXCUG Database), complying with the procedures and safeguards established at all times and recognised by the laws in force.
Companies of the Santander Group. We shall share your data with companies of the Santander Group (in accordance with Article 42 of the Commercial Code), provided that you have given us your prior express consent, in order to allow the latter to offer you their products and services that could be relevant to you.
Service providers and subcontractors: we will collaborate with third-party service providers which may have access to your personal data, and process them on our behalf, as a consequence of the services they provide us. We follow strict criteria in selecting our service providers so as to comply with the corresponding data protection requirements and obligations, and we undertake to sign the corresponding data processing agreements with them, whereby we will impose them, among others, the following obligations: to apply appropriate technical and organisational measures; to process the personal data for the agreed purposes and only in accordance with our documented instructions; and to delete or return to us the data once the provision of the services has been completed or terminated.

In particular, we will outsource the provision of services by third-party service providers which are part of the following sectors, among others: logistic services, legal advice, private valuation services, supplier certification, multidisciplinary professional service companies, maintenance-related companies, technology service providers, IT service providers, instant messaging service providers, and call centre companies.

Providers that access or process your data outside the European Union: we may transfer your data internationally within the framework of some of the above-mentioned services offered by third-party providers. The purpose thereof will always be the maintenance and management of the contractual relationship you have with us or the prevention of fraudulent actions or transactions. These transfers are made both to countries that offer an adequate level of protection, comparable to that of the European Union, and also to countries without such a level. In the latter case, we use several mechanisms established by applicable regulations to comply with all safeguards when dealing with your personal data, such as standard contractual clauses or certification mechanisms. You can obtain more information about any international data transfers we carry out by sending an email to privacidad.es@zinia.com.

7. Your data protection rights

You have the following rights, which you can exercise at any time:

Right of access: you have the right to obtain know whether or not Openbank processes personal data relating to you and, if so, to access such data.
Right to data portability: you have the right to receive a copy of the personal data you have provided us, in a readable, structured and commonly used format, and also to request its transfer to another institution.
Right to rectification: you have the right to request that inaccurate data be corrected.
Right to erasure: you have the right to request erasure of your data when, among other things, they are no longer necessary for the purpose for which they were provided.
Right to object: under certain circumstances, you can object to the processing of your personal data. If you object, Openbank will stop processing the data, except where there are compelling legitimate reasons for doing so, or for the exercising or challenging of possible claims.
Right to restriction of processing: under certain circumstances laid down in the applicable data protection legislation, you can request that the processing of your data be restricted.
Right to withdraw your consent: you are entitled, at any time and without providing specific reasons, to withdraw the consent you previously and specifically provided. The withdrawal of the consent will not affect the lawfulness of the data processing activities carried out based on that consent prior to its withdrawal.
The right not to be subject to exclusively automated decisions: in the event that you have consented to the profiling and that this it is done through an exclusively automated process, you can request the intervention of one of our analysts, express your point of view and challenge the decisions made on the basis of said profiling.

You may exercise the aforementioned rights through the following channels:

Email address: privacidad.es@zinia.com.
Postal address: Privacy, Open Bank, S.A., Plaza de Santa Bárbara, 2, 28004 Madrid, España.
Location: Plaza de Santa Bárbara, 2, 28004 Madrid, España.
Telephone number: +34 910 870 271.

Finally, you can submit a claim to Openbank and/or the Spanish Data Protection Authority (the supervisory authority competent in the field of data protection), particularly if you have not been satisfied with the process of exercising your rights, by writing to the above-mentioned address or via the website www.aepd.es. If you live in an EU member state, other than Spain, you can also directly contact your national data protection supervisory authority.

8. Keeping your data up to date

To enable us to communicate with you, please ensure that all the information you provide for our databases is true, complete, accurate and completely up to date.

If the personal information you have provided us, particularly your postal address, email address and telephone number (landline and mobile) has changed, we kindly ask you to immediately inform us through any of the channels referred to in Section 7.

In the event that you do not notify us of such changes, you acknowledge and agree that all communications sent by us to the postal address or email address or to the contact telephone numbers that feature in our filing systems are valid, binding and in full force and effect.

9. Use of cookies

At Openbank, we use cookies, for example, to remember who you are when you log in to your Customer Area and to customise content that is relevant to you based on your browsing habits.

When you visit the Zinia website, we shall inform you about the cookies we use, and you shall be able to configure the analytics, advertising and personalisation cookies you use when browsing the Zinia website. You may refer to our Cookie Policy for more information.

At Openbank, we use cookies, among others, to remember who you are when you access your Customer Area or to customise content that may be of interest to you based on your browsing habits.

When you visit the Zinia website, we will inform you about the cookies we use, and you can configure the analysis, advertising and personalisation cookies used when browsing the Zinia website. You can read our Cookie Policy for more information.

10. Amendments to the Privacy Policy

We are committed to keeping this Privacy Policy updated to reflect any new developments that occur in relation to the scope of the processing of your personal data. As such, it is important that you take the time to read and understand this Policy. We will notify you of any amendments made to this Privacy Policy by email.

In the event of any dispute regarding or discrepancy between the Spanish and the English version of this Privacy Policy, the Spanish version shall take precedence.

You can download our Privacy Policy here.

Privacy Policy

1. Introduction – scope of application

2. Who is the data controller responsible for your data?

3. What data do we process and how do we obtain it?

4. How do we process your personal data?

4.1. Sharing data with Amazon

4.2. Provision of the Service

4.3. Zinia User

4.4. Information Validation

4.4.1. Identity Verification

4.4.2. Account ownership verification

4.4.3. Verification of the data provided

4.5. Analysis

4.5.1. Risk analysis and fraud prevention and detection

4.5.2. Creditworthiness analysis

4.6. Storing data with your consent

4.6.1. Storing data for use in future product and service applications with Zinia

4.6.2. Storing payment method data for future operations with Zinia

4.7. Direct debit and card payment

4.8. Openbank general processing

4.8.1. Anti-money laundering and counter-terrorism financing

4.8.2. Debt recovery and payment

4.8.3. Data sharing with third-party institutions

4.8.3.1. Data sharing with Santander Group banks

4.8.3.2. Reports

4.8.3.3. Reporting information to CIRBE

4.8.3.4. Reporting non-payment to credit information databases

4.8.4. Access to the device

4.8.5. Recording your voice and/or image and electronic conversations held with you

4.8.6. Capturing images through video surveillance systems at our branches

4.8.7. Incident analysis and resolution

4.8.8. Data anonymisation

4.8.9. Risk and behavioural model design and training

4.8.10. Sending messages related to your products and services and other alerts

4.8.11. Satisfaction surveys and market research

4.8.12. Addressing your requests for information on social media

4.8.13. Campaigns, prize draws and promotions

4.8.14. Marketing

4.8.14.1. Sending marketing about our own products and services, as well as those related to the contractual purpose, based on our legitimate interest and using profiles created from internal data sources (direct marketing) (automated decision-making)

4.8.14.2. Sending marketing about our own products and services based on information obtained from and profiling with internal and external sources (automated decision).

4.8.14.3. Sending marketing about third-party products and services based on profiling with internal and external sources (automated decision).

4.8.14.4. Transferring data to other companies of the Santander Group for sending marketing and promotional offers about their products and services.

4.8.15. Handling legal claims, requests from competent authorities, and safeguarding Openbank’s legal rights

4.8.16. Audits and verification of compliance

4.8.17. Complaints channel

4.8.18. Wills, bankruptcy proceedings, and acceptance of powers of attorney

4.8.19. Custody of documentation and correspondence

5. Use of cookies

6. How long are your data stored?

7. With whom do we share your personal data?

8. International data transfers

9. Obligation to disclose personal data

10. Are automated decisions made?

11. What are your rights regarding the processing of your personal data?

12. Do you need to keep your data up to date?

13. Adherence to codes of conduct

14. Changes to the Privacy Policy

1. Introduction and scope of application

2. Who is the Data Controller?

3. What information do we collect from you and how do we obtain it?

4. Data processing activities we carry out

4. 1. Validation of the Customer’s identity when requesting a transaction (automated decision)

4. 2. Fraud detection and prevention (automated decision)

4. 3. Transferring data between the merchant where the Customer makes the purchase and Openbank, and approval of the transaction by analysing their creditworthiness (automated decision).

4. 4. Marketing

4. 5. Risk and behavioural model design and training

5. How long do we keep your personal data for?

6. Who will your personal data be shared with?

7. Your data protection rights

8. Keeping your data up to date

9. Use of cookies

10. Amendments to the Privacy Policy