Privacy Policy

Index

1. Introduction

2. Who is the data controller?

3. What information do we collect from you and how do we obtain it?

4. Data processing activities we carry out

5. Fraud prevention

6. Transfer of data from the shop to Openbank and invoice purchase approval for the execution of the contract.

7. Commercial and marketing communications

8. How long do we keep your personal data for?

9. To whom will your personal data be communicated?

10. Your data protection rights

11. Keep your data up to date

12. Cookies

13. Changes to the Privacy Policy

1. Introduction

The purpose of this privacy policy (hereinafter, "Privacy Policy" or "Policy") is to regulate and provide information about the processing carried out by Openbank S.A, of personal data (hereinafter “Openbank” or “We”) of customers (hereinafter, “You” or the “Customer”) who sign up for the “buy now, pay later” service (hereinafter, the “Service“), in accordance with EU Regulation 679/2016, approving the General Data Protection Regulation ("GDPR") and other applicable implementing data protection legislation. The Service is run by Zinia (hereinafter, “Zinia”), a registered trademark of Openbank.

This Policy provides you with information about the categories of personal data we process, the means by which we have obtained your personal data, the purposes for which we collect and process your personal data, the legitimate bases for such processing, the recipients of the data, the data retention period and the rights granted to you by regulations concerning your personal data.

Please take a few minutes to read and understand its contents correctly. If You have any questions, please contact our Data Protection Officer, whose contact details can be found below.

2. Who is the data controller?

“Open Bank, S.A.”, operating through its registered trademark Zinia.

Plaza de Santa Bárbara 2, 28004 Madrid, Spain

Email address to contact the Data Protection Officer: privacy.nl@zinia.com

3. What information do we collect from you and how do we obtain it?

We will process the categories of personal data detailed below that we obtain directly from you through the various forms for requesting information and/or engaging the Service that we offer, or from third parties such as the shop where you make your purchase, credit reporting agencies or public sources. Please note that the data we specify in each of the forms as "mandatory" are necessary for the proper execution of the pre-contractual or contractual relationship with Openbank. Thus, failure to provide them will prevent us from attending to your request or providing you with the Service.

Contact and identification data: name and surname, billing and shipping address, mobile phone number, fingerprint, cookie ID, email address, country of residence.
Economic, financial and insurance data: data related to the price of the goods you purchase, data related to the payment of your purchase (such as bank account, bank name and branch, or payment through IDEAL), data related to arrears, solvency and debt history, pending payment orders., information regarding negative payment history and previous credit approvals.
Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number.
Device data: IP address, language settings, browser settings, time zone, operating system, platform, screen resolution, login activity through the different devices you use, and other similar information related to device settings.
Data about your personal characteristics: date of birth, age, sex, nationality.
Unique identifiers: data collected from cookie ID, device ID, fingerprint, recorded voice calls, chat conversations and email correspondence.
Employment data: position of the contact persons acting as legal representatives of the shops we collaborate with.
Special categories of personal data: data that reveals information about health and information related to sanction lists.
Data about politically exposed persons and sanction lists: Sanctions and PEP lists contain information such as name, date of birth, place of birth, occupation or position, and the reason why the person is on the list.

In addition to the above data that you provide directly through the various forms for requesting information and/or engaging the Service or which we collect from third parties such as the shop where you make your purchase or credit reporting agencies, we will process other data about you that we obtain from internal sources such as: (i) the data we obtain derived from the contractual relationship we hold with you; (ii) the data we obtain as a result of your interaction through our website/app; and (iii) inferred data that we deduce and/or obtain from data that you have previously provided (as is the case when we create profiles).

4. Data processing activities we carry out

	Data processing activity	Purpose of the data processing activity. What we do and why we do it	Categories of personal data processed	Legal basis for the data processing	The purpose of the processing ends
1	User/Customer registration management.	Management of the interaction with the Customer according to the T&C of the Service, including the registration and communication of related information.	From you: Identification data: your contact details, such as email address and phone number.	Adequate execution and performance of the service provision agreement you have entered into with Openbank, as per article 6.1b) GDPR.	When the contract between You and Openbank terminates.
2	Conduct a fraud risk analysis.	Analysis of potential fraudulent activities as part of the user registration management in order to prevent fraudulent registration applications (automated decision).	From you: Identification data: your name, email address, billing and shipping address, mobile phone number. Data related to your personal characteristics: date of birth. From third parties: profile information and other data from social media platforms and publicly available sources.	Legitimate interest of Openbank in preventing fraudulent activities and protecting existing customers and its business, as per article 6.1f) GDPR.	When the fraud assessment is performed.
3	Data transfer to third parties for fraud prevention.	We will transfer your data to Emailage Ltd, to detect and prevent possible fraud attempts, complying with and respecting the procedures, rights and guarantees that the current legislation establishes and recognises at all times. Emailage also acts as a Controller when processing your personal data and will use it for the purposes established in its privacy policy. You can exercise your rights regarding data protection against Emailage at DPO@lexisnexisrisk.com	Identification data: personal data such as name, email address, IP address, postal address. Data about your personal characteristics: date of birth, age, and sex.	Legitimate interest of Openbank in preventing fraudulent activities and protecting existing clients and its business, as per article 6.1f) GDPR.	When the transfer to the third party is performed.
4	Enquiries and exercise of data protection rights.	Attend to, manage and resolve requests to exercise GDPR rights submitted by Customers, data subjects and other data controllers, as well as complaints submitted directly by the data subject to Openbank or through the corresponding control authorities.	Identification data: your contact details such as your email address and telephone number. Data related to personal characteristics: your date of birth, sex.	As per article 6.1 c) of GDPR, the legal obligation of Openbank as data controller to comply with obligations set forth in articles 15-22 of GDPR.	When the exercise of data protection rights is executed.
5	Debt collection	Managing the collection of Customers' debts with Openbank.	Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address, Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders. Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number. Data related to personal characteristics: date of birth, and sex.	Adequate execution and performance of the service provision agreement you have entered into with Openbank, as per article 6.1b) GDPR.	When you settle the debt you have with Openbank.
6	Selling debt portfolio.	Selling Openbank Cutomers' debt portfolios to third-party companies in order to obtain a return on default debts.	Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address, Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders. Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number. Data related to personal characteristics: date of birth, and sex.	Legitimate interest of Openbank in managing its clients debt portfolio and selling it to third parties in order to obtain a return as per article 6.1 f) GDPR	When we transfer the outstanding debt to third-party companies.
7	Financial data processing.	Maintain accounting and administrative procedures as required by accounting law in compliance with applicable law. Generation of reports and/or communication of personal data to the different supervisory bodies (Bank of Spain). Filing and accounting in accordance with accounting legislation.	Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address. Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders. Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number. Data related to your personal characteristics: date of birth, and sex.	As per article 6.1 c) of GDPR, legal obligation of Openbank to keep accounting and administrative records and comply with reporting obligations with the corresponding financial and anti-money laundering supervisory authorities as per Spanish Act 44/2002 of Financial System and Spanish Act 10/2010 for the prevention of money laundering and terrorist financing.	When the contract between you and Openbank terminates.
8	Transfer of data from the shop to Openbank, and invoice purchase approval for the execution of the contract. See section 6 for further information.	The shop's right to charge for your purchase is transferred to Openbank (Selling of invoice) Approval of customer registration based on 'buy now, pay later' analysis of the creditworthiness of a potential customer based solely on automated decisions to approve the purchase and sale of the invoice.	From you: Identification data: your contact details such as email address and telephone number. Internal data related to previous 'buy now, pay later' applications. From other sources: Economic, financial and insurance data: data related to arrears, solvency, and debt history, pending payment order, information about negative payment history and previous credit approvals. From the shop where you make your purchase: Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number. Device data: IP address, fingerprint, language settings, browser settings, time zone, operating system, platform, screen resolution and other similar information related to device settings. Data related to personal characteristics: data of birth. Data obtained from external sources: Experian databases: we obtain external information to ensure that consumers take out credit that suits their financial situation and circumstances. The information is collected from different sources such as: negative registrations from telcos, e-commerce businesses, utilities and debt collection agencies (DCA), bankruptcies as well as Natural Persons Debt Restructuring Act (WSNP) registrations, or information that comes from Experian customers. You can obtain more information at: https://www.experian.nl/consumenten-informatie/privacyverklaring-consumenten Public sources: From CIR – Central Insolventieregister [Central Insolvency Register]: we obtain details of bankruptcies, suspension of payments and debt restructuring of natural persons, which are kept in the local registers of the various courts. All insolvency data published after 1 January 2005 can be consulted up to six months after the insolvency has ended. You can find more information via the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx From the Centraal curatele en bewindregisters, we check whether an individual is under administration or guardianship to prevent unwanted agreements. You can find more information via the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx From Overlijdensregister, we verify your identity to avoid unwanted agreements and contacts. You can find more information via the following link: https://www.overlijdensregister.nl/ . From other third parties such as Post NL , Messagebird and Kadaster, which allow us to check your address and phone number. You can find more information about Post NL at https://www.postnl.nl/; Messagebird at: https://www.messagebird.com/legal/privacy; and Kadaster at: https://www.kadaster.com/privacy.	Adequate execution and performance of the service provision agreement you have entered into with Openbank, as per article 6.1b) GDPR.	When the purchase takes place.
9	Phone and email validation.	Data processing to confirm phone numbers and emails and to check if the data provided is correct, as well as to ensure data quality.	Identification data: your email or phone number.	Adequate execution and performance of the service provision agreement you have entered into with Openbank, as per article 6.1b) GDPR.	When the validation has been completed.
10	Sending communications to prevent fraud.	During the contractual process, and once you have become an Openbank customer, we will send you communications in order to verify your identity or prevent fraud attempts or detected fraudulent activities.	Identification data: name, surname and email address.	Legitimate interest of Openbank in preventing fraudulent activities and protecting existing clients and its business, as per article 6.1f) GDPR.	When the contract between you and Openbank terminates.
11	Customer satisfaction surveys and market research.	Calls to Customers to conduct satisfaction surveys, as well as conducting surveys, market research or internal statistics and preparation of commercial reports to better understand the consumption habits of our Customers and thus be able to internally assess the design, creation and improvement of new products that may be of interest to our Customers or reach commercial agreements with third parties.	Identification data: name, surname, email and mobile phone. Economic, financial and insurance data: data related to the purchase. Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number	Legitimate interest of Openbank interest in using the data obtained through surveys, market research, internal statistics or commercial reports to improve our products and the provision of services to Customers as per article 6.1f) GDPR.	When the contract between You and Openbank terminates.
12	Ensure network and service information security.	Ensure security of the Openbank network and information. The processing is necessary to fulfil the specific purpose and the legitimate interest prevails over the Customer's right to object.	Identification data: unique identifier Data related to the contractual relationship.	Legitimate interest of Openbank in protecting its network and information security system to protect its business and services as per article 6.1f) GDPR.	When the contract between You and Openbank terminates.
13	Processing of vulnerable Customer data in relation to disability.	Only if you have asked us to do so and based on your prior informed consent, we will process data related to your disability or situation of vulnerability in order to provide you with the Service in a manner that is adapted to your personal needs and circumstances. For instance, we can arrange for special assistance if you require so due to hearing or vision problems.	Identification data: name, surname and email address. Special categories of personal data: health-related data.	Prior informed consent obtained from you as per article 6.1a) GDPR.	When the contract between You and Openbank terminates.
14	Personal data anonymisation.	Anonymisation of your personal data in order to improve our Services and products and to analyse consumer behaviour, create statistics and reports for market analysis or the analysis of payment trends or volumes in certain regions or industries and for the development and testing of products, in order to optimise our risk and credit models and to design our services (if possible, we will first anonymise the data prior to carrying out such activities, to ensure that no personal data will be processed later).	Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address, Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders. Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number. Data related to your personal characteristics: date of birth; and sex.	Legitimate interest of Openbank in using customers’ anonymised data to improve our products and the provision of Services to Customers as per article 6.1f) GDPR.	When the contract between You and Openbank terminates.
15	Sending commercial communications about Openbank products.	Sending of commercial communications through various means, including electronic means, with information about Openbank products and services based on customer segmentation. For further info, please see Section 7 of this Policy.	Identification data: name, surname, email address or mobile phone number. Economic, financial and insurance data: data related to arrears, solvency and debt history, pending payment orders. Information about negative payment history and previous credit approvals and Data on the goods and services purchased: data related to the product you purchase.	Legitimate interest of Openbank in keeping its Customers updated about products and services that may be of their interest based on previous products and services taken out or engaged as per article 6.1f) GDPR.	When the contract between You and Openbank terminates.
16	Profiling activities with internal sources to understand which of our products and services could be of your interest in order to, at a later stage, offer you those products and send corresponding commercial communications.	Analysis and profiling related to your economic and personal characteristics, based solely on the consultation of information from internal sources, in order to determine which of our own products and services are best adapted to your situation and/or interest based on two variables: your willingness to take out the product and the likelihood of approving your application. For further info, please see Section 7 of this Policy.	Identification data: name, surname, email address or mobile phone number. Economic, financial and insurance data: data related to arrears, solvency and debt history, pending payment orders. Information about negative payment history and previous credit approvals. Data on the goods and services purchased: data related to the product you purchase.	Legitimate interest of Openbank in promoting and offering its products and services to its customers; in particular, those adapted to its customers' personal characteristics - communications as per article 6.1f) GDPR.	When the contract between You and Openbank terminates.
17	Profiling with internal data and external data to decide which type of marketing of third-party products we offer.	Analysis and profiling related to your economic and personal characteristics, based solely on the consultation of information from internal and external sources, in order to determine which third-party products and services are the best fit for you. For further info, please see Section 7 of this Policy.	From you and from external sources: Identification data: name, surname, email address or mobile phone number. Economic, financial and insurance data: data related to arrears, solvency and debt history, pending payment orders, information about negative payment history and previous credit approvals. Data on the goods and services purchased: data related to the product you purchase and data related to payment, other personal data such as information obtained from the death register or related to personal circumstances, such as information about whether an individual is under administration or guardianship to prevent unwanted agreements. For further info, please see Section 7 of this Policy.	Prior informed consent obtained from you as per article 6.1a) GDPR.	When the contract between you and Openbank terminates.
18	Profiling with internal and external data to decide which type of marketing of our products we offer.	Sending commercial communications of Openbank products profiling you with internal and external sources. For further info, please see Section 7 of this Policy.	Data obtained from you and external sources: Identification data: name, surname, email address or mobile phone number. Economic, financial and insurance data: data related to arrears, solvency and debt history, pending payment orders, information about negative payment history and previous credit approvals. Data on the goods and services purchased: data related to the product you purchase and data related to payment, other personal data such as information obtained from the death register or related to personal circumstances such as information about whether an individual is under administration or guardianship to prevent unwanted agreements. For further info, please see Section 7 of this Policy.	Prior informed consent obtained from you as per article 6.1a) GDPR.	When You withdraw your consent.
19	Data transfer to other companies within the Santander Group for commercial communication purposes.	Transfer Customer data to other companies within the Santander Group (as per the definition of Group of Companies set forth in article 42 of the Spanish Commercial Code and which can be consulted here, so said companies can send you commercial communications about their products and services through various means (including electronic means). For further info, please see Section 7 of this Policy.	Data obtained from you and from external sources Identification data: name, surname, mail address or mobile phone. Economic, financial and insurance data: data related to arrears, solvency and debt history, pending payment orders, information about negative payment history and previous credit approvals. Data on the goods and services purchased: data related to the product you purchase and data related to payment, other personal data such as information obtained from the death register or related to personal circumstances such as information about whether an individual is under administration or guardianship to prevent unwanted agreements. For further info, please see Section 7 of this Policy.	Prior informed consent obtained from you as per article 6.1a) GDPR.	When you withdraw your consent.
20	Profiling with internal and external data behavioural and fraud scoring.	Profiling data subjects with information obtained from internal sources in addition to external sources in order to analyse the behaviour of the Customer and to prevent possible fraud situations.	From you: Identification data: name and email address. From third parties: Profile: information from social media platforms and publicly available sources.	Prior informed consent obtained from you as per article 6.1a) GDPR.	When the contract between you and Openbank terminates.
21	Legal, administrative and judicial complaints.	To handle the complaints of different parties according to the service provided.	Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address, Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders. Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number. Data about your personal characteristics: date of birth; and sex.	Legal obligation as per 6.1 c) of GDPR.	When the complaint has been handled.
22	Customer service for calls from users.	Attend to calls made to the customer service and management and resolution of enquiries.	Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address. Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders. Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number. Data about your personal characteristics: sex.	Legal obligation as per art 6.1 c) of GDPR in connection with legal obligations set forth in Spanish Act 44/2002 of Financial System and Order ECO/734/2004, of 11 march regulating customer services in financial institutions.	When the call has been handled.
23	Legal/contractual communications	Sending of communications to Customers based on the contractual relationship in order to provide accurate and updated information related to the contractual relationship, such as change of terms and conditions or the privacy policy, closing of accounts, refunds, payment letters.	Identification data: name, surname, email address and mobile phone number. Economic, financial and insurance data: data related to the contractual relationship.	Adequate execution and performance of the service provision agreement you have entered into with Openbank, as per article 6.1b) GDPR. Legal obligation to keep our Customers updated of any changes to the T&C governing the Services, as well as this Privacy Policy, as per article 6.1 c) GDPR	When the contract between you and Openbank terminates.
24	Debt payment with different payment methods.	Payment of the debt by the Customer.	Identification data: name and surname, economic, financial and insurance data, bank account, bank name and branch, or payment through IDEAL.	Adequate execution and performance of the service provision agreement you have entered into with Openbank, as per article 6.1b) GDPR.	When you pay off the debt.
25	Call recording.	Recording and safekeeping of telephone calls and communication registers through different means provided for this purpose.	Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address. Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders. Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number. Data about your personal characteristics: voice, date of birth, and sex.	Adequate execution and performance of the service provision agreement You have entered into with Openbank, as per article 6.1b) GDPR.	When the telephone call between you and Openbank terminates.
26	Quality and service metrics.	Conducting quality metrics to better understand the level of quality reached during the provision of the services and thus be able to internally assess quality standards and improvements to be made.	Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address. Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders. Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number. Data about your personal characteristics: sex.	Legitimate interest of Openbank in measuring its quality standards to improve our products and the provision of Services to Customers as per article 6.1f) GDPR.	When the contract between you and Openbank terminates.
27	Complaints related to the products taken out.	Manage complaints from Customers, related to the product taken out, and coordinate complaints with the shop where the purhcase was made.	Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address. Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders. Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number. Data about your personal characteristics: date of birth, and sex.	Legal obligation to attend to and manage complaints received from Customers as per article 6.1 C) GDPR	When the complaint has been handled.
28	Identity verification	Data processing to confirm your identity and check whether the data that you have provided to us are correct. You must confirm your email and mobile phone number by entering a code that is sent to your mobile.	Identification data: mobile phone number and email.	As per article 6.1 c) of GDPR legal obligation, Art 5. d) of GDPR, principle of accuracy.	When we verify your data.
29	Respond to your requests on social media.	When you use our social media pages, we will process your data to respond to your requests and to analyse your interactions with Zinia.	Identification data: Information related to your social media profile and email address.	Our legitimate interest in properly handling the requests you send us on social media, as well as in offering the Services in a simple and efficient manner and adapting our products in a way that suits your needs and expectations, as per article 6.1f) GDPR. .	When the request between you and Openbank is resolved.
30	Control and compliance audits	Data processing related to the execution of the compliance verification controls implemented internally, as well as within the framework of different audits.	Any data about you yhat we may have access to.	Our legitimate interest in verifying the suitability and adequacy of our processes in order to comply with legal obligations and internal quality standards for the identification, control and mitigation of legal or operational risks. Keep in mind that this information may be accessed by third-party companies that provide the auditing service for these purposes.	When the control or the compliance audit terminates.
31	Prevent money laundering or terrorist financing operations at Openbank, which includes automated decision-making.	Carry out a verification of the information provided and prevent criminal activities. Verify that the end user of the Service, or the individual acting as the legal representative or proxy of a shop, is a publicly or politically exposed person and if so, apply enhanced measures of due diligence in the business relationships or transactions that we carry out with you.	From you: name, surname, date of birth, nationality and country of residence. From other sources: information form external sanction lists and PEPs lists.	Comply with the regulation: Article 6.1.c) of the General Data Protection Regulation (GDPR). Law 10/2010, on the Prevention of Money Laundering and Terrorist Financing and Royal Decree 304/2014, of May 5, approving the Regulations of Law 10/2010.	When the contract between you and Openbank terminates, or, in the case of proxies and legal representatives, when the representation ceases.
32	Processing of the details of proxies or representatives of legal entities or related to self-employed professionals	If you are self-employed or represent a shop which is interested in collaborating with us, we will process your contact details as well as those relating to the position you hold and, in general the data necessary to contact you. Under no circumstances will we use the personal data we hold to establish a relationship with you at an individual level.	Contact and identification data: name and surname, mobile phone number, email address.	Adequate execution and performance of the agreement with the shops we collaborate with, as per article 6.1f) GDPR.	When the contract between the shop and Openbank terminates or when you stop acting as a representative of the company.

In addition to the information provided in the table above of all the data processing activities we carry out, you may find a more detailed explanation of some the processing activities we consider particularly relevant, including information about external data sources, the logic involved in automated data processing and the potential consequences of such processing, as follows:

5. Fraud prevention

We have the obligation and aim to avoid fraud and protect you and the rest of our customers against possible fraudulent behaviour.

To this end, when you request the Service, we will make automated decisions that significantly affect you. This means that profiling is performed based on automated processing of your data before the decision is made. The profiling is carried out to evaluate the information provided during your application in order to make the decision of whether or not to grant credit, or to assess whether your use of our services involves a risk of fraud. We profile your user behaviour using specialised fraud-prevention tools and compare this data on behaviours and conditions to our internally established risk criteria.

The consequence of these automated decisions for you is that based on the analysis carried out, we will decide if we are able to preliminarily approve your application to use the Service. We use the data you provide, as well as data from external sources and Openbank's own internal information, which includes information we have about you, including your previous use of our services and data related to the device you use to request the Service.

We decide whether you pose a risk of fraud if our processing shows that your behaviour indicates possible fraudulent conduct, that your behaviour is not consistent with your previous use of our services, or that you have attempted to conceal your true identity. Automated decisions whereby we assess whether you constitute a fraud risk are based on information you have provided yourself, data from fraud prevention tools and service providers that we use and collaborate with, and Openbank's own internal information.

The personal data categories used in each decision are described in section 4. See section 9 for more information about whom we share information with as regards profiling during automated decisions.

If you are not approved under the automated decisions described in this section, you will not have access to the Service. We have several control mechanisms in place to ensure that our automated decisions are appropriate. These mechanisms include ongoing testing and review of our decision models and thorough documentation of rejected applications and the reasoning behind those decisions. If you have any concern about the outcome, you can contact us, and one of our analysts will determine whether the procedure was performed appropriately. You can also object in accordance with the following instructions:

Under data protection legislation, you have the right to object to any automated decision with legal consequences or decisions that can otherwise significantly affect you. In this case, you can do so by sending an email to privacy.nl@zinia.com . Upon receipt of your request, we will proceed to review the decision, taking into account any additional information and circumstances that you may provide.

6. Transfer of data from the shop to Openbank and invoice purchase approval for the execution of the contract.

When you request the Service, we need to process personal data provided directly from you to the shop where you are making your purchase, or collected by Openbank from external sources such as third parties and publicly available sources. The personal data categories used in each decision are described in section 4.

We process your data to analyse the sale of the invoice and manage the derived contractual obligations, to maintain the contractual relationship with you and send you marketing communications related to the product. Additionally, the processing helps us assess your solvency and predict if you can afford the payment of the goods purchased, in order to prevent a possible default on the debt.

The logic behind the analysis we carry out to approve the sale of the invoice is based on the analysis of the information that you have provided, such as your purchase history and payments together with the external sources listed in section 4 that provide us with information related to your identity and financial situation. The aforementioned data and the analytical properties of our risk models enable us to automatically infer if you would be able to afford the payment of the 'buy now, pay later' product, which consequently allows us to approve or deny your request.

If we deny your request, you have the right to request an explanation about the decision made, and exercise your right to not be subject to exclusively automated decisions by requesting action by one of our analysts, express your point of view and contest the decisions made on the basis of this profiling.

7. Commercial and marketing communications

As part of the aforementioned data processing activities, we will process your personal data for marketing purposes. The scope and purposes of such data processing as well as the legal basis and the categories of personal data processed are described below in more detail:

Sending commercial communications in relation to our own products and services and to those related to the purpose of the contract under legitimate interest (direct marketing).

Once you engage our Services, your personal data will be used to send you commercial communications in relation to our own products and services, and to those related to those you have already engaged (email, push, pop-up or any other electronic or telematic means available at any time). These communications will be personalised with information that will be extracted from our internal sources and on the basis on which we will create profiles generated from your behaviour patterns.

We create these profiles with the aim of conducting an analysis related to your economic and personal characteristics, but not related to payments, based solely on the consultation of information from internal sources, in order to determine which of our own products and services are the best fit for your situation based on two variables: your willingness to take out the product and the probability of the transaction being approved. The creation of the profile will be the result of an automated decision, in which the following logic will be applied:

We will process the information you provide in order to determine your payment behaviour, the customer segment(s) to which you belong - according to our internal classification criteria- and the periodic fulfillment of your contractual obligations. This activity may lead us to take the decision not to offer you certain products or services, according to the risk that is estimated by the bank and the scoring obtained from the analysis of your information. For example, if you already have an outstanding debt with us, we might not offer you other products which may increase your insolvency.

In addition, we will process your personal data to analyse your behaviour regarding the impact and success of our commercial campaigns.

In order to carry out these data processing activities, Openbank will process the following categories of personal data: identification data: name, surname, email address or mobile phone number, data related to arrears, solvency and debt history, pending payment orders, information about any previous negative payment history you have had with us or previous credit approvals and data on the goods and services purchased: data related to the product you purchase.

The legal basis supporting these data processing activities will be the legitimate interest of Openbank in marketing and offering our products and services through the sending of general communications or those adapted to your personal characteristics.

The prevailing interest of Openbank in carrying out this data processing is to maintain our relationship with you by suggesting new products and improving the conditions of the products and/or services you already have taken out or engaged, as well as offering you information on products that you may find of interest.

Openbank considers that the abovementioned personal processing activities are not an impediment to the normal exercise of your rights and freedoms, as they are considered as standard practices within the business sector. Consequently, we understand that receipt of this type of communications will fall within your reasonable expectations. We are also committed to using the least intrusive means for conducting such data processing activities.

These data processing activities will continue for as long as your contract with Openbank remains in force, and unless you indicate otherwise by objecting through any of the channels detailed in Section 10 of this Privacy Policy.

Sending commercial communications in relation to our own products and services on the basis of internal and external sources.

Provided that you have given us your prior express consent to process your personal data, Openbank may send you personalised commercial communications about its own products and services, for as long as our contractual relationship remains in force. These commercial communications may be made by automated and non-automated means (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other electronic or telematic means available at any time), and will take into consideration the analysis of your customer commercial profile.

This profile will be generated from the analysis of your behavioural and risk patterns, other internal sources as payment details, as well as from information obtained from external sources such as:

From your device: IP address, fingerprint, language settings, browser settings, time-zone, operating system, platform, screen resolution and other similar information related to device settings.

Public sources:

From CIR – Central insolventieregister, we obtain details on bankruptcy, suspension of payments and debt restructuring of natural persons, which are kept in the local registers of the various courts. All insolvency data published after 1 January 2005 can be consulted up to six months after the insolvency has ended.

You can find more information at the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx.

From the Centraal curatele en bewindregisters, we obtain information about whether an individual is under administration or guardianship to prevent unwanted agreements.

You can find more information at the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx

From Overlijdensregister, we verify your identity to avoid unwanted agreements and contacts. You can find more information at the following link: https://www.overlijdensregister.nl/ .

From other sources that provide us with non-personal information, including:

Here.com provides us with information related to your address: https://www.here.com/here-statement-gdpr.
Telecommunications companies provide us with anonymised information related to geographical behavioural mobile data.
OpenStreetMap provides us with information related to geographic data, such as street maps, to anyone.

In order to carry out this data processing activity, Openbank will process the following categories of personal data: identification data: name, surname, email address or mobile phone number, data related to arrears, solvency and debt history, pending payment orders, information about negative payment history and previous credit approvals and data on the goods and services purchased: data related to the product you purchase and to payment, other personal data obtained from the death register or related to personal circumstances, including whether an individual is under administration or guardianship to prevent unwanted agreements.

The legal basis of this data processing activity is your prior informed consent. We create these profiles with the aim of conducting an analysis related to your economic and personal characteristics, but not related to payments, based solely on the consultation of information from internal sources, in order to determine which of our own products and services are the best fit for your situation based on two variables: your willingness to take out the product and the probability of the transaction being approved. The creation of the profile will be the result of an automated decision, in which the following logic will be applied:

In relation to this data processing activity, you can withdraw the consent provided to Openbank at any time through the channels detailed Section 10 of this Privacy Policy.

It is important that you understand that this data processing activity is limited to the abovementioned purpose, which is to suugest You Openbank products and services based on data obtained from external sources.

Sending commercial communications in relation to products and services of third-party companies based on data obtained from internal and external sources.

Provided that you have given us your prior express consent to process your personal data, Openbank may send you personalised commercial communications about third-party products and services. These commercial communications may be made by automated and non-automated means (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other electronic or telematic means available at any time), and will take into account the analysis of your commercial profile.

We will send you commercial communications on products and services of third parties that operate in particular, but not limited to, in the following sectors: financial, insurance, leisure and tourism, entertainment, telecommunications, information society, retail, luxury, health, food, automotive, hospitality, department stores, energy, real estate, security services, among others.

This profile will be generated from the analysis of your behavioural and risk patterns. For instance, if the information we have about you shows that you enjoy technological products, we will send you commercial communications about products offered by companies in this sector. We also use other internal sources such as payments details, as well as from information obtained from external sources, as:

From your device: IP address, fingerprint, language settings, browser settings, time zone, operating system, platform, screen resolution and other similar information related to device settings.

Public sources:

From CIR – Central insolventieregister, we obtain details on bankruptcy, suspension of payments and debt restructuring of natural persons, which are kept in the local registers of the various courts. All insolvency data published after January 1, 2005 can be consulted up to six months after the insolvency has ended.

You can find more information at the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx

From the Centraal curatele en bewindregisters, we obtain information about whether an individual is under administration or guardianship to prevent unwanted agreements.

You can find more information at the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx

From Overlijdensregister, we verify your identity to avoid unwanted agreements and contacts. You can find more information at the following link: https://www.overlijdensregister.nl/ .

From other sources that provide us with non-personal information, including:

Here.com provides us with information related to your address: https://www.here.com/here-statement-gdpr.
Telecommunications companies and which provide us with anonymized information related to geographical behavioural mobile data.
OpenStreetMap provides us with information related to geographic data, such as street maps, to anyone.

In relation to this data processing activity, you can withdraw the consent provided to Openbank at any time through the channels detailed Section 10 of this Privacy Policy.

It is important that you understand that this data processing activity is limited to the abovementioned purpose, which is the recommendation of third-party products and services.

Transfer of data to other Santander Group companies for the purpose of sending commercial communications and promotional offers in relation to their products and services.

Provided that you have given us your consent to perform this data processing activity, Openbank may send your personal data to other companies of the Santander Group. The purpose of this transfer is to communicate the categories of your personal data detailed below in this clause to these Santander Group companies so that the latter can offer you their products and services that may be of interest.

The Santander Group companies to which we will communicate your personal data are those within the Santander Group of companies as defined in article 42 of the Spanish Commercial Code.

These commercial communications may be made by automated and non-automated means (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other electronic or telematic means available at any time), and will take into consideration the analysis of your Customer profile on the basis of information provided to these third parties.

This profile will be generated from the analysis of your behavioural and risk patterns, other internal sources such as payment details, as well as from information obtained from external sources, including:

From your device: IP address, fingerprint, language settings, browser settings, time zone, operating system, platform, screen resolution and other similar information related to device settings.

Public sources:

From CIR – Central insolventieregister: we obtain details on bankruptcy, suspension of payments and debt restructuring of natural persons, which are kept in the local registers of the various courts. All insolvency data published after 1 January 2005 can be consulted up to six months after the insolvency has ended.

You can find more information at the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx

From the Centraal curatele en bewindregisters: we obtain information about whether an individual is under administration or guardianship to prevent unwanted agreements.

You can find more information at the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventiereg…

From Overlijdensregister: we verify your identity to avoid unwanted agreements and contacts. You can find more information at the following link: https://www.overlijdensregister.nl/ .

From other sources that provide us with non-personal information, including:

Here.com provides us with information related to your address: https://www.here.com/here-statement-gdpr.
Telecommunications companies provide us with anonymised information related to geographical behavioral mobile data.
OpenStreetMap provides information related to geographic data, such as street maps, to anyone.

In relation to this data processing activity, you can withdraw the consent provided to Openbank at any time through the channels provided to do so in Section 10 of this Privacy Policy.

It is important that you understand that this data processing activity is limited to the abovementioned purpose, which is the recommendation of other Santander Group companies' products and services.

8. How long do we keep your personal data for?

We will process your data for as long as your contractual relationship with us remains in force. Following termination of said relationship, as a general rule, we will keep your data blocked, implementing technical and organisational measures necessary to prevent its processing, including its visibility, with the exception of making it available to judges and courts, the public prosecutor's office or public administrations and competent authorities where we are required to do so to fulfil potential responsibilities derived from the processing and only for the retention period under applicable consumer legislation.

This is without prejudice to our obligation to comply with the statutory limitation periods that can be inferred from any contract you have entered into with Openbank.

9. To whom will your personal data be communicated?

Authorities: To any third parties to whom we are legally obliged to provide information, such as public bodies, tax authorities, courts and tribunals.
Service providers and subcontractors: We will collaborate with third-party service providers which may have access to your personal data, and process them on our behalf, as a consequence of the services they provide us. We follow strict criteria when selecting our service providers in order to comply with the data protection requirements and obligations, and we undertake to sign the corresponding data processing agreements with them, whereby we will enforce, among others, the following obligations: to apply appropriate technical and organisational measures; to process the personal data for the agreed purposes and only in accordance with our documented instructions; and to delete or return to us the data once the provision of the services has been completed or terminated.

In particular, we will outsource the provision of services by third-party service providers from the following sectors, among others: logistics services, legal advice, private valuation services, supplier certification, multidisciplinary professional services companies, maintenance-related companies, technology service providers, IT service providers, instant messaging service providers, and call centre companies.

Debt collection companies: If you have a pending unpaid debt with us, we will share your data when we outsource collection of the debt through a third party, such as a debt collection company. The data shared with the debt collection agency is used to collect your overdue debts. They will process your data acting as a Controller under the GDPR, in accordance with its own privacy notice. Debt collection companies may report your unpaid debts to credit information bureaus or authorities, which may affect your creditworthiness and your ability to apply for future credit.

Fraud prevention service providers: We will share your data with Emailage Limited, a company we collaborate with to prevent fraud. Emailage also acts as a Controller for the processing of your personal data and will use it for the purposes established in its privacy policy. You can exercise your rights regarding data protection by contacting Emailage at: DPO@lexisnexisrisk.com.

Debt buyers: Upon transfer of your open debt to a buyer and continuously until you pay it off, we will share your personal data as well as information about the goods or services associated with the debt. The buyer will process your personal data in accordance with its own privacy notice, which you will be notified about when the debt is transferred.

Providers that access or process your data outside the European Union. We may transfer your data internationally within the framework of some of the abovementioned services offered by third-party providers. The purpose thereof will always be the maintenance and management of your contractual relationship with us or the prevention of fraudulent actions or transactions. These transfers are made both to countries that offer an adequate level of protection, comparable to that of the European Union, and also to countries without such a level. In the latter case, you do not have to worry. We use various mechanisms established by applicable regulations to comply with all safeguards when dealing with your personal data, such as standard contractual clauses or certification mechanisms. You can obtain more information about any international data transfers we perform by sending an email to privacy.nl@zinia.com.

10. Your data protection rights

You can exercise the following rights at any time:

Right of access: You have the right to obtain an answer to whether or not Openbank processes personal data relating to you and, if so, to access such data.
Right to data portability: You have the right to receive a copy of the personal data you have provided to us, in a readable, structured, commonly used format, and also to request the transfer to another institution.
Right to rectification: You have the right to request the correction of inaccurate data.
Right to erasure: You have the right to request the erasure of your data when, among other reasons, it is no longer necessary for the purposes for which you provided it to us.
Right to object: Under certain circumstances, you can object to the processing of your personal data. If you object, Openbank will stop processing the data, except where there are compelling legitimate reasons, or for the exercise or defense of possible claims.
Right to restriction of processing: Under certain circumstances laid down in applicable data protection law, you can request that the processing of your data be restricted.
Right to withdraw your consent: You have the right to, at any time and without providing any specific cause, to withdraw your previously given consent. The withdrawal of consent will not affect the lawfulness of the data processing carried out on the basis of that consent prior to its withdrawal.
The right not to be subject to exclusively automated decisions: In the event that you have consented to profiling and it is carried out through an exclusively automated process, you can request the intervention of one of our analysts, express your point of view and contest the decisions made on the basis of this profiling.

You can exercise the rights described above through the following channels:

• Website: via the "Personal data" section of the Customer Area;

• Email: privacy.nl@zinia.com ;

• Post: Privacy, Open Bank S.A., Plaza de Santa Bárbara 2, 28004 Madrid, Spain.

• Location: Plaza de Santa Bárbara 2, 28004 Madrid, Spain.

Lastly, you can submit a claim to Openbank and/or the Dutch Data Protection Authority (the supervisory authority competent in the field of data protection), in particular if you are not satisfied after exercising your rights, by writing to the above address or on the website www.aepd.es. If you live in a Member State other than the Netherlands, you can also contact your national data protection supervisory authority directly.

11. Keep your data up to date

To enable us to contact you, please ensure that all information you provide for our databases is true, complete, accurate and completely up-to-date.

If the personal information ou have provided, in particular your postal address, email address and telephone number (landline and mobile), we kindly ask you to immediately inform us through any of the channels listed in Section 10.

In the event that you do not notify us of such changes, you acknowledge and agree that all communications we send to the postal address or email address or to the contact telephone numbers appearing in our file systems are valid, binding and in full force and effect.

12. Cookies

At Openbank, we use cookies, among others, to be able to identify you when you log in to your Customer Area or personalise content that may be of interest to you based on your browsing habits.

When you visit the Openbank website, we will inform you about the cookies we use. You can also manage the analytics, advertising and preference cookies used when browsing website. You can read our Cookies Policy for more information.

13. Changes to the Privacy Policy

We are committed to keeping this Privacy Policy updated to reflect any new developments that occur in relation to the scope of the processing of your personal data we carry out. To this end, it is important that you take the time to read and understand it. We will notify you of any changes we need to make to this privacy policy by email.