Privacy Policy
1. Introduction and scope of application
The purpose of this privacy policy (hereinafter, the "Privacy Policy" or the "Policy"), in accordance with Regulation (EU) 679/2016 of 27 April 2016, approving the General Data Protection Regulation (hereinafter, the "GDPR") and other applicable implementing data protection legislation, is to regulate and provide information about the processing carried out by Open Bank, S.A. (hereinafter “Openbank” or “we”) of personal data of customers (hereinafter, “you” or the “Customer”) who register for the “Buy Now, Pay Later” service (hereinafter, the “Service“). The Service is run by Zinia (hereinafter, “Zinia”), a registered trademark of Openbank.
This Policy provides you with information about the categories of personal data we process, the means by which we obtain your personal data, the purposes for which we collect and process your personal data, the legitimate basis for such processing, the data recipients, the applicable data retention periods and the rights granted to you by the regulations in relation to your personal data.
Please take a few minutes to read and properly understand its contents. If you have any questions, please contact our Data Protection Officer, whose contact details can be found below.
2. Who is the Data Controller?
“Open Bank, S.A.”, operating through its registered trademark Zinia.
Business address: Plaza de Santa Bárbara 2, 28004 Madrid, Spain
Email address to contact the Data Protection Officer: privacy.nl@zinia.com
3. What information do we collect from you and how do we obtain it?
- Contact and identification data: first name and surname, invoicing and shipping address, mobile phone number, fingerprint, cookie ID, email address and country of residence.
- Economic, financial and insurance data: data related to the price of the goods you purchase, data related to the payment of your purchase (such as bank account, bank name and branch, or payment through IDEAL), data related to arrears, solvency and debt history, as well as to orders pending payment, and information about negative payment history and previous credit approvals.
- Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and tracking number.
- Device data: IP address, language settings, browser settings, time-zone, operating system, platform, screen resolution, log in through the different devices you use and other similar device settings.
- Data about your personal characteristics: date of birth, age, sex and nationality.
- Unique identifiers: data collected from cookie ID, device ID, fingerprint, recorded voice calls, chat conversations and email correspondence.
- Employment data: position and contact details of the contact persons acting as legal representatives of the businesses we collaborate with.
- Special categories of personal data: data that reveals information about health and information related to sanction lists.
- Data about politically exposed persons and sanction lists: sanction and PEP lists contain information such as the name, date of birth, place of birth, occupation or position of a person included on the respective list as well as why he or she features on it.
In addition to the above data that you provide us with directly through the various forms for requesting information or through your engagement of the Service, or that which we collect from third parties, including data we receive from the business where you make your purchase or credit reporting agencies, we will also process other data regarding you that we may obtain from internal sources, such as: (i) the data we obtain derived from the contractual relationship we have with you; (ii) the data we obtain as a result of your interaction through our website/app; and (iii) inferred data that we deduce and/or obtain from data that you have previously provided us with (e.g., when we create profiles).
4. Data processing activities we carry out
| Data processing activity | Purpose of the data processing activity. What we do and why | Categories of personal data processed | Legal basis for the data processing | Termination of the data processing purpose | |
|---|---|---|---|---|---|
| 1 | User/Customer registration management | Managing customer interactions in accordance with the terms and conditions of the Service, including registration and communication of relevant information.
| From you: Identification data: your contact details, such as your email address and phone number.
| Adequate execution and performance of the agreement you have entered into with Openbank for the provision of the Services, as per Article 6.1 (b) GDPR. | When the agreement between you and Openbank terminates. |
| 2 | Conducting a risk analysis on fraud prevention
| Analysis of potentially fraudulent activities as part of the user registration management in order to prevent registration applications that could be fraudulent (automated decision).
| From you: Identification data: your name, email address, invoicing and shipping address, and mobile phone number. Data related to your personal characteristics: date of birth. From third parties: profile information and other data from social media platforms and publicly available sources.
| Legitimate interest of Openbank in preventing fraudulent activities and protecting existing customers and its business, as per Article 6.1 (f) GDPR.
| When the fraud assessment is performed. |
| 3 | Data transfer to third parties for fraud prevention
| We will transfer your data to Emailage Ltd, to detect and prevent potential fraud attempts and to comply with the procedures, rights and guarantees that the current legislation establishes and recognises at all times. Emailage also acts as a controller when processing your personal data and will use it for the purposes established in its privacy policy. You can exercise your rights regarding data protection against Emailage at DPO@lexisnexisrisk.com | Identification data: personal data, such as name, email address, IP address and postal address.
Data about your personal characteristics: date of birth, age and sex.
| Legitimate interest of Openbank in preventing fraudulent activities and protecting existing customers and its business, as per Article 6.1 (f) GDPR. | When data are transferred to the third party. |
| 4 | Addressing enquiries and exercising data protection rights.
| Handling, managing and resolving requests relating to customers, interested parties and other data controllers exercising their GDPR rights, as well as complaints submitted directly by the data subject to Openbank or through the corresponding supervisory authorities.
| Identification data: your contact details, such as your email address and telephone number.
Data related to personal characteristics: your date of birth and sex. | As per article 6.1 (c) of GDPR, legal obligation of Openbank, as data controller, to comply with obligations set forth in Articles 15-22 of GDPR. | When data protection rights are exercised. |
| 5 | Debt collection | Managing the collection of Customers debts with Openbank. | Contact and identification data: first name and surname, invoicing and shipping address, mobile phone number and email address. Economic, financial and insurance data: data related to the price of the goods you purchase and data related to arrears, solvency and debt history, as well as to orders pending payment. Data on the goods and services acquired: data related to the product you purchase, such as item, model, price and tracking number. Data related to personal characteristics: date of birth and sex.
| Adequate execution and performance of the agreement you have entered into with Openbank for the provision of the Services, as per Article 6.1 (b) GDPR. | When you pay the debt you have with Openbank. |
| 6 | Selling debt portfolio | Selling the debt portfolio of Openbank Customers to third-party companies in order to obtain a return from debt defaults. | Contact and identification data: first name and surname, invoicing and shipping address, mobile phone number and email address. Economic, financial and insurance data: data related to the price of the goods you purchase and data related to arrears, solvency and debt history, as well as to orders pending payment. Data on the goods and services acquired: data related to the product you purchase, such as item, model, price and delivery tracking number. Data related to personal characteristics: date of birth and sex. | Legitimate interest of Openbank in managing the debt portfolio of Customers and selling it to third parties in order to obtain a financial benefit, as per Article 6.1(f) GDPR. | When we transfer the outstanding debt to third-party companies. |
| 7 | Financial data processing
| Maintenance of accounting and administrative procedures provided for in the accounting regulations and to comply with the applicable laws in force. Generation of reports and/or communications on personal data to the different supervisory bodies (Bank of Spain). Archiving and accounting in accordance with the accounting regulations. | Contact and identification data: first name and surname, invoicing and shipping address, mobile phone number and email address. Economic, financial and insurance data: data related to the price of the goods you purchase and data related to arrears, solvency and debt history, as well as to orders pending payment. Data on the goods and services acquired: data related to the product you purchase, such as item, model, price and delivery tracking number. Data related to your personal characteristics: date of birth and sex. | As per Article 6.1 (c) of GDPR, legal obligation of Openbank to keep accounting and administrative records and to comply with reporting obligations with the corresponding financial and anti-money laundering supervisory authorities, as per Spanish Law 44/2002 of the Financial System and Spanish Law 10/2010 for the prevention of money laundering and terrorism financing. | When the agreement between you and Openbank terminates. |
| 8 | Transfer of data from the business where you make a purchase to Openbank and invoice purchase approval for execution of the agreement. See Section 6 for further information.
| The business’ right to charge you for your purchase is transferred to Openbank (sale of the invoice).
Approval of customer registration based on a buy-now-pay-later credit analysis relating to the creditworthiness of a potential customer based solely on automated decisions to approve the buying and selling of the invoice. | From you:
Identification data: your contact details such as email address and telephone number.
Internal data related to previous 'buy now, pay later' applications.
From other sources: Economic, financial and insurance data: data related to arrears, solvency, and debt history, pending payment order, information about negative payment history and previous credit approvals.
From the shop where you make your purchase: Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number.
Device data: IP address, fingerprint, language settings, browser settings, time zone, operating system, platform, screen resolution and other similar information related to device settings.
Data related to personal characteristics: data of birth.
Data obtained from external sources:
Experian databases: we obtain external information to ensure that consumers take out credit that suits their financial situation and circumstances. The information is collected from different sources such as: negative registrations from telcos, e-commerce businesses, utilities and debt collection agencies (DCA), bankruptcies as well as Natural Persons Debt Restructuring Act (WSNP) registrations, or information that comes from Experian customers. You can obtain more information at: https://www.experian.nl/consumenten-informatie/privacyverklaring-consumenten Public sources: From CIR – Central Insolventieregister [Central Insolvency Register]: we obtain details of bankruptcies, suspension of payments and debt restructuring of natural persons, which are kept in the local registers of the various courts. All insolvency data published after 1 January 2005 can be consulted up to six months after the insolvency has ended. You can find more information via the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx
From the Centraal curatele en bewindregisters, we check whether an individual is under administration or guardianship to prevent unwanted agreements. You can find more information via the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx From Overlijdensregister, we verify your identity to avoid unwanted agreements and contacts. You can find more information via the following link: https://www.overlijdensregister.nl/ .
You can find more information about Post NL at https://www.postnl.nl/;
Messagebird at: https://www.messagebird.com/legal/privacy; and
Kadaster at: https://www.kadaster.com/privacy.
| Adequate execution and performance of the agreement you have entered into with Openbank for the provision of the Services, as per Article 6.1 (b) GDPR. | When the purchase takes place.
|
| 9 | Phone and email address validation.
| Data processing to confirm the phone number and email address provided, check if the data provided are correct and to ensure the quality of the data. | Identification data: your email address or phone number. | Adequate execution and performance of the agreement you have entered into with Openbank for the provision of the Services, as per Article 6.1 (b) GDPR. | When the validation is concluded. |
| 10 | Sending of communications for fraud-prevention purposes
| During the contract formalisation process and after you have completed the process and have become an Openbank Customer, we will send you communications in order to verify your identity or to prevent fraudulent attempts or detected fraudulent activities. | Identification data: name, surname and email address. | Legitimate interest of Openbank in preventing fraudulent activities and protecting existing customers and its business, as per Article 6.1 (f) GDPR. | When the agreement between you and Openbank terminates. |
| 11 | Customer satisfaction surveys and market research
| Calls to Customers to conduct satisfaction and other surveys, market research and internal statistics to prepare commercial reports to better understand the consumption habits of our Customers; thereby allowing us to internally assess the design, creation and improvement of new products that may be of interest to our Customers or to reach commercial agreements with third parties. | Identification data: first name, surname, email address and mobile phone number. Economic, financial and insurance data: data related to the purchase. Data on the goods and services acquired: data related to the product you purchase, such as item, model, price and delivery tracking number. | Legitimate interest of Openbank in using the data obtained through surveys, market research, internal statistics or commercial reports to improve our products and the provision of services for customers, as per Article 6.1 (f) GDPR. | When the agreement between you and Openbank terminates. |
| 12 | Ensuring network and service information security
| Ensuring the security of Openbank’s network and information. The processing is necessary to achieve the specific purpose. The legitimate interest takes precedence over a Customer’s right to oppose it. | Identification data: unique identifier Data related to the contractual relationship. | Legitimate interest of Openbank in protecting its network and information security system to protect its business and services, as per Article 6.1 (f) GDPR. | When the agreement between you and Openbank terminates. |
| 13 | Processing of vulnerable Customer data regarding disability
| Only if you have asked us to do so and based on your prior informed consent, we will process data relating to your disability or situation of vulnerability in order to provide you with the Service adapted to your personal needs and circumstances. For example, if you have a hearing or visual impairment, we can arrange for special assistance if so required. | Identification data: first name, surname and email address. Special categories of personal data: health related data. | Prior informed consent obtained from you, as per Article 6.1 (a) GDPR. | When the agreement between you and Openbank terminates. |
| 14 | Personal data anonymisation.
| Anonymisation of your personal data in order to enhance our Services and products and to analyse consumer behaviour, create statistics and reports for market analysis or the analysis of payment tendencies or volumes in certain regions or industries and for the development and testing of products. The purpose of the foregoing is to enhance our risk and credit models and to design our Services (if possible, we will first anonymise the data prior to carrying out such activities, to ensure that no personal data will be subsequently processed). | Contact and identification data: first name and surname, invoicing and shipping address, mobile phone number and email address. Economic, financial and insurance data: data related to the price of the goods you purchase and data related to arrears, solvency and debt history, as well as to orders pending payment. Data on the goods and services acquired: data related to the product you purchase, such as item, model, price and delivery tracking number. Data related to your personal characteristics: date of birth and sex.
| Legitimate interest of Openbank in using customers’ anonymised data to improve our products and the provision of Services for Customers, as per Article 6.1 (f) GDPR. | When the agreement between you and Openbank terminates. |
| 15 | Sending of marketing about Openbank products
| Sending of marketing through various means, including electronic means, with information on Openbank products and services based on customer segmentation. For further info, please see Section 7 of this Policy. | Identification data: first name, surname, email address or mobile phone. Economic, financial and insurance data: data related to arrears, solvency and debt history, as well as to orders pending payment. Information about negative payment history and previous credit approvals. Data on the goods and services acquired: data related to the product you purchase.
| Legitimate interest of Openbank in keeping its Customers updated about products and services that may be of interest to them based on previous products and services acquired, as per Article 6.1 (f) GDPR. | When the agreement between you and Openbank terminates. |
16
| Profiling activities with internal sources to understand which of our products and services could be of interest to you in order to, at a later stage, offer you those products and send you marketing about them
| Analysis and profiling related to your economic and personal characteristics, based solely on the consultation of information from internal sources, in order to determine which of our own products and services best suit you and/or your interests based on two variables: your predisposition to acquire the product and the probability of approving the transaction for you. For further info, please see Section 7 of this Policy. | Identification data: name, surname, email address or mobile phone number.
Economic, financial and insurance data: data related to arrears, solvency and debt history, pending payment orders. Information about negative payment history and previous credit approvals.
Data on the goods and services purchased: data related to the product you purchase.
| Legitimate interest of Openbank in promoting and offering its products and services to its customers; in particular, those adapted to its customers' personal characteristics - communications as per article 6.1f) GDPR.
| When the contract between You and Openbank terminates. |
17
| Profiling with internal data and external data to decide which type of marketing of third-party products we offer
| Analysis and profiling related to your economic and personal characteristics, based solely on the consultation of information from internal and external sources, in order to determine which third-party products and services are the best fit for you. For further info, please see Section 7 of this Policy.
| From you and from external sources:
Identification data: name, surname, email address or mobile phone number.
Economic, financial and insurance data: data related to arrears, solvency and debt history, pending payment orders, information about negative payment history and previous credit approvals.
Data on the goods and services purchased: data related to the product you purchase and data related to payment, other personal data such as information obtained from the death register or related to personal circumstances, such as information about whether an individual is under administration or guardianship to prevent unwanted agreements. For further info, please see Section 7 of this Policy.
| Prior informed consent obtained from you, as per Article 6.1 (a) GDPR. | When you withdraw your consent. |
18
| Profiling with internal and external data to decide which type of marketing we carry out regarding our products
| Profiling you with internal and external sources to send you marketing about Openbank products. For further info, please see Section 7 of this Policy. | Data obtained from you and external sources: Identification data: name, surname, email address or mobile phone number.
Economic, financial and insurance data: data related to arrears, solvency and debt history, pending payment orders, information about negative payment history and previous credit approvals.
Data on the goods and services purchased: data related to the product you purchase and data related to payment, other personal data such as information obtained from the death register or related to personal circumstances such as information about whether an individual is under administration or guardianship to prevent unwanted agreements.
For further info, please see Section 7 of this Policy.
| Prior informed consent obtained from you, as per Article 6.1 (a) GDPR. | When you withdraw your consent.
|
| 19 | Data transfer to other entities within the Banco Santander Group for marketing purposes | Transferring customer data to other companies within the Banco Santander Group, as per the definition of “group of companies” provided for in Article 42 of the Spanish Code of Commerce, which can be found here, so those companies can send you marketing about their products and services through various means (including electronic). For further info, please see Section 7 of this Policy. | Data obtained from you and from external sources
Identification data: name, surname, mail address or mobile phone.
Economic, financial and insurance data: data related to arrears, solvency and debt history, pending payment orders, information about negative payment history and previous credit approvals. Data on the goods and services purchased: data related to the product you purchase and data related to payment, other personal data such as information obtained from the death register or related to personal circumstances such as information about whether an individual is under administration or guardianship to prevent unwanted agreements.
For further info, please see Section 7 of this Policy. | Prior informed consent obtained from you, as per Article 6.1 (a) GDPR. | When you withdraw your consent. |
| 20 | Profiling with internal and external data relating to behaviour and fraud scoring
| Profiling interested parties with information obtained from both internal and external sources in order to analyse the behaviour of the customer and to prevent possible fraudulent situations. | From you: Identification data: your name and email address. From third parties: | Prior informed consent obtained from you, as per Article 6.1 (a) GDPR. | When the agreement between you and Openbank terminates. |
| 21 | Legal, administrative and judicial complaints
| To handle the complaints of different parties according to the service provided. | Contact and identification data: first name and surname, invoicing and shipping address, mobile phone number and email address. Economic, financial and insurance data: data related to the price of the goods you purchase and to arrears, solvency and debt history, as well as to orders pending payment. Data on the goods and services purchased: data related to the products you purchase, such as item, model, price and delivery tracking number. Data about your personal characteristics: date of birth and sex. | Legal obligation, as per 6.1 (c) of GDPR. | When the complaint has been handled. |
| 22 | Customer service for calls from users
| Answering calls made to customer services, managing and resolving all inquiries made. | Contact and identification data: first name and surname, invoicing and shipping address, mobile phone number and email address. Economic, financial and insurance data: data related to the price of the goods you purchase and to arrears, solvency and debt history, as well as to orders pending payment. Data on the goods and services purchased: data related to the products you purchase, such as item, model, price and delivery tracking number. Data about your personal characteristics: sex. | Legal obligation, as per Article 6.1 (c) of GDPR, in connection with legal obligations set forth in Spanish Law 44/2002 of the Financial System and Order ECO/734/2004 of 11 March, regulating customer services in financial entities. | When the call has been handled. |
| 23 | Legal/contractual communications
| Sending communications to Customers in order to provide accurate and updated information regarding their relationship, such as amendments to the Terms and Conditions or the Privacy Policy, account closing, refund, payment letters. | Identification data: name, surname, email address and mobile phone number.
Economic, financial and insurance data: data related to the contractual relationship. | Adequate execution and performance of the agreement you have entered into with Openbank for the provision of the Services, as per Article 6.1 (b) GDPR.
Legal obligation to keep our customers updated of any changes in the T&Cs governing the Services relating to this Privacy Policy, as per Article 6.1 (c) GDPR | When the agreement between you and Openbank terminates. |
| 24 | Debt payment with different payment methods
| Payment of the debt by the Customer. | Identification data: name and surname, economic, financial and insurance data, bank account, bank name and branch, or payment through IDEAL. | Adequate execution and performance of the agreement you have entered into with Openbank for the provision of the Service, as per Article 6.1 (b) GDPR. | When you pay off the debt. |
| 25 | Call recording.
| Recording and safekeeping of telephone calls and communication registers thorough different means provided for this purpose. | Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address.
Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders.
Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number.
Data about your personal characteristics: voice, date of birth, and sex.
| Adequate execution and performance of the agreement you have entered into with Openbank for the provision of the Service, as per Article 6.1 (b) GDPR. | When the telephone call between you and Openbank terminates. |
| 26 | Quality and service metrics.
| Conducting quality metrics to better understand the quality level reached during the provision of the services and, thus, be able to internally assess quality standards and improvements to be made.
| Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address.
Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders.
Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number.
Data about your personal characteristics: sex.
| Legitimate interest of Openbank in measuring its quality standards to improve products and the provision of Services to customers, as per Article 6.1 (f) GDPR. | When the agreement between you and Openbank terminates. |
| 27 | Complaints related to the products acquired
| Management of your complaints relating to the product acquired, as well as coordinating complaints with the business where you made your purchase.
| Contact and identification data: name and surname, billing and shipping address, mobile phone number, email address.
Economic, financial and insurance data: data related to the price of the goods you purchase, data related to arrears, solvency and debt history, pending payment orders.
Data on the goods and services purchased: data related to the product you purchase, such as item, model, price and delivery tracking number.
Data about your personal characteristics: date of birth, and sex.
| Legal obligation to handle and manage complaints received from customers, as per Article 6.1 (c) GDPR. | When the complaint has been handled. |
| 28 | Identity validation | Data processing to confirm your identity and to check whether the data that you have provided us are correct. You must confirm your email address and mobile phone number entering a code that is sent to you. | Identification data: mobile phone number and email. | Legal obligation, as per Article 6.1 (c) GDPR. Article 5 (d) GDPR, principle of accuracy.
| When we validate your data. |
| 29 | Respond to your requests on social media. | When you use our social media, we will process your data to respond to your requests and to analyse your interactions with Zinia | Identification data: Information related to your social media profile and email address. | Our legitimate interest in properly handling the requests you send us on social media, as well as in offering the Services in a simple and efficient manner and adapting our products in a way that meets your needs and expectations, as per Article 6.1 (f) GDPR. | When the request between you and Openbank is resolved. |
| 30 | Control and compliance audits | Data processing related to the execution of the compliance verification controls implemented internally, as well as in the framework of different audits. | Any data about you that we may have access to. | Our legitimate interest in verifying the suitability and adequacy of our processes in order to comply with legal obligations and internal quality standards for the identification, control and mitigation of legal or operational risks. Keep in mind that this information may be accessed by third-party companies that provide the auditing service for these purposes. | When the control or the compliance audit terminates. |
| 31 | Prevent money laundering or terrorist financing Openbank (includes automated decision-making) | Verifying information provided to prevent criminal activities.
Verifying that the end-user of the Service, or the individual acting as the legal representative or proxy of a business, is a publicly or politically exposed person and if so, applying enhanced measures of due diligence in the business relationships or operations that we carry out with you. | From you: name, surname, date of birth, nationality and country of residence. From other sources: information form external sanction lists and PEPs lists. | Comply with the regulation:
Article 6.1 (c) of the General Data Protection Regulation (GDPR).
Law 10/2010, on the Prevention of Money Laundering and Terrorist Financing, and Royal Decree 304/2014 of 5 May, approving the Regulations of Law 10/2010.
| When the agreement between you and Openbank terminates or, in the case of proxies and legal representatives, when you stop representing them. |
| 32 | Processing details of proxies or representatives of legal entities or related to self-employed professionals | If you are self-employed or represent a business that is interested in collaborating with us, we will process your contact details, as well as those relating to the position you hold, and, in general, the data necessary to contact you. Under no circumstance will we use the personal data we hold to establish a relationship with you on an individual level. | Contact and identification data: name and surname, mobile phone number, email address. | Adequate execution and performance of the agreement with the businesses we collaborate with, as per Article 6.1 (f) GDPR. | When the agreement between the business and Openbank terminates or when you stop acting as a representative of the company. |
In addition to the information provided in the table above relating to all the data processing activities we carry out, a more detailed explanation is provided below of some the processing activities we consider particularly relevant, including, where applicable, information about external data sources, the logic involved in automated data processing and the potential consequences of such processing.
5. Fraud prevention
We have the obligation and aim to avoid fraud and to protect you and all our customers against possible fraudulent actions.
To this end, when you request the Service, we will use automated decision-making that significantly affects you. This means that profiling is performed based on the automated processing of your data before the decision is made. Such profiling is carried out to evaluate the information provided during your application in order to make the decision on whether or not to grant credit, or to assess whether your use of our Services involves a risk of fraud. We profile your user behaviour using specialised fraud-prevention tools and compare these data on behaviours and conditions with our internally established risk criteria.
The consequence of these automated decisions for you is that, based on the analysis carried out, we will decide if we are able to preliminarily approve your application to use the Service. We use the data you provide, as well as data from external sources and Openbank’s own internal information, which includes information we have about you including data on your previous use of our Services and on the device you use to request it.
We decide whether or not you pose a risk of fraud based on whether or not our processing shows that your behaviour indicates possible fraudulent conduct, that your behaviour is not consistent with your previous use of our Services, or that you have attempted to conceal your true identity. Automated decisions, whereby we assess whether or not you constitute a fraud risk, are based on information you have provided, data from fraud prevention tools and service providers that we use and collaborate with, as well as Openbank’s own internal information.
The personal data categories used in each decision are set out in Section 4. See Section 9 for more information about whom we share information with as regards profiling during automated decisions.
If you are not approved in the automated decision-making process mentioned in this section, you will not have access to the Service. We have several control mechanisms in place to ensure that our automated decision-making is appropriate. These mechanisms include ongoing testing and reviewing of our decision models and detailed documentation of rejected applications and the reasoning behind them. If you have any concern about the outcome, you can contact us, and one of our analysts will intervene to determine whether or not the procedure was performed appropriately. You can also object in accordance with the following instructions:
Under data protection legislation, you have the right to object to any automated decision with legal consequences or decisions that can otherwise significantly affect you. In this case, you can do so by sending an email to privacy.nl@zinia.com. Upon receiving your request, we will proceed to review the decision made, taking into account any additional information and circumstances that you may provide.
6. Transfer of data from the business where you make the purchase to Openbank and invoice purchase approval for execution of the agreement.
When you request the Service, we need to process the personal data provided directly by you or from the business where you are making your purchase, or those collected by Openbank from external sources, such as third parties, and publicly available sources. The personal data categories used in each decision are set out in Section 4.
We process your data to analyse the sale of the invoice, as well as to manage the derived contractual obligations, in order to maintain the contractual relationship we have with you and to send you marketing related to the corresponding products. Additionally, the processing helps us assess your solvency and predict if you can afford the payment of the goods purchased in order to prevent possible debt default.
The logic behind the analysis we carry out to approve the sale of the invoice is based on the analysis of the information that you have provided us, such as your purchase history and payments, together with the external sources listed in Section 4, which provide us with information relating to your identity and financial situation. The aforementioned data and the analytical properties of our risk models enable us to automatically infer if you would be able to afford the payment of the buy-now-pay-later product, which consequently allows us to approve or reject your request.
If we reject your request, you have the right to request an explanation about the decision made exercise your right to not be subject to exclusively automated decisions, by requesting the intervention of one of our analysts, express your point of view and to challenge the decisions made on the basis of this profiling.
7. Commercial and marketing communications
As part of the aforementioned data processing activities, we will process your personal data for marketing purposes. The scope and purpose of such data processing, as well as the legal basis for them and the categories of personal data processed, are set out below in greater detail:
- Sending marketing about our own products and services, and those related to the purpose of the agreement corresponding to legitimate interest (direct marketing).
Once you sign up to our Services, your personal data will be used to send you marketing about our own products and services, as well as those relating to the ones you have already signed up to (email, web push, pop-up or any other electronic or telematic means available). This marketing will be personalised via information extracted from our internal sources and will be used to create profiles generated from your behaviour patterns.
The purpose of creating said profiles is to be able to perform an analysis relating to your economic and personal characteristics, but not related to payments, based solely on the consultation of information from internal sources in order to determine which of our own products and services, as well as those relating to the acquisition, best suit you based on two variables: your predisposition to acquire the product and the probability of approving the transaction for you. The creation of the profile will be the result of an automated decision in which the following logic will be applied:
We will process the information you provide in order to determine your payment behaviour and the customer segment or segments to which you belong - according to our internal classification criteria- and the periodic fulfilment of your contractual obligations. This may lead us to make the decision to not offer you certain products or services, according to the risk estimated by the entity and the scoring obtained from the analysis of the information we have about you. For example, if you already have debt with us, we will not offer you other products which may increase your insolvency.
In addition, we will process your personal data to analyse your behaviour regarding the impact and success of our marketing campaigns.
In order to carry out these data processing activities, Openbank will process the following categories of personal data: identification data: first name, surname, email address or mobile phone number, and data related to arrears, solvency and debt history, as well as to orders pending payment. Information about any previous negative payment history you have had with us or previous credit approvals, and data on the goods and services purchased: data related to the product you purchase.
The legal basis for these data processing activities is the legitimate interest of Openbank in promoting and offering you our products and services through the sending of marketing either of a general nature or adapted to your personal characteristics.
The prevailing interest of Openbank in carrying out this data processing is to maintain our relationship with you by suggesting new products and improving the conditions of the products and/or services you have already taken out or engaged, as well as offering you information on products that may be interesting to you.
Openbank considers that the above-mentioned personal processing activities are not an impediment to the normal exercise of your rights and freedoms, as they are considered standard practices within the business sector, and we therefore understand that the receipt of this type of marketing falls within your reasonable expectations. We are also committed to using the least intrusive means possible for conducting such data processing activities.
These data processing activities will continue for as long as your agreement with Openbank remains in force or you object to them through any of the channels mentioned in Section 10 of this Privacy Policy.
- Sending marketing about our own products and services consulting internal and external sources.
Provided that you have given us your prior express consent to perform this data processing activitiy, Openbank may send you personalised marketing about its own products and services, for as long as our contractual relationship remains in force. This marketing may be made by automated and non-automated means (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into consideration the analysis of your commercial profile.
This profile will be generated from the analysis of your behavioural and risk patterns, other internal sources, such as payments details, as well as information obtained from external sources, including:
From your device: IP address, fingerprint, language settings, browser settings, time-zone, operating system, platform, screen resolution and other similar information related to device settings.
Public sources:
- From CIR – Central insolventieregister: we obtain details on bankruptcy, suspension of payments and debt restructuring of natural persons, which are kept in the local registers of the various courts. All insolvency data published after 1 January 2005 can be consulted up to six months after the insolvency has ended
You can find more information via the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx.
- From the Centraal curatele en bewindregisters, we obtain information about whether an individual is under administration or guardianship to prevent unfavourable agreements.
You can find more information via the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx
- From Overlijdensregister,we verify your identity to avoid unfavourable agreements and contracts. You can find more information via the following link: https://www.overlijdensregister.nl/ .
From other sources that provide us with non-personal information, including:
- Here.com provides us with information related to your address: https://www.here.com/here-statement-gdpr.
- Telecommunications companies provide us with anonymised information related to geographical behavioural mobile data.
- OpenStreetMap provides us with information related to geographic data, such as street maps, to anyone.
In order to carry out this data processing activity, Openbank will process the following categories of personal data: identification data: first name, surname, email address or mobile phone; data related to arrears, solvency and debt history, as well as to orders pending payment; information about negative payment history and previous credit approvals; and data on the goods and services purchased: data related to the products you purchase and payments; other personal data obtained from a death register or related to personal circumstances we have knowledge of regarding whether or not an individual is under administration or guardianship to prevent unfavourable agreements.
The legal basis of this data processing activity is having obtained your prior informed consent. The objective we pursue with the creation of these profiles is to be able to carry out an analysis of your economic and personal characteristics, in order to determine which of the products marketed by this entity best suit you based on two variables: your predisposition to acquire the product and the probability of approving the transaction for you. The creation of the profile will be the result of an automated decision, in which the following logic will be applied:
We will process the information you provide in order to determine your payment behaviour, the customer segment or segments to which you belong - according to our internal classification criteria- and the periodic fulfilment of your contractual obligations. This activity may lead us to make the decision to not offer you certain products or services, according to the risk estimated by the entity and the rating that results from the analysis of the information obtained. For example, if we obtain information from external sources that indicates you are bankrupt, we will not offer you any products which will increase your insolvency.
In relation to this data processing activity, you can withdraw the consent provided to Openbank at any time through the channels mentioned in Section 10 of this Privacy Policy.
It is important that you understand that this data processing is limited to the above-mentioned purpose, namely, suggesting Openbank products and services based on data obtained from external sources.
- Sending marketing about third-party products and services based on data obtained from internal and external sources.
Provided that you have given us your consent to perform this data processing activity, Openbank may send you personalised marketing about the products and services of third parties. This marketing may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other electronic or telematic means available at any time), and will take into account the analysis of your commercial profile.
We will send you marketing about products and services of third parties that undertake their business activity particularly in, but not limited to, the following sectors: financial, insurance, leisure and tourism, entertainment, telecommunications, information society, retail, luxury, health, food, automotive, hospitality, department stores, energy, real estate, security services, among others.
This profile will be generated from the analysis of your behavioural and risk patterns. For instance, if the information we have about you shows that you enjoy tech products, we will send you marketing about products offered by companies in this sector. We also use other internal sources, such as payments details, as well as information obtained from external sources, including:
From your device: IP address, fingerprint, language settings, browser settings, time-zone, operating system, platform, screen resolution and other similar information related to device settings.
Public sources:
- From CIR – Central insolventieregister, we obtain details on bankruptcy, suspension of payments and debt restructuring of natural persons, which are kept in the local registers of the various courts. All insolvency data published after 1 January 2005 can be consulted up to six months after the insolvency has ended.
You can find more information via the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx
- From the Centraal curatele en bewindregisters, we obtain information about whether an individual is under administration or guardianship to prevent unfavourable agreements.
You can find more information via the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx
- From Overlijdensregister, we verify your identity to avoid unfavourable agreements and contracts: https://www.overlijdensregister.nl/ .
From other sources that provide us with non-personal information, including:
- Here.com provides us with information related to your address: https://www.here.com/here-statement-gdpr.
- Telecommunications companies and which provide us with anonymised information related to geographical behavioural mobile data.
- OpenStreetMap provides us with information related to geographic data, such as street maps, to anyone.
In order to carry out this data processing activity, Openbank will process the following categories of personal data: identification data: first name, surname, email address or mobile phone; data related to arrears, solvency and debt history, as well as to orders pending payment; information about negative payment history and previous credit approvals; and data on the goods and services purchased: data related to the products you purchase and to payments; other personal data obtained from a death register or related to personal circumstances we have knowledge of regarding whether or not an individual is under administration or guardianship to prevent unfavourable agreements.
The legal basis of this data processing is having obtained tour prior informed consent. The objective we pursue with the creation of these profiles is to be able to carry out an analysis of your economic and personal characteristics, in order to determine which of the products marketed by those third parties companies that best suit you based on two variables: your predisposition to acquire the product and the probability of approving the transaction for you. The creation of the profile will be the result of an automated decision, in which the following logic will be applied:
We will process the information you provide in order to determine your payment behaviour, the customer segment or segments to which you belong - according to our internal classification criteria- and the periodic fulfilment of your contractual obligations. This may lead us to make the decision to not offer you certain products or services, according to the risk estimated by the entity and the rating that results from the analysis of the information obtained.
In relation to this data processing activity, you can withdraw the consent provided to Openbank at any time through the channels mentioned in Section 10 of this Privacy Policy.
It is important that you understand that this data processing activity is limited to the above-mentioned purpose, which is suggesting the products and services of third parties.
- Transfer of data to other Santander Group companies for sending marketing and promotions regarding their products and services.
Provided that you have given us your consent to perform this data processing activity, Openbank may transfer your personal data to other companies of the Santander Group. The purpose of this transfer is to be able to communicate the categories of your personal data, set out below in this clause, to these Santander Group companies in order to allow them to offer you their products and services that may be of interest to you.
The Santander Group companies with which we will share your personal data are those within the Santander Group of companies (according to the definition of “group of companies” provided for in Article 42 of the Spanish Code of Commerce). You can see which companies are within the Santander Group of companies here.
This marketing may be made by automated and non-automated means (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into consideration the analysis of your customer profile, according to the information provided to these third parties.
This profile will be generated from the analysis of your behavioural and risk patterns, other internal sources, such as payment details, and information obtained from external sources, including:
From your device: IP address, fingerprint, language settings, browser settings, time-zone, operating system, platform, screen resolution and other similar information related to device settings.
Public sources:
- From CIR – Central insolventieregister: we obtain details on bankruptcy, suspension of payments and debt restructuring of natural persons, which are kept in the local registers of the various courts. All insolvency data published after 1 January 2005 can be consulted up to six months after the insolvency has ended.
You can find more information via the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventieregister.aspx
- From the Centraal curatele en bewindregisters: we obtain information about whether an individual is under administration or guardianship to prevent unfavourable agreements.
You can find more information via the following link: https://www.rechtspraak.nl/Registers/paginas/toelichting-insolventiereg…
- From Overlijdensregister: we verify your identity to avoid unfavourable agreements and contracts: https://www.overlijdensregister.nl/.
From other sources that provide us with non-personal information, including:
- Here.com provides us with information related to your address: https://www.here.com/here-statement-gdpr.
- Telecommunications companies provide us with anonymised information related to geographical behavioral mobile data.
- OpenStreetMap provides information related to geographic data, such as street maps, to anyone.
In order to carry out this data processing activity, Openbank will process the following categories of personal data: identification data: first name, surname, email address or mobile phone; data related to arrears, solvency and debt history, as well as to orders pending payment; information about negative payment history and previous credit approvals; and data on the goods and services purchased: data related to the products you purchase and to payments; other personal data obtained from a death register or related to personal circumstances we have knowledge of regarding whether or not an individual is under administration or guardianship to prevent unfavourable agreements.
In relation to this data processing activity, you can withdraw the consent provided to Openbank at any time through the channels mentioned in Section 10 of this Privacy Policy.
It is important that you understand that this data processing activity is limited to the above-mentioned purpose, which is suggesting other products and services of Santander Group companies.
8. How long do we keep your personal data for?
Openbank will keep your data for as long as required to undertake the purpose for which they were collected and, subsequently, they will be blocked for the corresponding retention period provided for by law or as per the statute of limitations. After these periods, where applicable, Openbank will destroy or completely anonymise the data.
The blocking of your data implies Openbank refraining from carrying out any processing of your data. However, your data will be retained for the purpose of making them available to the competent public administrations, judges, courts and tribunals or the Public Prosecutor's Office in relation to any liability that may arise from the contractual relationship held with you or relating to the processing of such data.
Furthermore, if you are a customer, we will process your data until your contractual relationship with Openbank terminates. After said termination, as a general rule, we will keep your personal data blocked. Please note that some actions provided for by consumer law, such as injunctions or actions for declaration of nullity, are not subject to any statute of limitations.
9. Who will your personal data be shared with?
- Authorities: to those third parties to whom we are legally obliged to provide information, such as public bodies, tax authorities, courts and tribunals.
- Service providers and subcontractors: we will collaborate with third-party service providers which may have access to your personal data, and process them on our behalf, as a consequence of the services they provide us. We follow strict criteria in selecting our service providers so as to comply with the corresponding data protection requirements and obligations, and we undertake to sign the corresponding data processing agreements with them, whereby we will impose them, among others, the following obligations: to apply appropriate technical and organisational measures; to process the personal data for the agreed purposes and only in accordance with our documented instructions; and to delete or return to us the data once the provision of the services has been completed or terminated.
In particular, we will outsource the provision of services by third-party service providers which are part of the following sectors, among others: logistic services, legal advice, private valuation services, supplier certification, multidisciplinary professional service companies, maintenance-related companies, technology service providers, IT service providers, instant messaging service providers, and call centre companies.
- Debt collection agencies: in the event you have a pending unpaid debt with us, we will share your data when we outsource collection of such debt to a third party, such as a debt collection agency. The data shared with the debt collection agency is used to collect your overdue debt. The agency will process your data acting as a controller under the GDPR and in accordance with its own privacy notice. Debt collection agencies may report your unpaid debts to credit information bureaus or authorities, which may affect your creditworthiness and your ability to apply for future credit.
- Fraud prevention service providers: we will share your data with Emailage Limited, a company we collaborate with to prevent fraud. Emailage also acts as a controller for the processing of your personal data and will use it for the purposes established in its privacy policy. You can exercise your data protection rights as regards Emailage by sending an email to: DPO@lexisnexisrisk.com.
- Debt buyers: Upon transfer of your open debt to a buyer and continuously until you pay it off, we will share your personal data as well as information about the goods or services associated with the debt. The buyer will process your personal data in accordance with its own privacy notice, which you will be notified about when the debt is transferred.
- Providers that access or process your data outside the European Union: we may transfer your data internationally within the framework of some of the above-mentioned services offered by third-party providers. The purpose thereof will always be the maintenance and management of the contractual relationship you have with us or the prevention of fraudulent actions or transactions. These transfers are made both to countries that offer an adequate level of protection, comparable to that of the European Union, and also to countries without such a level. In the latter case, we use several mechanisms established by applicable regulations to comply with all safeguards when dealing with your personal data, such as standard contractual clauses or certification mechanisms. You can obtain more information about any international data transfers we carry out by sending an email to: privacy.nl@zinia.com.
10. Your data protection rights
You can exercise the following rights at any time:
- Right of access: you have the right to obtain know whether or not Openbank processes personal data relating to you and, if so, to access such data.
- Right to data portability: you have the right to receive a copy of the personal data you have provided us, in a readable, structured and commonly used format, and also to request its transfer to another institution.
- Right to rectification: you have the right to request that inaccurate data be corrected.
- Right to erasure: you have the right to request erasure of your data when, among other things, they are no longer necessary for the purpose for which they were provided.
- Right to object: under certain circumstances, you can object to the processing of your personal data. If you object, Openbank will stop processing the data, except where there are compelling legitimate reasons for doing so, or for the exercising or challenging of possible claims.
- Right to restriction of processing: under certain circumstances laid down in the applicable data protection legislation, you can request that the processing of your data be restricted.
- Right to withdraw your consent: you are entitled, at any time and without providing specific reasons, to withdraw the consent you previously and specifically provided. The withdrawal of the consent will not affect the lawfulness of the data processing activities carried out based on that consent prior to its withdrawal.
- The right not to be subject to exclusively automated decisions: in the event that you have consented to the profiling and that this it is done through an exclusively automated process, you can request the intervention of one of our analysts, express your point of view and challenge the decisions made on the basis of said profiling.
You can exercise the rights described above through the following channels:
• Website: via the "Personal data" section of the Customer Area;
• Email: privacy.nl@zinia.com;
• Postal address: Privacy, Open Bank S.A., Plaza de Santa Bárbara 2, 28004 Madrid, Spain.
• Location: Plaza de Santa Bárbara 2, 28004 Madrid, Spain.
Finally, you can submit a claim to Openbank and/or the German Data Protection Authority (the supervisory authority competent in the field of data protection), particularly if you have not been satisfied with the process of exercising your rights, by writing to the above-mentioned address or via the website www.aepd.es. If you live in an EU member state, other than Germany, you can also directly contact your national data protection supervisory authority.
11. Keeping your data up to date
To enable us to communicate with you, please ensure that all the information you provide for our databases is true, complete, accurate and completely up to date.
If the personal information you have provided us, particularly your postal address, email address and telephone number (landline and mobile) has changed, we kindly ask you to immediately inform us through any of the channels referred to in Section 10.
In the event that you do not notify us of such changes, you acknowledge and agree that all communications sent by us to the postal address or email address or to the contact telephone numbers that feature in our filing systems are valid, binding and in full force and effect.
12. Use of Cookies
At Openbank, we use cookies, among others, to remember who you are when you access your private area or to customise content that may be of interest to you based on your browsing habits.
When you access the Zinia website, we will inform you about the cookies we use, and you can configure the analysis, advertising and personalisation cookies used when browsing the Zinia website. You can read our Cookie Policy for more information.
13. Amendments to the Privacy Policy
We are committed to keeping this Privacy Policy updated to reflect any new developments that occur in relation to the scope of the processing of your personal data. As such, it is important that you take the time to read and understand this Policy. We will notify you of any amendments made to this Privacy Policy by email.
In the event of any dispute regarding or discrepancy between the Dutch and the English version of this Privacy Policy, the Dutch version shall take precedence.
You can download our Privacy Policy here.