Openbank Privacy and Cookie Policy
Clear Filters

Privacy and Cookie Policy

 

Date of last update: 9 April 2021

At Open Bank, S.A. (hereinafter, “OPENBANK”) we use cookies on our website www.openbank.es/en and we want to tell you all about them.

1. What are cookies?

Cookies are data storage and retrieval files which are downloaded to users’ devices whenever they access and/or browse our website. They even contain a number that uniquely identifies your computer or mobile device, even if you change your location or IP address

2. What are they used for?

Cookies allow us to collect data that could identify you or your approximate location, connection time, the device used (e.g. landline or mobile), the operating system and browser used, the most frequently visited pages, the number of clicks performed and information on your online behaviour.

In some cases, they also save information about your browsing habits and preferences that will allow us to provide you with a better and more personalised experience, and even show you advertising related to your preferences every time you visit our website.

They also allow us to collect data showing patterns on how our website is used to identify problems and make improvements, develop new products or services, and generate statistics or usage measurements.

3. How are cookies enabled?

Cookies can be activated in different ways, depending on their purpose. In some cases, when they are necessary for our website to work properly, they are installed during browsing; while in others, when your authorisation is required, they will be enabled when you give us your permission. You can make changes to this consent at any time through the various settings options we provide later on in this Cookie Policy.

Please note that you can access our website without all cookies being enabled (apart from technical cookies), but that disabling them may prevent the website from working properly.

4. What types of cookies do we use?

Below, we explain which cookies you can find when browsing our website and what they are used for:

4.1. Technical cookies

These cookies are necessary to enable functional browsing on our website and ensure that the content is effectively loaded, in turn allowing the correct use of the range of options or services available. In the Customer Area of the Openbank website, some of the technical cookies are also used to meet legal requirements, verify any products or services you take out or engage and resolve technical errors during the contractual process. Our website cannot function properly without these cookies.

What are they and what do we use them for? You can find out about this below:

Type

Cookie

Owner

Purpose

Duration

Own

__bgfpcchcc

Openbank

Security

Session

Own

__mousemovesnosession

Openbank

Fraud

Session

Own

_abck (Openbank)

Openbank

Security

Session

3rd

_gat

Google

Used to limit the percentage of requests.

1 minute

Own

bm_sz (Akamai CDN)

Akamai CDN

Improves performance by improving content delivery.

1 hour

Own

Bmuid (Akamai CDN)

Akamai CDN

Performance. Required for user browsing.

1 hour

Own

cdContextld (Openbank)

Openbank

Performance. Required for user browsing.

Session

Own

cdSNum

Openbank

Internal

1 year

Own

CONSENTMGR

Openbank

Required to know whether or not the user consents to cookies in the different categories.

90 days

Own

Ctm (Openbank)

Openbank

Performance. Required for user browsing.

1 year

Own

et_token (Openbank)

Openbank

Performance. Required for user browsing.

1 hour

3rd

JSESSIONID

New Relic

Session ID

Session

Own

Ndcd (Openbank)

Openbank

Security

Session

Own

Ndsid (Openbank)

Openbank

Security

Session

Own

offlogToken (Openbank)

Openbank

Performance. Required for user browsing.

1 hour

Own

ok-cookiebite (Openbank)

Openbank

Performance. Required for user browsing.

1 year

Own

tokenCredential (Openbank)

Openbank

Access to Customer Area.

1 hour

3rd

ga (Google Analytics)

Google Analytics

This type of cookie is used for technical purposes in the Customer Area of the website in order to meet legal requirements, verify the products and services you take out or engage and resolve technical errors during the contractual process. In its technical role, this cookie will not be used for advertising or analytics purposes.

2 years

3rd

Gid (Google Analytics)

Google Analytics

This type of cookie is used for technical purposes in the Customer Area of the website in order to meet legal requirements, verify the products and services you take out or engage and resolve technical errors during the contractual process. In its technical role, this cookie will not be used for advertising or analytics purposes.

1 day

4.2. Analytics cookies

These cookies provide us with statistical information about your use of our website, which allows us to make improvements. For example, if you have encountered technical problems when accessing certain pages, we can detect and improve this issue.

What are they and what do we use them for? You can find out about this below:

Type

Cookie

Owner

Purpose

Duration

3rd

_fbp

Facebook

Used by Facebook to measure the candidate record and optimise this recruitment source.

 3 months

3rd

_ga

Google

Used to identify users.

2 years

3rd

_ga (Google Analytics)

Google Analytics

To measure user browsing: pages visited, main interactions, etc.

2 years

3rd

_gaexp (Google optimise)

Google Optimize

To generate A/B test to compare user behaviour between two versions of the same page.

4 months

3rd

_gat_tealium_0 (Taelium)

Tealium

Survey. This is a Google Analytics cookie used to limit the percentage of requests.

Session

3rd

_gid

Google

Used to differentiate between users.

2 years

3rd

_gid (Google Analytics)

Google Analytics

To measure user browsing: pages visited, main interactions, etc.

1 day

Own

cookie_policy<(Openbank)

Openbank

To determine if the user accepts pop-up cookies.

6 months

Own

fpc_idPreaprob (Tealium)

Tealium

Survey. Source cookie to assist with analysis.

Session

Own

fpc_tipoUsuario (Tealium)

Tealium

Survey. Source cookie to assist with analysis.

Session

Own

fpc_org (Tealium)

Tealium

Survey. Source cookie to assist with analysis.

Session

3rd

gtm_auth (Google Optimize)

Google Optimize

To generate A/B test to compare user behaviour between two versions of the same page.

Session

3rd

gtm_debug (Google Optimize)

Google Optimize

To generate A/B test to compare user behaviour between two versions of the same page.

Session

3rd

gtm_experiment (Google Optimize)

Google Optimize

To generate A/B test to compare user behaviour between two versions of the same page.

Session

3rd

gtm_preview (Google Optimize)

Google Optimize

To generate A/B test to compare user behaviour between two versions of the same page.

Session

Own

nombreProducto Persistencia

Google Optimize

Survey. Source cookie to assist with analysis.

1 year

Own

utag_main (Tealium)

Tealium

Survey. Website administration via Tealium to serve analytics cookies.

1 year

4.3. Preference cookies

Preference cookies allow us to record information that changes the way in which our website is shared or how it looks, with the aim of offering you predetermined characteristics depending on the data gathered from your terminal, such as: language, browser type, the locale via which access is gained.

What are they and what do we use them for? You can find out about this below:

Type

Cookie

Owner

Purpose

Duration

Own

language (Openbank)

Openbank

To determine the language selected by the user.

Session

3rd

TLTSID

IBM

Active  only for the duration of a browser session, used to group visits in a session. The end user can choose whether or not to allow this cookie.

Session

4.4. Behavioural advertising cookies

Behavioural advertising cookies collect information about your behaviour based on your browsing habits and allow us to manage advertising spaces more effectively by matching the content to your specific profile.

What are they and what do we use them for? You can find out about this below:

Type

Cookie

Owner

Purpose

Duration

3rd

_fbp (Facebook)

Facebook

Subdomain Index, timestamp, random number. Identifies browsers with the aim of providing site and advertising analysis services.

90 days

3rd

_gcl_au (Google Analytics)

Google

Used by Google AdSense to test the efficiency of ads on websites that use their services.

2 months

3rd

_pxhd (Idealista)

Idealista

Security cookie used by one of the tools that prevents attacks on Idealista’s website (perimeterX)

247 days

3rd

DDMMUI-PROFILE (Google)

Google

 Helps personalise advertisements in accordance with user preferences

2 years

3rd

1P_JAR (Google)

JAR

Helps to personalise ads in Google’s properties, such as Google Search.

540 days

3rd

Act (Facebook)

Facebook

Analysis through user identification

1 year

3rd

ad-id (Amazon)

Amazon

Cookie ID stored for targeting. This is an internal binary format.

1 year

3rd

Ad-privacy (Amazon)

Amazon

Linked to blocking cookies.

1 year

3rd

Aid (Google Ads)

Google

The ads displayed on the user’s devices are coordinated and measured.

30 days

3rd

C_user (Facebook)

Facebook

Used in conjunction with the Xs cookie to authenticate the user’s identity on Facebook.

90 days

3rd

CONSENT (Google)

Google

JavaScript Plugin to notify the user that cookies are used on the website.

1 year

3rd

Datr (Facebook)

Facebook

Browser identifier and timestamp. Identifies browsers for site and security purposes, including account recovery and account identification that may be at risk.

2 years

3rd

DSID (Google / Doubleclick)

Google

Display ad identity cookie.

1 year

3rd

Fr (Facebook)

Facebook

User and browser ID; timestamp; other data. This is Facebook’s main advertising cookie. Used to offer, analyse and improve the relevance of ads.

90 days

3rd

HIPID (Idealista)

Idealista

Used by Idealista to direct part of the www.idealista.com traffic to specific machines.

 

3rd

IDE (DoubleClick)

Google

One of the main advertising cookies on non-Google sites, stored in browsers under the doubleclick.net domain.

2 years

3rd

NID (Google)

Google

Helps to personalise ads on Google’s properties, such as Google Search.

1 year

3rd

mo (Idealista)

Idealista

Used by Idealista to set the pixel.

Session

3rd

MORTSESSION (Idealista)

Idealista

Used by Idealista to set the pixel.

Session

3rd

OGPC (Google)

Google

Helps to personalise ads on Google’s properties, such as Google Search.

1 year

3rd

PI (Facebook)

Facebook

Used to record a device or browser logging in via the Facebook platform.

90 days

3rd

Presence (Facebook)

Facebook

Site Features and Services

1 year

3rd

SAPISID (Google)

Google

Google API session cookies

1 year

3rd

Sb (Facebook)

Facebook

Browser ID and timestamp.

2 years

3rd

SID (Google)

Google

Helps to personalise ads in Google’s properties, such as Google Search.

1 year

3rd

Spin (Facebook)

Facebook

Contains session information

1 year

3rd

SSID (Google)

Google

Analysis through user identification

1 year

3rd

SSIDA (Google)

Google

Google uses these cookies to store user preferences and information when viewing pages containing Google Maps.

1 year

3rd

Test_cookie (Double_Click)

Google

Checks whether the user’s browser supports cookies.

Session

3rd

Wd (Facebook)

Facebook

Dimensions of the screen or windows. Allows for the user to be offered an optimal display experience.

7 days

3rd

Xs (Facebook)

Facebook

Session ID, creation date, authentication value, secure session status, caching storage group ID. Used in conjunction with the c_user cookie to authenticate your identity on Facebook.

90 days

3rd

s_vi (Unidad Editorial)

Unidad Editorial

Inter-session identifier

2 years

3rd

MUID (Bing)

Bing

Inter-session identifier

1 year

5. How long are cookies enabled for?

Depending on the type of cookies, and the information we provide about each of them, cookies may remain active for a longer or shorter time.

For example, session cookies are designed to collect and store data while the user accesses a website. When the browser is closed or the session expires, these cookies disappear.

Persistent cookies, however, are still active when you leave the website and go back to it. They will remain stored for the time specified in each case, although you may delete them at any time.

6. Who processes or manages cookies?

Data collected by cookies may be managed by both Openbank and third parties. The explanation of each of the cookies found above indicates whether the cookies are our own or whether they are third party (3rd).

For example, you will see that the third-party cookies we use are those of Google Analytics, Google Inc., which allow Google to monitor on our behalf how visitors use our website, collect reports and help improve the website. For further information on how Google collects and processes data, please visit https://policies.google.com/privacy?hl=en.

7. I have accepted cookies but I now want to disable them. How do I do this?

You can easily and at any time reconsider your cookie preferences and even disable all categories of cookies except those technically necessary for the website to run properly, by clicking here.

Additionally, you may also allow, block and delete cookies and delete your browsing data, including cookies, at any time, from your browser. To do this, you will need to access your browser settings options via the links below:

Firefox

Internet Explorer

Microsoft Edge

Safari

Chrome

You can also disable cookies in your browser by installing a plug-in or an opt-out system provided by some third parties who install cookies on our website, for example:

Adobe Analytics

Criteo

Google (behavioural advertising) (requires Google login)

Please note that some features of our website content are only available if certain cookies are allowed to be installed in your browser. If you choose not to accept or to block certain cookies, depending on their purpose, this may, in whole or in part, affect the normal operation of the website or prevent access to some of the services it offers.

8. Processing of personal data

8.1. Data Controller

Open Bank, S.A. Plaza de Santa Bárbara 2, 28046, Madrid.

Contact details for the Data Protection Officer: privacy@openbank.es

Please find basic information on data processing below. Further information can be found at www.openbank.es/en/privacy-cookies.

8.2. Purposes of the processing and lawfulness

The purposes for which we process the personal data we obtain through cookies are indicated in section “4. What types of cookies do we use?”.

The use of technical cookies by Openbank is necessary to enable your browsing on our website. The legal basis for the use of other cookies is your consent, which you can manage by clicking here or as indicated in section “7. I have accepted cookies, but I now want to disable them. How do I do this?”

8.3. Recipients

We collaborate with third-party providers who may have access to your data to provide us with services which are always under contract. They will process the data in our name and on our behalf, following our instructions at all times. As an example, these may be Google or Tealium.

We make international transfers of your data, only in the context of some of the above-mentioned service provisions, both to countries providing an adequate level of protection, comparable to that of the European Union, as well as to countries that do not benefit from this level of protection. In the latter case, you do not have to worry. Openbank uses mechanisms established by regulations to comply with all guarantees, such as standard contractual clauses or certification mechanisms. You can view the international data transfers we carry out by clicking here, or by writing to privacy@openbank.es.​

Furthermore, in relation to third-party cookies, we would like to remind you that they are either sent from a domain not managed by Openbank but by the relevant third party, or from our domain, in which case the information collected is handled by that third party. You can find more information on any messages provided by third parties, including international data transfers, if applicable, in their respective cookie policies.

8.4. Retention periods

Your data will be processed for the periods indicated in section “4. What types of cookies do we use?” - while your usage authorisations are still valid.

We will subsequently retain the data, which will be duly locked, for the timeframes legally established for actions arising from such authorisation, if required for a defence against any claim concerning our use of your data. After such periods, we will proceed to destroy the data.

8.5. Data protection rights

We hereby inform you that you have, and may exercise, the following rights: access, portability, rectification, erasure, opposition, restriction of processing, the right not to be subject to a decision based solely on automated processing. You can access more information on your rights at www.openbank.es/en/privacy-cookies

9. Changes to the Cookie Policy

Openbank is committed to keeping this Cookie Policy updated in order to collect any new information available in connection with the cookies we use. For this reason, it is important that you regularly spend time reading and making sure you understand it. For any relevant modification that we need to make, we will notify you in advance, at least through our website, so that you may be properly informed at all times.

10. Do you have any questions?

If you have any questions about the Cookie Policy on our website, you may contact us by writing to Plaza de Santa Bárbara 2, 28046, Madrid  or by emailing privacy@openbank.es.

11. Finally, we suggest you

  • Check the Cookie Policy frequently for information on any changes.
  • Read this Cookie Policy along with our data protection policy, which is also available on our website, where we explain how we process your personal data.
  • If you wish, you can download our Cookie Policy.

Date of last update: 15 September 2021


TABLE OF CONTENTS

1. Introduction - Scope of application.

2.  Who is the data controller for your PERSONAL data?

3. What PERSONAL data do we process at Openbank and how do we obtain it?

4. What processing do we perform on your PERSONAL data?

4.1. Responding to and managing your requests for information about Openbank products and/or services

4.2. Managing customer registration and the application of pre-contractual measures

4.3. Processing personal data once you are a customer in relation to the different products you take out

           - Taking out a basic debit product
            (Payroll Account / Current Account / Savings Account / Deposit)
             Maintenance and general management of the contractual relationship and products taken out

           - Taking out a credit product (Mortgage, Loan, Credit Card / arranging Overdraft Protection)

           - Profiling related to taking out a mortgage product

           - Profiling related to taking out a credit card

           - Profiling related to taking out a personal loan

           - Profiling related to offers for pre-approved loans

           - Processing of specific data related to arranging overdraft protection

           - Processing of specific data related to Bizum

           - Taking out a payment method (Debit Card / Prepaid Card / Bizum / Mobile Payment Apps)

           - Taking out a product for a minor
             (Open Young Prepaid Card / Open Young Savings Account or registration in the “Open Young” app)

           - Taking out an investment product
             (Shares / Investment Fund / Warrants / Pension Plans / ETFs/
             Securities Account / Model Portfolio / Automated Investment Service

           - Taking out an insurance product

           - Signing up to the Expense Categorisation Tool

           - Signing up to the Openbanking Financial Aggregator

           - Signing up to the Password Manager service

           - Making a donation to a charity

4.4. Processing of our customers’ personal data carried out regardless of the Openbank product taken out

           - Anti-money laundering and anti-terrorism-financing

           - Reporting Information to CIRBE (Central de Información de Riesgos del Banco de España [Central Credit Register of the Bank of Spain])

           - Reporting information to the Spanish Tax Agency (Agencia Estatal de Administración Tributaria, “AEAT”)

           - Reporting information to other Grupo Santander companies for the combating of financial crime

           - Reporting non-payments to credit information databases

           - Detecting and preventing potential attempted fraud

           - Designing and training risk and behavioural models

           - Recording your voice and/or image and electronic conversations held with you

           - Processing personal data of representatives, proxies of legal entities and individual business owners

           - Sending notifications via the Openbank website and app

           - Surveys and market studies

           - Addressing your requests for information on social media

           - Capturing images through video surveillance systems at our branches

           - Audits and verification of compliance

4.5. Sending of marketing messages

5. How long will we store your PERSONAL data for at Openbank?

6. With whom do we share your personal data?

7. What are your rights in relation to the processing of your personal data?

8. Do you need to keep your PERSONAL data up to date?

9. Use of cookies

10. Changes to this Privacy Policy

 

1. Introduction - Scope of application

This privacy policy (hereinafter, “Privacy Policy” or “Policy”) is intended to regulate and provide information about the processing carried out by Open Bank, S.A. (hereinafter, “Openbank”) for the personal data of: (i) potential customers; (ii) existing customers; (iii) former customers; and (iv) other third parties whose data we may process at Openbank as a result of the relationship we maintain with our customers, as in the case of guarantors, beneficiaries of cards or pension plans, authorised parties, legal representatives and contact persons for customers who are legal entities. In this Policy, we will provide you with information on the categories of personal data we process, the means through which we have obtained your personal data, the purposes for which we collect and process your personal data, the legitimate basis for such processing, the recipients of the data, the duration for which it will be stored,   the rights granted to you under the regulations regarding your personal data, as well as any other information we consider relevant to privacy in order to ensure we are transparent at all times.

Please note that this Privacy Policy is supplementary to the different privacy notices we provide or send you at different times in our pre-contractual or contractual relationship with you.

Please take a few minutes to fully read and understand its contents. If you have any questions, please contact our Data Protection Officer, whose contact details you will find below.

2. Who is the Data Controller for my data?

Corporate name: Open Bank, S.A.

Registered Office: Plaza de Santa Bárbara, 2, 28004, Madrid.

Contact details for the Data Protection Officer: privacy@openbank.es.

3. What data do we process at Openbank and how do we obtain it?

We will process the personal data categories, details of which are provided below, and which we directly obtain from you through the various information request and/or product or service application forms we use. Please note that the data we specify in each of the forms as being “required” is necessary for the proper performance of the contractual or pre-contractual relationship with Openbank. As such, failure to provide this data will prevent us from being able to accept your application or provide you with our services.

· Identifying information: Tax ID/National ID number; name and surname; address; signature/fingerprints; image/voice; electronic signature; Social Security/mutual insurance company number; health card; telephone; email; IP address; and biometric data or physical characteristics.

· Information on your personal characteristics: Marital status; native language; physical characteristics; family information; date of birth; place of birth; age; and gender and nationality.

· Information on social circumstances: Licenses, permits or authorisations; membership with clubs or associations; hobbies and lifestyle; property and possessions; family situation and accommodation characteristics.

· Special category data: health-related information or criminal records.

· Academic and professional information: Training and qualifications; student record; professional experience; and membership of professional associations.

· Employment information: Profession; position; non-financial payroll data; and employee history.

· Commercial information: Activities and business; commercial licenses; subscription to publications, and artistic, literary or scientific works.

· Economic, financial and insurance information: Income and revenues; tax deductions; investments and assets; information on insurance, mortgages, and loans taken out; guarantees; banking information, subsidies and benefits; pension and retirement plans; credit history; financial payroll data; and credit card.

· Information on goods and services transactions: Compensations or indemnities; financial transactions; and goods and services received or supplied.

In addition to the aforementioned data that you provide to us directly through the various information request and/or product or service application forms, we will process other data we have about you from internal sources, such as: (i) data we obtain from our contractual relationship with you; (ii) data we obtain as a result of your interaction through our website/app; and (iii) inferred data that we deduce and/or obtain from data you have previously provided to us (e.g. obtained when we prepare profiles).

Similarly, in addition to the above personal data, and always depending on the product taken out, as explained in more detail below, we will process additional data about you that we obtain from the external sources described below, complying with the procedures, rights and guarantees established at all times by current legislation:

i. Public Administration bodies, such as the Ministry of Finance, the General Treasury of Social Security and the AEAT (Spanish Tax Agency).

ii. Publicly accessible sources, such as: Telephone guides or public records, such as the National Institute of Statistics, the Trade Registry, the Property Registry and the Land Registry.

iii. Information on your financial solvency and possible arrearage that we obtain from credit reference databases from Asnef-Equifax Servicios de Información sobre Solvencia y Crédito, S.L.  (hereinafter, “ASNEF Database”), details for which are provided here, data from  Experian Bureau de Crédito, S.A. (hereinafter, “BADEXCUG Database”) , details for which are provided here , and data from credit information databases, such as the Central Credit Register of the Bank of Spain (hereinafter, “CIRBE”).

iv. Information about you that may be contained in fraudulent data detection databases we consult.

v. Third-party companies to which you have given your consent for your data to be transferred to Openbank or which otherwise legitimately transfer your data to Openbank in accordance with current legislation, as in the case of real estate credit intermediaries or other institutions within Grupo Santander of which you are a customer.

4. Why do we process your data?

Depending on the relationship you have with Openbank (from simply being interested in one of our products or services without actually taking it out, to becoming an Openbank customer and taking out some of the products or services we offer), we will process your personal data differently. Below, we explain the scope of such processing, indicating the personal data processed in each type of processing, the purposes of such processing, as well as the legitimate basis applicable to this.

4.1 Responding to and managing your requests for information about Openbank products and/or services:

Our website has different forms for requesting information about products or services that users can voluntarily fill out if they are interested in receiving information about our products or services, or in performing simulations to take out one of our products. If you decide to complete any of these forms or perform any of these simulations, we will process the data you provide in order to attend to your request for information and send you messages by any means, including electronic means, related to such request for information. The legitimate basis for such processing is the application of pre-contractual measures at the request of the interested parties themselves.

4.2 Managing customer registration and application of pre-contractual measures:

Before you take out any of our products or services, we will process the personal data you provided directly in the customer registration form, as well as data we obtain from the ASNEF Database. Don't forget that that you may exercise your data protection rights indicated in section 7- “What rights do you have in relation to the processing of your personal data?” at all times and in relation to each processing procedure described in this section. During your registration process as a customer, we will process your personal data obtained through the aforementioned sources for the following purposes:

i. To manage your customer registration request and go on to apply the corresponding pre-contractual measures necessary to manage the contract for the product or service you requested from us and send you messages related to your registration process. Accordingly, we will send the necessary pre-contractual information to your email address.

ii. To assess your financial solvency and creditworthiness by consulting the ASNEF Database, in which we will assess your ability to meet the finan cial obligations relating to your business relationship with Openbank. Please note that, as a result of this enquiry, we may approve or deny your registration. In the event that we deny your registration, you will be immediately informed.

iii. To prevent fraud at the time the account opening application is submitted to protect our customers and the solvency of the bank.

iv. To assist you during the application procedure by sending reminders in cases where you might have applied to open an account but this process was not completed because there are steps pending (missing information), as well as to detect any incident preventing you from completing the application process.

v. To reliably identify you, so as to comply with the due diligence measures that we are subject to in accordance with anti-money laundering regulations.

Likewise, depending on the Openbank product you wish to take out, we will profile your data in order to predict your risk of default and thus determine if we can allow you to take out the Openbank product you request. To obtain more information regarding the privacy of the specific processing, please check the specific section referring to the product you wish to take out (for example, if you take out a mortgage, we will process the data for that purpose in accordance with what is described in our policy).

The legitimate basis for such data processing includes the following:

o Proper performance of the contract: Applying, where requested by you, pre-contractual measures and executing and fulfilling our contractual obligations if you ultimately become a customer of Openbank. Please note that that whenever you apply to open an account, you will also request a debit card so that you are able to carry out transactions with us. In addition, in order to protect the solvency of Openbank and that of the rest of our customers, before accepting a new customer, we must assess your financial capacity to meet your payment obligations during the pre-contractual phase, as well as your risk of entering a default or insolvency situation. We will explain the analysis performed to assess your solvency and the logic we apply in each of the cases in section 4.3 of the Policy.

o Our legitimate interest in assisting you during the application procedure by sending reminders where you have started the application process, but this has not been completed because there are steps pending (missing information) as well as to detect any incident preventing you from completing the application process.

o Our legitimate interest in preventing fraud (such as identity impersonations during an application or  applications based on false information), at the time the customer registration request is made. You can find more details in section 4.4 “Processing of our customers’ personal data carried out regardless of the Openbank product taken out”, section “Detecting and preventing potential attempted fraud”.

o Our legal obligation to reliably identify you in accordance with the regulations on anti-money laundering and anti-terrorism-financing, as detailed in section 4.4 “Anti-money laundering and anti-terrorism-financing”.

The personal data categories  that Openbank will process for the purposes described above are as follows: Identifying information, which in some cases may be biometric, e.g. your image and voice in case you identify yourself by means of an unassisted video call; employment information; economic, financial and insurance information; information on your personal characteristics; commercial information; and identifying information for the persons you include in your account as holders and/or authorised parties.

4.2.1. Adapting our contractual relationship in case of vulnerabilities.

If you expressly tell us that you have a hearing, visual or other impairment, we will use this information during the contractual relationship to provide you with a service adapted to your needs, such as, for example, avoiding contacting you by phone if you have hearing problems and using other contact channels as a priority.

The legitimate basis for such data processing will always be the express consent you have given us to be able to process this data. The personal data categories that Openbank will process to carry out the purpose described above are as follows: Identifying and health-related information.

4.3 Processing personal data once you are a customer in relation to the different products you take out:

Once you have successfully completed your registration process and are formally an Openbank customer, we will carry out the following additional personal data processing based on the specific products and services you take out with us. Don’t forget that that you may exercise your data protection rights indicated in section 7 “What rights do you have in relation to the processing of your personal data?” at all times and in relation to each processing procedure described in this section.

Notwithstanding the specific processing related to an application for a specific product, please note that Openbank may carry out additional processing of customer personal data regardless of the product taken out, as explained in section 4.4 “Processing of our customers’ personal data carried out regardless of the Openbank product taken out”  in this Privacy Policy.

• Taking out a basic debit product (Payroll Account/Current Account/Savings Account/Deposit) - Maintenance and general management of the contractual relationship and the products taken out: The application process for taking out a basic debit product implies that Openbank will process the personal data you have provided in the application form for the relevant debit product, as well as the information we obtain later during the course of the contractual relationship (e.g. about your operations with our products). We will also process the information we obtain from the external sources specified in section 3  and from consulting the internal and external databases detailed above in section 4.2 regarding the customer registration process for the following purpose:

i. To address, evaluate and manage your application to take out a debit product and, if you actually take it out, to comply with the applicable contractual obligations, maintain the contractual relationship with you and send you messages, including marketing messages via electronic means, related to the products taken out. Also, if you so request, for the purpose of including other holders and/or authorised parties in the debit products taken out.

The legitimate basis for such data processing includes the following:

o Proper performance of the contract: Applying, where requested by you, pre-contractual measures and executing and fulfilling our contractual obligations in relation to the basic debit product you take out with Openbank.

The personal data categories that Openbank will process to carry out the purpose described above are as follows: Identifying information; employment information; economic, financial and insurance information; information on your personal characteristics; and, if you include other holders and/or authorised parties, the identifying information for such persons.

• Taking out a credit product (Mortgage, Loan, Credit Card/ Overdraft Protection): The application process for taking out a credit product implies that Openbank will process the personal data you have provided in the application form for the relevant credit product, as well as the information we obtain from the publicly accessible sources detailed in section 3 of this Policy for the following purposes:

i. To address, evaluate and manage your application to take out a credit product and, if you actually take it out, to comply with the applicable contractual obligations, maintain the contractual relationship with you and send you messages related to the products taken out.

ii. To assess your creditworthiness and predict your risk of default in order to prevent our customers from falling into arrears, thus protecting our solvency and the rest of our customers. To do this, we will compare and profile your information according to the behaviour and risk models we have designed using internal and/or external sources. Below we will explain in detail the type of profiling, logic applied and data used depending on the specific type of credit product you wish to take out, as well as the types of processing used when taking out such products.

The legitimate basis for such data processing includes the following:

o Proper performance of the contract: To execute and fulfil our contractual obligations in relation to the credit product you take out with Openbank.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identifying information; employment information; economic, financial and insurance information; information on your personal characteristics; as well as the data we obtain from the external sources listed in section 3 of this Policy and specified in detail below according to the type of profiling to be carried out based on the specific product applied for and taken out.

Below, we explain the scope of the different types of profiling we will carry out using your personal data and the processing conducted, based on the credit product you wish to take out:

· Profiling and data processing linked to taking out a mortgage product: As outlined in the previous section, if you apply to take out a mortgage product, Openbank needs to prudently evaluate both the mortgaged product and your personal circumstances to analyse your financial capacity and risk of default and, consequently, determine if you will be able to honour the payment of the mortgage you are about to take out with us.

To do this, we will compare and profile, according to the specific behaviour and risk models we have designed for mortgage contracts, the personal data you provided directly through the different information request forms, as well as the data we obtain from the following external publicly accessible sources:

•  ASNEF Database, BADEXCUG Database and CIRBE.

• Public administration bodies such as the Ministry of Finance.

• Public registries such as the National Institute of Statistics, the Trade Registry, the Property Registry and the Land Registry.

The logic applied to this profiling will consist of:

(i) Analysing your current income and your current economic situation, all your assets and liabilities, including information about all your financial commitments through CIRBE, as well as your redemptions history with Openbank, or the information we ask you to directly provide for the purposes of taking out your mortgage, such as your last payroll slips or your personal income tax returns. We will specifically analyse the sources of income that serve as proof of ability to pay, whether this is cash income (income, periodic private transfers —spousal maintenance—, income from the leasing of real property, financial investment returns, income from private businesses or companies, income from other sources), funds (such as savings accounts or investment products) and periodic expenses.

(ii) Analysing the information you provide regarding the number of people who are part of your family unit as this information is essential to take into account the average income and expenses per family member and not just yours as a mortgage applicant.

(iii) Your creditworthiness or that of any person who has been designated as guarantor during the mortgage application procedure by consulting ASNEF, BADEXCUG and CIRBE databases to identify potential debts and non-payments.

(iv) We will also take into account socio-demographic and behavioural information pertaining to Spain’s population according to the market area for the national territory where the property to be mortgaged is located, in accordance with the information published by the National Institute of Statistics on www.ine.es,  specifically using statistical data on household income. Information last updated: 2020.

Whenever necessary, particularly in cases where mortgage applicants are self-employed or receive seasonal income or any other irregular income, we may make enquiries to verify the information relating to the sources of income that prove payment capacity and thus validate that the documentation you provide us with is reliable, through enquiries with relevant public bodies (Trade Registry).

Regarding the mortgaged product, to ensure the quality of the data, we will analyse the information relating to the property and we will confirm this using external sources such as the Land Registry and the Property Registry, obtained online, which provide us with accurate data on the property and are an effective tool for fighting fraud in the real estate sector. The cadastral reference shows information of an economic nature or with tax implications relating to the property, e.g. public instruments, court orders and resolutions, files and administrative resolutions. Relevant information can also be found in the documents containing significant legal acts, proceedings or transactions pertaining to the property and other real rights, lease or assignment agreements under any title for use of the property, electric power supply contracts, technical projects or any other documents relating to the real property that are determined by law.

By combining all sources of information (both internal and external), the data described above and the analytical capabilities of our behaviour and risk models, using a profiling process we will be able to infer the payment behaviour of a potential mortgage borrower and therefore determine their risk of default in relation to a mortgage loan.

Please note that, as a result of this analysis and the information from our internal sources and the information obtained through the enquiries made in the external sources described above, we may approve or deny your mortgage contract application.

You may request information about the result of said profiling in order to receive an explanation as to the decision made, express your point of view regarding said decision, object to the result of the profiling, and request involvement from the responsible team within Openbank to review the decision made as a result of the profiling.

Also, please note that the process for granting a mortgage loan involves the following:

(i) in order to conduct the operation, we will submit your information in the context of said contract to the appraisal firm due to assess the asset to be mortgaged, to the relevant Notary Public to prepare the deed for the mortgage, and to the Property Registry insofar as we are obligated to register the transaction;

(ii) long-term management and monitoring of the entire cycle of the operation, therefore we have to analyse your economic situation and borrowing capacity not only when you request the mortgage from us, but also thereafter, provided the mortgage loan is still pending.

The legitimate basis for this profiling includes the following:

o Proper performance of the contract: Applying, at your request, pre-contractual measures and executing and fulfilling our contractual obligations if you ultimately take out a mortgage with Openbank.

o Legal obligation: In compliance with the Guidelines on granting and monitoring loans issued by the European Banking Authority and adopted by the Bank of Spain (EBA/GL/2020/06)

· Profiling for the taking out of a credit card and processing of information related to the contract:

Likewise, and as we have mentioned above, the application process for taking out a credit product such as a credit card implies that Openbank, for the proper performance of the contract, will compare and profile your data according to the behaviour and risk models we have designed to predict the risk of default in the taking out of credit cards, both in the case of existing customers and new customers.

If you are already an existing Openbank customer and apply for a credit card, profiling will consist of automatically analysing the information we have about you as a customer from our own sources, such as your account balance, purchased securities, plans, funds, mortgages, cards, deposits (contributions / redemptions) loans (amount and number), direct debits, expenditure with merchants and card transactions (physical/online), payroll and pensions, cash (cash inflow and outflow), use of cards, age, and internal default. We will also verify whether you have any debt with other institutions, according to what is reported by the ASNEF and CIRBE credit databases.

However, for those who are not yet customers and for whom, therefore, applying for a credit card implies the start of a first-time contractual relationship, profiling will consist of automatically analysing the information you have provided us with directly in the application process fora credit card, e.g. your email address, age, number of onboarding current account holders, address, post code, the province you live in, as well as the information retrieved from the metadata obtained at the time of the application process and from the following external sources:

•  ASNEF Database, BADEXCUG Database and CIRBE.

• Public administration bodies such as the Ministry of Finance.

• Public registries such as the National Institute of Statistics, the Trade Registry, the Property Registry and the Land Registry.

All of this will allow us to know:

(i)  the average surface area of the properties in the post code where you reside (through the Property Registry and the Land Registry obtained online, last updated: June 2018);

(ii) The average available income and average arrearage for your post code (Ministry of Finance, last updated: 2018);

(iii) The population of the province where you live; percentage of population represented by the town with respect to the province where you live; relative difference between income for the post code and for the town in which you live; relative difference between income for the town and for the province in which you live; ratio between income for the post code and the province where you live; and ratio between the income for the town and the province in which you reside (through the National Institute of Statistics, last updated: 2020).

(iv) Your financial creditworthiness, by consulting credit and equity databases such as ASNEF or BADEXCUG to identify potential debts and non-payments.

We will also take into account whether the customer is in debt and how long this debt has existed, within the last 90 days, and, if the customer’s debt is more than 90 days old, we may consider that you cannot pay us the instalments for the requested credit card.

By combining all sources of information, (both internal and external), the information described above and the analytical capabilities of our behaviour and risk models, using a profiling process, it is possible to infer the payment behaviour of a potential credit card holder and, therefore, determine their risk of default in relation to a credit card.

Please note that as a result of this profiling, we may either approve or deny your credit card application. For example, if, at the time of application, you have a debt with the bank that you cannot cover or you are included in a financial solvency database and you do not meet the criteria established by Openbank, we may deny your application.

You may request information about the result of said profiling in order to receive an explanation as to the decision made, express your point of view regarding said decision, object to the result of the profiling, and request involvement from the responsible team within Openbank to review the decision made as a result of the profiling.

Also, please note that the process for granting a credit card involves the long-term management and monitoring of the entire cycle of the operation, therefore we are required to analyse your financial situation and borrowing capacity not only when you request the card, but also afterwards.

The legitimate basis for this profiling includes the following:

o Proper performance of the contract: When taking out a credit card, at the applicant’s request,  we will apply pre-contractual measures and perform and fulfil our contractual obligations.

o Legal obligation: In accordance with the Guidelines on granting and monitoring loans issued by the European Banking Authority and adopted by the Bank of Spain (EBA/GL/2020/06), and in accordance with the regulations of Order EHA/2899/2011, of 28 October, on transparency and protection of the banking services customer.

· Profiling for the taking out of a personal loan:

The application process for taking out a personal loan implies that Openbank will compare and profile your data according to the behaviour and risk models we have designed to predict your risk of default and thus avoid situations that entail harm to Openbank. In this regard, if you apply for a personal loan, we will use our behaviour and risk models to prepare a profile and assess your solvency and financial capacity based on our internal sources (e.g. data provided in the loan application form, such as your full name or National ID number), the data generated throughout the contractual relationship (data relating to transactions with cards you made, paid direct debits, your account balances) and the information obtained from the following external sources: ASNEF and CIRBE databases.

In particular, we will use the following personal data categories to carry out the profiling and assess your creditworthiness and predict your risk of default when you take out a loan: Identifying information (full name and National ID number); employment information (if you are an employee, whether permanent or temporary, the time you have been employed at the company you work for or whether you are a civil servant, pensioner or self-employed person); main residence scheme (rent, family home, mortgaged, property with no encumbrances); marital status (married, divorced, single or widower); financial information on the loan requested (type of loan, amount and term); number of credit cards taken out with other financial institutions and internal default; information on goods and services transactions (Openbank account movements; average balance in the current accounts of Openbank; net monthly income and monthly expenses; and other loans granted); amounts unpaid with other companies; actual, past due and enforceable debts; information about the loans, credits (direct risk), sureties and guarantees (indirect risk) that you hold with other financial institutions: amount, start date and maturity, amounts pending payment, type of loan and guarantees.

The logic applied to this automated profiling will consist of analysing the amount of the loan requested as well as its term, along with the applicant’s income, whether recurrent or temporary, your economic stability, expenses you incur such as loans with other institutions specified by CIRBE or that you may have, such as current credit card expenses and their payment due date, or possible debts identified in the ASNEF credit databases, in order to determine if you will be able to pay the requested loan.

By combining all the sources of information (both internal and external), the data described above and the analytical capabilities of our behaviour and risk models, and using a profiling process, it is possible to infer the personal loan applicant’s payment behaviour, in order to ensure that the customer’s payment capacity is sufficient to meet the instalments resulting from the amount and term requested, leaving a sufficient remainder to cover basic needs.

Please note that that, as a result of this profiling, we may either approve or deny your personal loan contract application, for example, if we consider that with your the current debt you have the capacity to pay future debts.

You may request information about the result of said profiling in order to receive an explanation as to the decision made, express your point of view regarding said decision, object to the result of the profiling, and request involvement from the responsible team within Openbank to review the decision made as a result of the profiling.

The legitimate basis for this profiling includes the following:

o Proper performance of the contract: Applying, at your request, pre-contractual measures and the execution and fulfilment of our contractual obligations if you ultimately take out a credit card.

o Legal obligation: In accordance with the Guidelines on granting and monitoring loans  issued by the European Banking Authority and adopted by the Bank of Spain (EBA/GL/2020/06), and in accordance with the regulations of Order EHA/2899/2011, of 28 October, on transparency and protection of the banking services customer.

· Profiling related to offers of pre-approved loans:

The offer of a pre-approved loan implies that Openbank will compare and profile your data according to the behaviour and risk models we have designed to predict your risk of default using the information obtained from internal sources.

The logic applied to this profiling will consist of analysing the customer’s identifying and economic data, such as their salary or pension; account balances; securities deposited; mortgages; cards; deposits (contributions / redemptions); investments in funds and/or plans; other loans already taken out (amount and number); direct debits; retail spending and card transactions (physical/online); cash transactions (cash inflow and outflow) to assess their level of association with Openbank and their borrowing capacity; as well as the transaction history of the last 13 months to view their consumer habits; age; internal default; unpaid amounts; and date of non-payment.

By combining all the sources of information (both internal and external), the data described above and the analytical capabilities of our behaviour and risk models, through a process involving profiling, the loan amount and the type of pre-approved loan which we could grant you can be inferred, so as to ensure that the customer’s payment capacity is sufficient to meet the instalments resulting from the amount and term requested, leaving a sufficient remainder to cover basic needs.

Please note that as a result of this profiling, we may modify the conditions of the pre-approved loan offered, or we may not even make you an offer. You may object to us carrying out the previous profiling, but in that case it is likely that we will not be able to offer you pre-approved loans.

The legitimate basis for this profiling includes the following:

o Our legitimate interest in performing direct marketing tasks and offering our customers pre-approved loans adjusted to their financial situation and borrowing capacity.

o Proper performance of the contract: Application, at your request, of pre-contractual measures and the execution and fulfilment of our contractual obligations if you ultimately take out a loan. For the final approval of the loan, we will need to verify the absence of debts in the ASNEF Database, but to do so we will inform you in advance.

o Consent: in the event that you authorise us to profile you  using  external information, in addition to pre-approving you for a loan as mentioned above, we will also consult the ASNEF Database before offering you the product.

· Specific data processing related to arranging overdraft protection:

The request to take out a credit product such as overdraft protection means that Openbank, for the proper performance of the contract, will compare and profile your data according to the behaviour and risk models we use to predict the risk of default in arranging overdraft protection.

Whenever a customer wishes to arrange overdraft protection, the profiling we will carry out will consist of automatically analysing the information we have on said customer in our internal sources, e.g. account balance; purchased securities; plans; funds; mortgages; cards; deposits (contributions / redemptions); loans (amount and number); payrolls and pensions; cash (cash inflow and outflow); and internal default. We are also required to verify whether you have any debt with other banks, according to what is reported by the ASNEF and CIRBE credit databases.

By combining all sources of information, (both internal and external), the data described above and the analytical capabilities of our behaviour and risk models, using a profiling process it is possible to infer the payment behaviour of a potential credit card holder and, therefore, determine their risk of default in relation to said product.

Please note that as a result of this profiling, we may either approve or deny your overdraft protection application.

You may request information about the result of said profiling in order to receive an explanation as to the decision made, express your point of view regarding said decision, object to the result of the profiling, and request involvement from the responsible team within Openbank to review the decision made as a result of the profiling.

The legitimate basis for this profiling includes the following:

o Proper performance of the contract: Applying at your request, pre-contractual measures and executing and fulfilling our contractual obligations if you ultimately arrange the overdraft protection.

• Taking out a payment method (Debit Card/Prepaid Card/Bizum/Mobile Payment Applications):  The application process for taking out a payment method requires Openbank to process the data you provide us with through the application form for the payment method you wish to take out, the information we have on you in our systems if you are an Openbank customer, as well as the data obtained from the external sources described in section 3 of this Policy, for the following purposes:

(i) To address, evaluate and manage your application to take out the payment method and, if you actually take out one or several payment methods, to comply with the applicable contractual obligations, maintain the contractual relationship with you and send you messages related to the products taken out.

Additionally, certain third-party mobile apps available for payments may require you to accept the terms and conditions of the corresponding service provider before you start using them. Under these terms, they will inform you in an individualised manner about how your personal data will be processed in each of these services.

The legitimate basis for such data processing includes the following:

o Applying, at your request, pre-contractual measures and executing and fulfilling our contractual obligations in relation to the payment method you take out with Openbank.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: identifying information; employment information; economic, financial and insurance information; and information regarding your personal characteristics.

• Specific data processing related to Mobile Payment applications (Samsung Pay, Apple Pay, Google Pay, Fitbit Pay, Garmin Pay and Openbank Wallet)

If you request any Mobile Payment service from us, consisting of associating the different Openbank cards with devices you have in order to make payments and conduct transactions with third parties through your devices, you must take into account the data processing detailed in  the terms and conditions and the privacy policy for each app you download.

Likewise, when registering an Openbank card, you will be informed about the processing of specific data related to the mobile payment service, mainly regarding access to information by the service provider company, which will be necessary for the proper provision thereof.

You can obtain more information about the data processing conducted by the different Mobile Payment apps related to Openbank below, although this will also be detailed at the time you register with the service:

•  Samsung Pay

• Apple Pay

Google Pay

Fitbit Pay

Garmin Pay

• Openbank Wallet

The legitimate basis for such data processing includes the following:

o Applying, at your request, measures for the execution and fulfilment of our contractual obligations in relation to the registration of the service.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: identifying information; economic, financial and insurance information.

• Processing of specific data related to Bizum.

If you request the instant transfer service, we will process your personal data in order to manage your registration with the service. Please note that the data controller for the instant transfer directory is Bizum S.L. (hereinafter “Bizum”).

In order to properly provide the instant transfer service, it will be necessary for us to transfer certain identifying information to Bizum: customer name and surname, TIN (or similar identification document), mobile phone number, IBAN and  username or alias, which will be his/her first name and the initials of his/her two surnames, the purpose being to identify the recipient of an instant transfer transaction. This transfer will be made to Bizum, a company whose aim is to provide information technology services for the sending of instant transfers, as the owner of the directory accessed by member banks of the Bizum service. You can access additional information on Bizum’s privacy policy here.

Furthermore, in order to correctly provide its service, Openbank will store the data for instant transfers made by its customers. We will not provide data to other final users that is not strictly essential for the provision of the service.

The legitimate basis for such data processing includes the following:

o Execution and fulfilment of contractual obligations in relation to the instant transfer service.

o Consent provided in the context of additional or added-value actions not included within data processing essential for service performance, e.g. the sending of photos or chats.

The personal data categories that Openbank will process for the purposes described above are the following: identifying information and economic, financial and insurance information.

• Taking out a product on behalf of a minor (Open Young Prepaid Card or Open Young Savings Account or registration in the “Open Young” app): At Openbank, we will process the information you provide us with, as a legal guardian or representative, in the relevant application form, as well as the copy of the Family Record Book for the following purposes:

i. To address, evaluate and manage your application to take out a product on behalf of a minor, and, if you do take out a prepaid card or savings account for a minor, or manage the registration in the “Open Young” app, to comply with the contractual obligations established therein and maintain the contractual relationship held with you as well as to send you messages related to the products taken out.

ii. Verify that you are the father/mother, guardian or legal representative of the minor, to thus verify your ability to sign the contract on his/her behalf.

iii. Contact the minor once he/she has reached legal age to inform him/her that he/she may dispose of the funds in his/her Open Young savings account whenever he/she so wishes, as well as to offer him/her the possibility of opening a regular current account with Openbank.

The legitimate basis for such data processing includes the following:

o Applying, at the applicant’s request, pre-contractual measures and executing and fulfilling our contractual obligations in relation with the Openbank product taken out by you on behalf of the minor. The personal data categories that Openbank will process to carry out the purposes described above are as follows: identifying information; economic, financial and insurance information, as well as the identifying information for the minor on whose behalf you take out the Openbank product. You can find additional information on the type of personal data used and the processing we carry out for taking out products for minors at: Protection of a Minor’s Personal Data and their Rights.

• Taking out an investment product or service (such as share purchases/Investment Fund holdings/Warrants/Pension Plans/ETFS/Securities Account/Build your Portfolio Service/Automated Investment Service):  When you apply to take out and/or ultimately take out an investment product or service, Openbank must process the data you have provided in the application form  in question for the following purposes:

i. To address, evaluate and manage your application to take out the investment product or service and, if you ultimately take out one or several investment products or services, to comply with applicable contractual obligations, maintain the contractual relationship with you and send you messages related to the products taken out.

ii. Whenever so required by regulations, we will process the information and personal data you provide us with in order to define your investor profile. To do this, we will take into account your knowledge and experience of financial instruments, your investment goals, as well as your financial situation, in order to determine your appropriateness and suitability as a customer to take out the investment product or service you request.

iii. If you wish to subscribe to an investment fund or invest in a pension plan, as distributors of the fund or plan, as applicable, we will be required to report your information to the corresponding asset manager and depository, as applicable, to enable the subscription, purchasing and/or management of the fund or plan; this will include messages from the fund or pension plan regarding the service taken out.

iv. Likewise, if you request a transfer from Openbank to another bank, your data must be transferred to the destination bank in order to mobilise your balance and vested rights.

Please note that at the time you purchase or engage the corresponding investment product or service, we will send you documentation through which you will be provided, non-exhaustively, with information regarding the data categories that will be processed based on the investment product you have purchased, as well as information related to exercising your rights.

The legitimate basis for such data processing includes the following:

o Applying pre-contractual measures and executing the contract, complying with the obligations established therein and maintaining the contractual relationship with you and sending you messages related to the products or services purchased or engaged.

 o Legal obligation to perform the suitability and appropriateness test in compliance with Directive 2014/65 on markets in financial instruments (MIFID II).

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identifying information; and when applicable, data obtained through the suitability and appropriateness test prepared by Openbank using academic or professional information, information related to personal characteristics, information related to contracted products and services, as well as information related to your investment goals, the risks you are willing to take and your financial situation.

• Taking out an insurance product: Whenever you apply for and/or ultimately take out an insurance product, Openbank, as data processor in its capacity as insurance broker, is required to process, on behalf of the insurer, the information you provided in the application form, for the following purpose:

(i) To manage and analyse your request to thus comply with the contractual relationship for the new insurance product taken out in accordance with the regulations of our industry.

Depending on the insurance product you apply for, we will inform you, in each case and individually, about all the legal aspects of the processing of your data, for example, how your data will be used and what third parties might be involved in the application process.

However, please note that Openbank simply acts as a linked bancassurance operator, i.e., it markets third-party products through its distribution network. Therefore, in order to process your request, we are required to provide certain information to insurers with which you take out the insurance products, who will act as data controllers of your personal data. Upon taking out an insurance product that you have requested, we will provide you with the information regarding the processing of your personal data by the insurer. You should review the privacy policy of the corresponding insurers with which you take out the products to obtain information on the personal data processing carried out by these companies.

The legitimate basis for such data processing includes the following:

o Applying pre-contractual measures and executing the contract for the insurance product.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identifying information; employment information; economic, financial and insurance information. Likewise, should you request home insurance, we will process information regarding the home covered by the insurance, e.g.: the address; post code; area; and district in which it is located, as well as the approximate surface area in square metres. This information is necessary to be able to calculate the sum insured for the property. If you take out Mobile Theft insurance, we will be required to process certain information from the insured mobile device, such as the IMEI number, in order to fulfil the aforementioned purposes.

• Signing up to the Expense Categorisation Tool: As a result of you being registered a customer, we can classify the transactions of your bank account or securities account, or the information we access, into representative spending categories (e.g. education, restaurant, supermarket, leisure expenses). We will carry out this data processing as part of our management of the contractual relationship we have with you, for the following purposes:

(i) To offer you classified information on the expenses you incur in predetermined product or service categories (e.g. education, restaurant, supermarket, leisure expenses) that will allow you to manage and supervise your finances and expenses more easily.

The legitimate basis for such data processing includes the following:

o Fulfilling our contractual obligations acquired with you when you sign up to our expense categorisation service.

Please note that if you exercise your right to object, Openbank will cease to provide the service engaged. You can find additional information about the Openbank Expense Categorisation Tool here.

The personal data categories that Openbank will process to fulfil the purposes described above are as follows: identifying information; economic, financial and insurance information; and information regarding your personal characteristics.

• Signing up to the Openbanking Financial Aggregator: If you sign up to the Openbanking Financial Aggregator service, we will aggregate the financial accounts you have in other financial institutions for the following purposes:

(i) To consolidate the information on the financial products that you have taken out with other banks, to categorise your transactions, thus allowing us to optimise the information you access by allowing you to view your expenses in an integrated way. Likewise, when you take out the Openbanking Financial Aggregator service, we will process your personal data to send you alerts and notifications about your movements and bank positions.

(ii) To send you marketing messages about Openbank products and services and/or about the products and services of companies with which we collaborate, adapted to your profile, provided you give us your consent to do so.

The legitimate basis for such data processing includes the following:

 o Fulfilling our contractual obligations acquired with you when you sign up to our Openbanking Financial Aggregator service.

o Your consent for the use of information related to the Openbanking Financial Aggregator to profile you and send you marketing information about products and services offered by Openbank or companies with which we collaborate.

Please note that if you exercise your right to object, Openbank will cease to provide the service purchased. You can find additional information about the Openbanking Financial Aggregator here. The personal data categories that Openbank will process to fulfil the purposes described above are as follows: identifying information; economic, financial and insurance information; and information regarding your personal characteristics.

• Signing up to the Open Discounts service: If you register for the “Open Discounts” service, you will receive discounts and promotions from third parties with which Openbank has partnership agreements.

The legitimate basis for this data processing is  managing the registration of the service that you have requested from us and fulfilling our contractual obligations taken on with you when you take out our service.

Please note that if you exercise your right to object, Openbank will cease to provide the service purchased.

The personal data categories that Openbank will process for purposes described above are as follows: identifying information.

• Signing up to the Password Manager service: If you sign up to the “Password Manager Databank” service, you will be able to save and manage all your passwords, data, or any information more comfortably and securely.

The legitimate basis for such data processing includes the following:

o Fulfilling our contractual obligations taken on with you when you purchase our Password Manager Databank service.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: identifying information.

• Making a donation to charity: At Openbank, we have two methods allowing you to make charitable donations to non-profit organisations (NGOs or Foundations): (i) a solidarity transfer and (ii) our solidarity debit card.

Whenever you use these services, we will process the data you provide us with for the following purpose:

(i) Duly addressing your request to take out debit products (in relation to the solidarity transfer) and payment methods (in relation to the solidarity debit card).

(ii) In addition, when you apply for a solidarity card, we will provide your name and surname, National ID number, address, date on which the donation is made and the amount thereof to the NGOs/Foundations, to manage your donations and for them to issue an annual donation certificate, if possible.

The legitimate basis for such data processing includes the following:

o Executing the contract to make a charity donation.

The personal data categories that Openbank will process to carry out the purpose described above are as follows: Identifying information; address to which the solidarity debit card must be sent; employment information; economic, financial and insurance information; and information regarding your personal characteristics.

4.4 Processing of our customers’ personal data carried out regardless of the Openbank product purchased:

Don’t forget that you may exercise your data protection rights at any time as set out in section 7 “What rights do you have in relation to the processing of your personal data?” In relation to such processing, although you may exercise your right to erasure and/or limitation, as well as to object to processing based on a legitimate interest, we will not be able to offer you or continue providing you the contracted services and/or products.

• Anti-money laundering and anti-terrorism-financing: The processing of personal data, as well as the databases, automated or not, created for purposes of complying with the provisions of Act 10/2010, of 28 April, on anti-money laundering and anti-terrorism-financing, with which we are required to comply as a financial institution, requires the processing of your personal data for the following purposes:

i. To report, on a monthly basis, to the Financial Holdings Database, the identifying information of our customers (or that of their representatives or proxies in the case of legal-person customers) and authorised parties regarding the opening or cancellation date of current accounts, savings accounts, securities accounts and term deposits. The above information will form part of this Database, the data controller of which is the Department of State for the Economy and Support for Companies. For the purposes of exercising the rights of access, correction, erasure and objection established under Regulation 2016/679 and Organic Law, 3/2018, we hereby inform you that according to Article 32 of Act 10/2010, of 28 April, on anti-money laundering and anti-terrorism-financing, such rights are not applicable to the databases and processing of personal data created and managed by the SEBPLAC (Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias [Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences]) for the fulfilment of the functions granted by said Law.

ii. To provide information on payment transactions to the authorities or official bodies of other countries,  including those located both inside and outside the European Union, within the context of anti-money laundering, anti-terrorism-financing and the prevention of serious organised crime. For these purposes, the exchanging of information between the Executive Service and the AEAT, in full accordance with the provision contained in Articles 94.4 and 95.1.i) of Act 58/2003, of December 17, General Taxation Law must be deemed to be of particular relevance.

iii. To verify whether you are a person with public responsibilities or a politically-exposed person and, if so, applying the reinforced due diligence measures in the business relations or operations we carry out with you.

iv. To verify the accuracy of the information and documents you provide to us in order to be informed about the nature of your professional or business activity and providing this information to the authorities or official bodies of other countries, located both inside and outside the European Union, and to other companies belonging to Grupo Santander as part of anti-money laundering, anti-terrorism-financing and the prevention of serious organised crime.

v. To reliably verify your identity using a valid ID document. To do so, we will store your identification document (including your image) and, if necessary, display it through any means, formats and media, for the sole purpose of verifying your identity when necessary to comply with the contract signed with you in your capacity as customer (as is the case when a claim is filed) and to meet the requirements of the competent authorities and/or comply with our legal obligations..

Additionally, in order to identify you in a more convenient and simple way, we provide you with a procedure that allows us to identify you using a video call with an agent. You will also have the option of making an unassisted, agent-free call, in which case we will use facial recognition techniques involving biometric data processing on your image. If you opt for video call identification (either assisted or unassisted), we will require your prior consent in order to carry it out, record it and store the recording. This information may be accessed by various bodies when legally required.

Alternatively, if you prefer, you can confirm your identity through other available means, such as providing us with your account number at another bank.

In addition, if you give us your consent, we can submit an enquiry to the General Social Security Treasury under the Agreement signed between the Association of Financial Credit Institutions and the General Social Security Treasury, in order to verify that the documents and information you have provided to us during the contracting process and throughout the contractual relationship are truthful, and to prevent possible fraud that could come to light as the result of the verifications carried out.

The legitimate basis for such data processing includes the following:

o Compliance with legal obligations: In particular, Openbank will carry out this processing to comply with Act 10/2010 on Anti-Money Laundering and Anti-Terrorism-Financing, Directive (EU) 2018/843 of the European Parliament and of the Council and Royal Decree-Law 7/2021 on the transposition of European Union directives and other applicable regulations on anti-money laundering and anti-terrorism financing.

o Consent, so as to process your biometric data if you decide to identify yourself by means of an unassisted call or if you would like us to verify that the information you have provided to us during the application process and throughout the contractual relationship is truthful, as well as to prevent possible fraud that could come to light as a result of the verifications carried out.

o Consent to be able to consult  the General Social Security Treasury.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identifying information; biometric data derived from facial recognition techniques used in the unassisted call identification procedure; information on your personal characteristics; employment information; economic, financial and insurance information; and information on goods and services transactions.

• Submission of Information to CIRBE: As a financial institution, we must comply with the legal obligations applicable to the financial system and we will process your data for the following purposes:

(i) To report the risks relating to your banking transactions to CIRBE based on the number of credits or loans you have requested as well as the amounts associated with them, their recoverability and, if applicable, defaults on your part, e.g. failure to pay your credit or loan within the agreed term. By way of example, if you requested a loan of €10,000, to be repaid within four years, we will report this circumstance to CIRBE as well as any failure to pay any of the loan instalments. The purpose of this message is to allow other financial institutions to consult CIRBE and, based on the information shown therein regarding your financial transactions and the risks inherent to them, assess your appropriateness as a customer in the event that you request any type of loan or financial product.

The legitimate basis for such data processing includes the following:

o Compliance with legal obligations: In particular, Openbank will carry out this processing to comply with the legal obligations applicable to the financial system and, in particular, Law 44/2002 on the Reform of the Financial System.

The personal data categories that Openbank will process for the purposes described above are the following: identifying information and information on goods and services transactions.

• Reporting information to the Tax Agency (“AEAT”): As a financial institution, we are required to report certain information about our customers to the AEAT and the competent tax authorities of other countries in compliance with the regulations on the automatic exchanging of tax information. Accordingly, we will process your personal data for the following purposes:

(i) To report your tax residence and information regarding the contractual relationship you have with us to the AEAT, which in turn may be required to be sent to the competent tax authorities of other countries.

The legitimate basis for such data processing includes the following:

o Compliance with legal obligations: In particular, Openbank will carry out such processing to comply with the Foreign Account Tax Compliance Act -FATCA- enacted by the United States of America, and the Common Reporting Standard -CRS- enacted by the Organization for Economic Cooperation and Development (hereinafter “OECD”).

The personal data categories that Openbank will process for the purposes described above are the following: identifying information; tax residence and information related to the contractual relationship.

• Reporting information to other companies of Grupo Santander for the prevention of financial crime: At Openbank, we will report your data to other companies belonging to Grupo Santander (under the terms of Article 42 of the Commercial Code), of which we are part, along with any relevant transaction data for the following purposes:

(i) To comply with the internal regulations of Grupo Santander developed to comply with our legal obligations in the area of financial crime prevention;

(ii) To allow the companies of Grupo Santander to comply with their legal obligations in regard to anti-money laundering and anti-terrorism-financing;

(iii) To allow the companies belonging to Grupo Santander to comply with their regulatory reporting obligations to the supervisory authorities (European Central Bank or the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (hereinafter, “SEPBLAC”).

The legitimate basis for such data processing includes the following:

o Complying with other legal obligations: In particular, Openbank will carry out this processing to comply with (i) our obligations to prevent financial crime, complying particularly with the provisions of Directive 2015/849 and the Delegated Regulation of the European Union (EU) 2019/758; (ii) our obligations with regards to anti-money laundering and anti-terrorism-financing; and (iii) mandatory reporting to the competent supervisory authorities.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identifying information; information on your personal characteristics; employment data; economic, financial and insurance information; and information on goods and services transactions.

• Reporting non-payments to credit information databases: In the event of any non-payment on your part during your contractual relationship with Openbank, we will process your personal data for the following purpose:

(i) To report said non-payment to the credit information database of Asnef-Equifax Servicios de Información sobre Solvencia y Crédito, S.L., which is responsible for managing the ASNEF Database. You can access additional information on the data processing by this company by visiting their website.

(ii) To report said non-payment to the Experian Bureau de Crédito, S.A. credit information database, which is responsible for the management of the BADEXCUG Database. You can access additional information on the data processing by this company by visiting their website.

Such disclosures shall comply with the procedures, rights and guarantees established and recognised at all times by the legislation in force.

The legitimate basis for such data processing includes the following:

o Our legitimate interest in preventing non-payment situations that are detrimental to us and to adequately control them, and per the legitimate right held by third-party financial institutions to be informed of any non-payment when processing new financing applications.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identifying information and information relating to defaults or debts you have acquired.

• Detecting and preventing potential attempted fraud: At Openbank, our obligation and our goal is to prevent fraud and protect you and the rest of our customers against possible fraudulent and criminal behaviour, such as identity theft, the counterfeiting of cards, or password theft. We will process the data you have provided us with directly, e.g. data related to your location, patterns of conduct, or data we obtain from specialised external sources (such as fraud prevention agencies) to detect and prevent potential fraud attempts, and especially for the following purposes:

(i) If you are already an Openbank customer, we will consult your data in our own internal sources, in order to  perform a behavioural analysis of your transactional profile as a customer using fraud prevention tools. Thus, each time you request a new operation or transaction, we will assess it according to your transactional profile, enabling us to determine whether or not this transaction is normal according to your habits and whether it can be considered as suspected fraud. This will allow us to detect potentially fraudulent activities such as improper access to customers’ personal information, possible identity theft or any situation that could be interpreted as fraudulent or undesired use of the account, in order to protect our customers’ interests. If any attempted fraud or suspicious activity is detected (e.g. repetitive transfers or use of a device other than the usual one), and except where public interest is involved, we will inform you accordingly, review the available information and, if necessary, request additional information. Likewise, as a precautionary measure, and until we perform the appropriate checks, any transaction will be put on hold.

(ii) If you are not yet an Openbank customer, before you enter a contract with us, we will perform different analyses to prevent fraudulent transactions, such as verifying your identity and detecting possible inconsistencies in the information provided. If we detect any anomaly when opening the account, we will proceed to block the operation until it is clarified. For the analyses we conduct, we use information that you provide us with during the registration process, e.g. your email domain, age and variables associated with the request you are making, other variables and metadata associated with your request related to the devices from which you have applied to open the account, the browser or the operating system you use, and information from publicly accessible sources we obtain from the  National Institute of Statistics,  specifically  income data based on the post code in which you reside, obtained from the National Institute of Statistics website: www.ine.es specifically using statistical data on household income. Information last updated: 2018.

Likewise, before you enter a contract with us, we will share some of your personal data with third-party service providers that help us detect and prevent possible fraud attempts, complying with and respecting the procedures, rights and guarantees that the legislation in force establishes and grants you at all times. Information we share with these third parties includes some of the information you provide when you register as a customer, such as your email address, as well as information related to your browsing, such as the IP address of your device.

These third parties we use to help us detect and prevent fraudulent transactions are:

o Emailage Limited, a company established in the United Kingdom. Emailage is also the data controller for your personal data and will use it for the purposes set out in its privacy policy. You can exercise your data protection rights with Emailage at privacy@emailage.com.

o Confirma Sistemas de Información, S.L.,  the company to which we will send your information if you start a contract process with us. In particular, we will send your data to the CONFIRMA Database with which Openbank is registered, to detect and avoid possible fraud attempts. With regard to the CONFIRMA Database, we are required to inform you of the following:

“Applicants are informed that their data included in this application will be submitted to the CONFIRMA Database, which is designed to prevent fraud. The legal basis for the processing of personal data is the legitimate interest of the data controller in preventing fraud (Recital 47 of the General Data Protection Regulation 2016/679). The maximum period for retaining data is two years.

The data controllers are the signatories of the CONFIRMA Database Regulations, and the data controller is Confirma Sistemas de Información, S.L., address: Avda. de la Industria 18, Tres Cantos, 28760, Madrid. Applicants may consult the list of signatories of the CONFIRMA Database Regulations on www.confirmasystems.es. The CONFIRMA Database is accessible to the signatories of its regulations that, within their field of activity, may be affected by fraud.

The data reported to the CONFIRMA Database may be transferred to signatories to the corresponding Regulations. No transfer of data to a third-party country or international organisation is envisaged.

In accordance with current data protection regulations, the signatories may exercise their rights of access, rectification, erasure, limitation of processing or objection by contacting the data processor, CONFIRMA SISTEMAS DE INFORMACIÓN, S.L., at the above address. Signatories may also exercise their right to lodge a claim with the Supervisory Authority.

Confirma Sistemas de Información, S.L. has appointed a Data Protection Officer, whose email address is dpo@@confirmasistemas.es”.

The legitimate basis for such data processing includes the following:

o Our legitimate interest in preventing fraud both with new customers and with existing customers (Recital 47 of the General Data Protection Regulation 2016/679 (“GDPR”) and Legal Report 195/2017 of the Spanish Data Protection Agency) and avoiding harm to our customers.

o Complying with other legal obligations: In particular, Openbank will carry out this processing in compliance with Decision (EU) 2016/456 of the European Central Bank, of 4 March 2016, regarding the conditions governing the investigations carried out by the European Anti-Fraud Office within the European Central Bank in the fight against fraud, corruption and any illegal activity affecting the financial interests of the Union (ECB/2016/3) (recast) (OJEU of 30 March).

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identifying information; information on your personal characteristics; information on goods and services transactions; employment information; and internet browsing data and details about the device used.

• Design and training of risk and behaviour models: For Openbank, it is important that we have a solid understanding of the needs for financial and banking products and services, the creditworthiness and consumption habits of our active customers. Therefore, we will carry out pseudonymisation and/or anonymisation procedures on your personal data that we will use to design and train algorithms, allowing us to create different behaviour and risk models, which we will subsequently use to carry out profiling activities on active customers. In particular, to design and train our behaviour and risk models, we use pseudonymised and/or anonymised personal and financial information from our own sources and external sources, such as:

i. Information we have about you sourced from the documentation you have provided and your contractual relationship with us.

ii. Information appearing in Openbank’s databases related to your behaviour during operations undertaken with us.

iii. Information held in creditworthiness databases to which we have access, such as the ASNEF Database or the BADEXCUG Database.

iv. Statistical information on income data based on the post code in which you reside, obtained from the National Institute of Statistics website: www.ine.es, specifically using statistical data on household income. Information last updated: 2018.

While your personal data will be used to design and train our behaviour and risk models, this processing linked exclusively to such design and training will not have any individualised legal consequences on you and, upon training the model, at no time will we use your identifying personal data.

Subsequently, and in other cases entailing the processing of your personal data explained in previous sections of this Policy, we will be able to use these behaviour and risk models to compare our customer database against them, to profile our customers, both for marketing purposes (sending advertising) and to analyse and assess your level of risk and creditworthiness and your propensity to purchase any of our products. Likewise, depending on the behaviour and risk model we use, we may use internal and/or external sources depending on: (i) the credit product you apply to take out; and (ii) if you are already an existing Openbank customer. The reason for which the profiling level is different depending on whether or not you are an existing Openbank customer is because, if you are a customer, we already have information on you sourced from the contractual relationship that allows us to predict your risk of default without consulting external sources.

We would also like to inform you that at Openbank we have a control model that ensures the quality of the information of the algorithms used for the design of our behaviour and risk models.

The legitimate basis for such data processing includes the following:

o Our legitimate interest in designing, creating and offering innovative and efficient financial products and services to our customers based on the different behaviour and risk models created by our algorithms.

The personal data categories that Openbank will process for the purpose described above are as follows: economic, financial and insurance information; information on goods and services transactions; as well as information on financial solvency obtained from external sources such as CIRBE, ASNEF Database, BADEXCUG Database, other statistical information about income data based on the post code for your place of residence obtained from the National Institute of Statistics and other metadata such as data from your device when you connect.

• Follow-up of our messages with you for analytical purposes.

To be able to analyse the functioning of our products and services, we monitor how you interact with the different messages we send you. This means that, if you receive an email from Openbank, we can find out if you have opened it, as well as other information associated with the email. We will use this information for analytical purposes in order to determine whether you are interested in our messages, whether we should improve them or understand how we can improve our customer experience through the different communication channels according to customer needs and interests, for example, by analysing whether our customers are more receptive through the telephone channel than by email.

The legitimate basis for such data processing includes the following:

o Our legitimate interest in sending marketing messages and providing our customers with information about Openbank products and/or services similar to those they have taken out and/or engaged.

The personal data categories that Openbank will process for the purpose described above are as follows: Identifying information and metadata linked to the message sent, such as the time the email is opened.

•Recording of your voice and/or image and electronic conversations held with you: Throughout your contractual relationship with Openbank, there may be situations in which we record your voice and/or image and electronic conversations we have with you relating to operations and queries. In such situations -of which you will be informed, in advance and expressly, when they occur- we will store the telephone and/or electronic conversation for the following purposes:

(i) To conduct an internal audit of the quality of the service; and

(ii) To use the recording as proof of the instructions received and/or the service provided -both in and out of court- if necessary.

The legitimate basis for such data processing includes the following:

o Our legitimate interest in recording your voice, as well as the electronic conversations we have stored to: (i) be able to audit the quality of our services and thus improve them and make them more efficient; and (ii) respond to information requests from the competent authorities or use the recordings as evidence in court.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: identifying information; economic, financial and insurance information; as well as data and information necessary to audit the quality of our services.

• Processing of the personal data of representatives, proxies of legal entities and individual business owners: If you are an individual business owner or represent a legal entity which is a customer of Openbank or is interested in taking out any of our products or services, we will process your contact details as well as those relating to the position you hold and, in general, the necessary details of your professional contact information, for the following purposes:

(i) To contact the legal entity you represent; as well as

(ii) To maintain and manage the contractual relationship that binds us to it.

The legitimate basis for such processing includes the following:

o Execution and enforcement of the contract with the legal entity you represent.

o Our legitimate interest in processing the personal data of individual business owners, representatives and/or attorneys-in-fact of legal entities in order to manage and maintain the business and contractual relationship with the legal entities they represent.

o Compliance with legal obligations in order to verify your capacity to represent the legal entities and the validity of the position you hold, as well as to comply with our formal identification obligations under Law 10/2010 on Anti-Money Laundering and Anti-Terrorism Financing.

The personal data categories that Openbank will process for the purposes described above are the following: identifying information and information on the legal entity or employer you represent.

•Sending notifications via the Openbank website and app: We will process your data to send you notifications via email, web push, SMS, the Openbank app and/or website for the following purposes:

(i) To notify you about certain circumstances that occur with the products and services you have taken out or engaged with Openbank (one case would be notifications of denied transactions). Therefore, if you hold one of our cards, we may send you notifications every time you use it for security purposes and to allow you to check your spending and be alerted when a purchase is rejected.

(ii) To send you notifications for the prevention of financial fraud, security alerts and/or expense control when you use any of the products you have taken out with us, as is the case with a credit card. You can activate/deactivate and even configure some of the notifications as you wish by adjusting the settings in the “Notifications” section of the app’s main menu, or in the “Notifications” section of your Customer Area on our website.

The legitimate basis for such data processing includes the following:

o For the proper performance of the contract, we may send you notifications relating to the transactions you perform through the products and services you have purchased or engaged.

o Our legitimate interest in sending you notifications, the purpose of which is the prevention of financial fraud as well as security alerts when operating with any of the products you have taken out with us, such as a credit card.

The personal data categories that Openbank will process to carry out the purposes described above are the following: identifying information.

• Surveys and market studies: Openbank will process the personal data associated with the use of the products and services you have taken out or engaged in order to conduct customer satisfaction surveys via email, SMS, telephone or other communication channels, market studies or internal statistics, and prepare commercial reports to better understand the consumer habits of our customers, and thus be able to internally assess the design, creation and improvement of new products that may be of interest to our customers or enter into business agreements with third parties. If possible, we will anonymise your personal data to conduct our surveys and market research.

The legitimate basis for such processing includes the following:

o Our legitimate interest in using data obtained through surveys, market research, internal statistics or business reports to improve our products and the provision of services to customers.

The personal data categories that Openbank will process for the purpose described above are the following: identifying information; economic, financial and insurance information; and browsing data.

• To address your legal claims and for Openbank to safeguard legal rights.

In defence against the claims you may file against Openbank, we will process the personal data necessary to be able to draw up and defend any claims, judicial or extrajudicial, initiated by this bank or by you.

The legitimate basis for such processing includes the following:

o Our legal obligation to resolve the claims lodged by data subjects in compliance with the provisions of Regulation (EU) No. 524/2013 of the European Parliament and of the Council of 21 May 2013, on dispute resolution, and in compliance with the regulations, which govern the transparency of banking operations and the protection of customers.

o Our legitimate interest in responding to different legal, administrative or judicial claims, processing them and exercising any legal action we deem appropriate, as well as defending us from those that could be directed against the company, per our right to effective judicial protection. You cannot object to this processing, as the reasons for it are imperative.

The personal data categories that Openbank will process for the purpose described above are as follows: identifying information; economic, financial and insurance information, as well as data necessary to be able to resolve the claim filed.

• Addressing your requests for information on social media: When you make use of our social media channels such as Facebook, Twitter or Instagram to request information from us or to make an enquiry, we will process your personal data using specialised tools, for the following purpose:

(i) To streamline and optimise the answers to your questions made through social media. Please note that when you use our social media channels, the processing of your personal data will also be subject to the provisions of the privacy policy of the corresponding social media company through which you request information or make an enquiry.

(ii) Likewise, we will analyse the interactions (comments or posts) related to Openbank that you submit via different social media channels to internally determine what improvements can be implemented in our operations and the products and services we offer our customers. Thus, in the event that a high number of customers complain on social media about a specific onboarding step, we will take into account these complaints to improve the problems mentioned by users on social media; or if many customers liked a promotion and expressed this on social media, we can launch this promotion again after a while.

The legitimate basis for such data processing includes the following:

o Our legitimate interest in being duly able, in the quickest and most attainable way, to address enquiries from our customers submitted to us through social media, as well as offering an efficient and simple operation and products which are adapted to the expectations and needs of our customers.

The personal data categories that Openbank will process for the purpose described above are the following: identifying information.

•Capturing images through video surveillance systems at our branches: When you access one of our branches, we will capture images of you through our video surveillance systems. We will process your images captured through video surveillance systems for the following purpose:

(i) to safeguard your integrity, as well as that of our assets and our own facilities.

The legitimate basis for such data processing includes the following:

o  The legal obligation relating to the installation of image-capture and registration systems in banking establishments and branches, under the provisions of: Organic Law 4/2015, of 30 March, on the protection of Citizens’ Security; Royal Decree 2364/1994, of 9 December, which approves the Private Security Regulations: and Order INT/317/2011, of 1 February, on private security measures.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identification data (images).

• Audits and verification of compliance: We will process your data related to the performance of the internally implemented compliance verification controls, as well as in the context of different audits.

The legitimate basis for such processing includes the following:

o Compliance with legal obligations, such as, for example, conducting account audits.

o Our legitimate interest in verifying the suitability of our processes, in order to comply with legal obligations and internal quality standards for the identification, control and mitigation of legal or operational risks. Please note that this information may be accessed by third parties providing the audit service for these purposes.

The personal data categories to be processed by Openbank  are  all the personal data to which it has access.

4.5 Sending marketing messages

In this section, we provide information on the scope, purpose and legitimate basis for the different types of processing we will carry out on your personal data based on the different marketing messages we can send you from Openbank. However, please note that you may at all times exercise your rights regarding data protection as set out in section 7 in relation to such processing, and especially the right to object. Likewise, to avoid inconveniencing you and to comply at all times with the provisions of the law, prior to processing your data for marketing purposes or via postal mail or telephone calling, we will consult the advertising exclusion databases (Robinson Lists) included in the list published by the Spanish Data Protection Agency to verify that you do not appear on one of these, in cases where such consultation is legally required.

• Sending marketing messages about Openbank products and services or benefits associated with them, adapted to your profile based on information obtained from internal sources:

As soon as you have taken out our services, your personal data will be used to send you marketing messages for our own products and services, including those you have already taken out (by mail, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time). These messages will be personalised with information that will be extracted from our internal sources and based on which we will create profiles generated from your behavioural patterns.

The goal we pursue with the creation of these profiles is to be able to carry out an analysis related to your economic and personal characteristics, based solely on the search for information from internal sources, in order to determine which related products and services best suit your situation based on two variables: your willingness to take out the product and the probability of the transaction being approved. The profile will be created through an automated decision, in which the following logic will be applied:

We will process the information you provide to determine your payment behaviour, the customer segment or segments you belong to -according to our internal classification criteria- and the periodic fulfilment of your contractual obligations. This activity may lead us to make a decision not to offer you certain products or services, depending on the risk that the bank estimates and the rating determining following analysis of the information obtained.

In addition, we will process your personal data to analyse your behaviour regarding the impact and success of our commercial campaigns.

These data-processing activities will continue during the term of the contract signed with you, unless you indicate otherwise by exercising your right to object.

The legitimate basis for such data processing includes the following:

o Our legitimate interest in promoting and offering our products and services, by sending general messages or messages adapted to your personal characteristics.

We hereby inform you that Openbank’s main interest in carrying out this data processing is to maintain our relationship with you by offering new products and improving the conditions of the products and/or services you have taken out or engaged, and offer you information about Openbank and its products that may be of interest to you. Additionally, this allows Openbank to continue its economic activity and grow within the financial and banking sector.

Openbank considers that the personal data processing activities mentioned above do not constitute an impediment to the normal exercising of your rights and freedoms, as they are considered normal practices within the business sector, so we understand that the receipt of this type of message will not be detrimental to your expectations. We also undertake to use the least harmful means to carry out such data processing activities.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identifying information and economic, financial and insurance information.

• Sending marketing messages about Openbank products and services, adapted to your profile based on information obtained from internal and external sources:

Provided you have given us your prior and express consent, Openbank may send you personalised marketing messages about its own products and services, while our contractual relationship is in force, and even after the termination of the contract for a maximum period of two years. These marketing messages may be sent by automated and non-automated means (by mail, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into account the analysis of your customer commercial profile.

This profile will be generated from the analysis of your behaviour and risk patterns, as well as the information extracted from the external sources indicated in section 3 of this Policy.

The purpose of these profiles is to analyse your economic and personal characteristics, in order to determine which products marketed by this bank best suit your situation based on two variables: your willingness to purchase the product and the probability of the transaction being approved. The profile will be created through an automated decision, in which the following logic will be applied:

We will process the information you provide to determine your payment behaviour, the customer segment or segments you belong to -according to our internal classification criteria- and the periodic fulfilment of your contractual obligations. This activity may lead us to make a decision not to offer you certain products or services, depending on the risk we estimate and the rating determined following analysis of the information obtained.

In relation to this processing activity, you can withdraw the consent given to Openbank at any time through the channels provided for this purpose in this Privacy Policy.

It is important that you understand that this data processing activity is limited to the aforementioned purpose, which is to suggest Openbank products and services to you.

The legitimate basis for such data processing includes the following:

o Your prior informed consent to send the marketing messages described above.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identifying information and economic, financial and insurance information.

•  Sending marketing messages about third-party products and services, adapted to your profile based on information obtained from internal and external sources:

Provided you have given us your prior and express consent, Openbank may send you personalised marketing messages about third-party company products and services, even after the termination of the contract for a maximum period of two years. These marketing messages may be sent by automated and non-automated means (by mail, telephone, SMS, instant messaging applications, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into account the analysis of your customer commercial profile.

With regard to third-party companies from which we will send you marketing messages about products and services, please note that said institutions carry out their individual commercial activity -but not exclusively- in the following sectors: financial, insurance, leisure and tourism, entertainment, telecommunications, information society, retail, luxury, health, food, automotive industry, hospitality, department stores, energy, real estate and security services, among others.

This profile will be generated from the analysis of your behaviour and risk patterns, as well as the information extracted from the external sources indicated in section 3 of this Policy.

The aim of these profiles is to be able to analyse your economic and personal characteristics, in order to determine which products marketed by such third parties best suit your situation based on two variables: your willingness to take out the product and the probability of the transaction being approved. The creation of the profile will be the result of an automated decision and will relate to the information that we have provided to you regarding profiling throughout this policy.

We will process the information you provide and the information we extract from external sources to determine your payment behaviour, the customer segment or segments you belong to -according to our internal classification criteria- and the periodic fulfilment of your contractual obligations. This activity may lead us to make a decision not to offer you certain third-party products or services, depending on the risk we estimate and the rating that results from the analysis of the information obtained.

In relation to this data-processing activity, you can withdraw the consent given to Openbank at any time through the channels provided for this purpose in this Privacy Policy.

It is important that you understand that this data-processing activity is limited to the aforementioned purpose, which is to suggest third-party products and services to you.

The legitimate basis for such data processing includes the following:

o Your prior informed consent to send the marketing messages described above.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identifying information and economic, financial and insurance information.

• Transfer of data to other companies of Grupo Santander for sending marketing messages and promotional offers:

As long as you have given us your prior and express consent, Openbank may transfer your personal data to other companies belonging to Grupo Santander (under the terms of Article 42 of the Commercial Code). The purpose of this transfer is to be able to inform other Grupo Santander companies of the categories of your personal data detailed below in this clause, in order for them to offer you their products and services that may be of interest to you, even after the end of the contract, for a maximum period of two years.

The companies belonging to Grupo Santander with which we will share your personal data are as follows:

• Santander Consumer Finance S. A. located at Av. de Cantabria s/n - 28660 Boadilla del Monte, Madrid (“Santander Consumer”). Data Protection Officer: scprotecciondedatos@santanderconsumer.com

• Santander Consumer Renting, S.L., located at Calle Santa Bárbara, 1 28180 Torrelaguna, Madrid (same DPO as Santander Consumer)

• Transolver Finance EFC, S.A., located at Avenida de Aragón 402 28022 Madrid (both same DPO as Santander Consumer).

These marketing messages may be sent by automated and non-automated means (by mail, telephone, SMS, instant messaging apps, email, web push, pop-up or any other electronic or telematic means available at any time) and will take into account the analysis of your customer profile, according to the information provided to these third parties. This profile will be generated from the analysis of your behaviour and risk patterns, as well as the information extracted from the external sources indicated in section 3 of this Policy.

In relation to this data-processing activity, you may withdraw the consent given to Openbank at any time through the channels provided for this purpose in this Policy, as well as through the channels that these third parties make available to you in their respective Privacy Policies.

It is important that you understand that this data-processing activity is limited to the aforementioned purpose, which is to suggest other products and services from Grupo Santander to you.

The legitimate basis for such data processing includes the following:

o Your prior and express consent for the transfer of your data to other institutions of Grupo Santander (under the terms of Article 42 of the Commercial Code) and for them to offer you their products and services by sending marketing messages.

The personal data categories that Openbank will process to carry out the purposes described above are as follows: Identifying information and economic, financial and insurance information.

• Personalised advertising on Openbank’s private website:

When you log in to your Customer Area on our website, we will show you advertising about features, products and services that we consider may be of interest to you based on the products you have taken out. You can opt out of this type of personalised advertising, following the instructions in section 7 “What are my rights regarding the processing of my personal data?”; however, you will continue to receive generic ads that will not be based on your interests or preferences.

The legitimate basis for such data processing includes the following:

o Our legitimate interest in sending marketing messages and providing our customers with information about Openbank products and/or services similar to those they have taken out or engaged as they will be more likely to take them out.

The personal data categories that Openbank will process to carry out the purpose described above are as follows: Identifying information and economic, financial and insurance information.

• Sending information on products and services that are of interest to you through social media:

If you are registered in social media, we will process your personal data for the following purposes:

(i) To show you ads directed to you specifically regarding Openbank products or services that are similar to those you have already taken out with us and that may be of interest to you.

In order to perform these actions, we will use tools that social media companies have developed specifically for this purpose (such as, for example, Facebook Custom Audiences). The social media companies themselves will provide you, in their privacy policies, with information on how they process your data using these tools for which we act as joint data controllers.

By using these tools, Openbank conducts segmentation based on users’ interests and, therefore, if you are a social media user and are classified as being in the audience we select, you could receive advertising from Openbank. Please note that, in these cases, Openbank only performs audience segmentation but does not have access to the final users receiving the advertising. Therefore, in order to object to receiving these messages, you must contact the social media company that sent you the advertising.

The legitimate basis for such data processing includes the following:

o Our legitimate interest in sending marketing messages using different means about Openbank products and/or services.

o Notwithstanding the foregoing, when, based on the use of the different tools that social media companies have developed, you are subject to comprehensive profiling, we will check that the tool has requested prior and express consent  from users to carry out the processing described herein and to be able to send you information about products and services of interest to you.

The personal data categories that Openbank will process to carry out the purpose described above are as follows: Identifying information and economic, financial and insurance information.

5. How long will Openbank store my data?

At Openbank, we will keep your data as long as is required for the purpose for which your data was collected and, subsequently, we will keep it blocked for the legally-established retention periods or statutory limitation periods. After such periods, we will proceed to destroy the data.

In particular, if you are a customer, we will process your data for as long as you maintain the contractual relationship with us. As soon as this relationship has ended, and as a general rule, we will keep your personal data blocked for ten years, until the obligations deriving from the contract have expired, as required by the regulations for the prevention of money laundering. Where applicable, we will also abide by statutory limitation periods depending on the specific contracts you enter into with Openbank (e.g., up to 21 years under the mortgage regulations). Once the above-mentioned legal deadlines have elapsed, we will proceed to destroy your data.

For applications or simulations that you carry out that do not lead to establishing a contractual relationship, we will keep your data for the amount of time we deem reasonable, to avoid duplicating your steps and in case we have to defend ourselves against any claim for any use we made of your data. We will then proceed to destroy the data.

6. With whom do we share your personal data?

Openbank may disclose your personal data to the following recipients based on our legitimate interests, the legal obligations with which we are required to comply and/or the products you have taken out:

i. We will send your personal data to public authorities, official bodies or banking monitoring and supervisory institutions and competent tax authorities that require it, in order to comply with the regulations that are applicable at any time in the banking and financial sector, regulations on anti-money laundering and combating the financing of terrorism and legislation on consumer protection.

ii. In the event of non-payment, we will send the data to creditworthiness databases (ASNEF database and BADEXCUG database), complying with the procedures and guarantees established at all times and recognised by current legislation.

iii. We will share your data with companies belonging to Grupo Santander (under the terms of Article 42 of the Commercial Code), in order to comply with their internal regulations on the prevention of financial crime, their legal obligations to prevent money laundering and regulatory reporting to the supervisory authorities or sending marketing messages.

iv. When you take out or engage certain products or services (such as funds, pension plans, insurance), we will send your data to third-party partners for the correct provision of the service (i.e., asset managers, product depositories, insurers).

v. We will report your data to Notaries Public whenever their involvement is required, whenever the service you have requested from us has to be formalised with their participation (as is the case when taking out mortgages).

vi. Your data will also be passed on to appraisal companies, whenever their involvement is necessary based on the product you have taken out (such as a mortgage), in order to manage the appraisal request and draw up the corresponding appraisal report.

vii. We will forward your data to Public Registries (such as the Property Registry) when the corresponding guarantees (mortgages) are to be registered.

viii. We will share your data with Emailage Limited and Confirma Sistemas de Información, S.L. in order to detect and prevent potential fraud attempts, complying with and respecting the procedures, rights and guarantees that the legislation in force establishes and grants you at all times.

ix. Similarly, at Openbank, we collaborate with third-party service providers who may have access to your personal data, but who will process them in our name and on our behalf, following our instructions at all times, and always in order to provide us with the services that we may have engaged from them in each case. Specifically, Openbank engages services from third-party providers who carry out their activity in, amongst others, the following sectors: logistics services, legal advisory services, private valuation/appraisal services, supplier approval, multidisciplinary professional services companies, hosting companies, maintenance-related companies, technology service providers, IT service providers, physical security companies, instant messaging service providers, infrastructure management and maintenance companies,  call centre services companies and audit and control companies. In any case, Openbank follows strict criteria for the selection of third-party service providers in order to comply with our data protection obligations, and we undertake to enter into the corresponding data processing contract with them, imposing, inter alia, the following obligations: to implement appropriate technical and organisational measures, to process personal data for the agreed purposes and in accordance with our documented instructions only, and to delete or return the data to us upon completion of the services.

x. We transfer your data internationally only within the framework of some of the above-mentioned services by third-party providers. The purpose thereof will always be the maintenance and management of the contractual relationship you have with us or the prevention of fraudulent actions or transactions. These transfers are made both to countries that offer an adequate level of protection, comparable to that of the European Union, and also to countries without such a level. In the latter case, you do not have to worry. Openbank uses various mechanisms established by regulations to comply with all guarantees when dealing with your personal data, such as standard contractual clauses or certification mechanisms. You can consult any international data transfers we perform either directly or by subcontracting some of our suppliers here, or by referring to privacy@openbank.es.

7. What are your rights in relation to the processing of your personal data?

We inform you that you have and can exercise the following rights:

•    Right of access: you have the right to obtain confirmation about whether or not we are processing personal data that concerns you and, if so, access such data.

•    Right to data portability: you have the right to receive the personal data you have provided to us in a commonly used and readable, structured format and to transfer these to another bank.

•    Right to rectification: you have the right to request data rectification when inaccuracies are detected.

•    Right to erasure: you may request the erasure of data when, amongst other reasons, it is no longer necessary for the purposes for which you provided such data.

•    Right to object: in certain circumstances, you may object to certain processing of your personal data (such as objecting to electronic marketing). In such a case, Openbank will immediately cease such data processing, in accordance with the applicable regulations.

•    Right to restriction of processing: in certain circumstances established by current data protection regulations, you may request a restriction on the processing of your data.

•    Right to withdraw your consent: you can withdraw any consent you have given at any time. Withdrawal of consent will not affect the lawfulness of the processing based on the consent prior to its withdrawal.

•    Right not to be subject to a decision based solely on automated processing: if you have authorised profiling and it is carried out entirely by an automated procedure, you may request the personal involvement of one of our analysts, express your point of view and challenge decisions based on such profiles.

You may exercise the above-mentioned rights through the following channels:

•    Website: from the “Personal details” section of your customer profile.

•    Email: privacy@openbank.es.

•    Post: “Open Bank, S.A.”, Plaza de Santa Bárbara, 2, 28004, Madrid.

•    Branch: Paseo de la Castellana 134, 28046, Madrid.

•    Contact Centre: 900 22 32 42. If calling from abroad: (+34) 91 276 21 54.

Finally, you may file a claim with Openbank and/or the Spanish Data Protection Agency (as the Supervisory Authority responsible for data protection), especially when you are not satisfied with the exercising of your rights, by writing to the address above, if writing to Openbank, or to C/ Jorge Juan, 6. 28001 – Madrid, if writing to the Spanish Data Protection Agency; or through the website at www.aepd.es.

8. Do you need to keep your data up to date?

In order to be able to communicate with you properly, as well as be able to correctly provide you with the services you have engaged, you undertake to ensure that all the information you provide us with is correct, complete, exact and duly updated, assuming any liability that may arise from having provided us with incorrect, erroneous or inaccurate information.

Therefore, if you change any of the personal details you have given us, especially your postal address, email and contact telephone numbers (landline and mobile), please inform us as soon as possible by calling the Contact Centre: 900 22 32 42 (or +34 91 276 21 54 if calling from abroad), updating your information directly in your “Personal Details” section of your Openbank profile or emailing us at privacy@openbank.es. In some cases, we may need to ask you for some additional documentation or proof.

In the event that you do not inform us of these possible changes, you assume that the correspondence we have sent to your postal or email address, as well as to the contact telephone numbers in our files, must be considered valid, binding and fully effective.

9. Use of cookies

At Openbank, we use cookies to, for example, remember who you are when you log in to your Customer Area and customise content that is of interest to you based on your browsing habits.

When you visit the Openbank website, we will inform you about the cookies we use and you will be able to configure the analysis, advertising and personalisation cookies you use when browsing Openbank. You may refer to our Cookie Policy for more information.

10. Changes to this Privacy Policy

At Openbank, we are committed to keeping this Privacy Policy up to date in order to collect any new information that may arise in relation to the scope of the processing that we carry out on your personal data. For this reason, it is important that you regularly spend time reading and making sure you understand it. For any possible modification that we need to make, we will notify you in advance, at minimum through our website/app and through a personalised message that we will send to you in the Customer Area of your profile and to your personal email so that you have the opportunity to be properly informed at all times.

If you wish, you may download our privacy policy.

You may also download the previous version of our privacy policy (26 October 2020)

You may also download the previous version of our privacy policy (25 May 2018)