This privacy policy (hereinafter the "Privacy Policy" or the "Policy") is intended to regulate and provide information regarding personal data processing carried out by Open Bank, S.A. (hereinafter, "Openbank") of: (i) potential customers; (ii) existing customers; (iii) former customers; and (iv) other third parties involved whose data may be processed in Openbank due to the relationship we maintain with our customers, as is the case for guarantors/sureties, agents, legal representatives (of natural or legal persons) and individual business owners.

Through this Policy, we will provide you with information regarding the categories of personal data that we process, the means by which we have obtained your personal data, the purposes for which we collect and process your personal data, the legal basis for this processing, the recipients of the data, the length of time data is stored, your legal rights with regard to your personal data, as well as any other privacy information we believe should be provided to you in order to ensure our complete transparency at all times.

Please bear in mind that throughout your relationship with us, in addition to providing you with this Privacy Policy, we will inform you of some of the data processing that will take place.

Please take a moment to read and fully understand the contents. If you have any questions, you can contact our data protection officer using the details below.

2. WHO IS THE CONTROLLER FOR MY DATA?

Corporate name: Open Bank, S.A.

Registered Office: Plaza de Santa Bárbara, 2, 28004, Madrid.

Contact details of the Data Protection Officer: privacy@openbank.es.

3. WHAT DATE DO WE PROCESS AT OPENBANK AND HOW DO WE OBTAIN IT?

We will process the following categories of personal data which we obtain directly from you through the various information request forms and/or product or services application forms that we use. Please bear in mind that the data marked on each of the forms as "obligatory" is necessary for the correct execution of your pre-contractual or contractual relationship with Openbank. Therefore, in the event that these details are not provided, it will not be possible to process your request or provide our services.

(i) Identity data: tax/national identification number (NIF/DNI); full name; address; signature/fingerprint; image/voice; electronic signature; social security number; telephone number; email address; IP address; and biometric data.

(ii) Data relating to personal characteristics: marital status; mother tongue; physical characteristics; family details; date of birth; place of birth; age; gender; and nationality.

(iii) Data relating to social circumstances: licences, permits or authorisations; club or association membership; interests and lifestyle; property and possessions; family status; and housing characteristics.

(iv) Specially protected data: health or relating to the committing of criminal offences, where appropriate.

(v) Academic and occupational data: education and qualifications; education history; professional experience; and professional association memberships.

(vi) Employment data: profession; job role; non-financial payslip data; and employee history.

(vii) Data relating to marketing: activities and businesses; business licences; subscriptions to publications; and artistic, literary or scientific creations.

(viii) Data relating to finances and insurance: income and revenue; tax deductions; investments and assets; information regarding insurance, mortgages, credit and loans taken out; guarantees; bank details; subsidies and benefits; pension and retirement plans; credit history; financial payslip data; and credit cards.

(ix) Data relating to transactions involving goods and services: compensation and indemnities; financial transactions; and goods and services received or provided.

In addition to the above data that you provide directly through the various information request forms and/or product or services application forms, we will process other data we have about you on internal sources, such as: (i) data we obtain deriving from our contractual relationship with you; (ii) data we obtain as a consequence of your interaction through our website/app; and (iii) inferred data that we deduce and/or obtain from data that you have provided previously (as is the case when we create profiles).

Similarly, in addition to the above personal data, and according to the product taken out, as explained in greater detail below, we will process additional data about you that we obtain from the external sources listed below, in accordance with the procedures, rights and guarantees established at any given time by the legislation in force:

(i) Public bodies, such as the Ministry of Finance, the General Treasury of Social Security and the Spanish Tax Agency.

(ii) Sources in the public domain, such as telephone books and public records, including the National Statistics Institute (hereinafter, the “INE”), the Trade Registry, the Property Registry and the Land Registry.

(iii) Shared creditworthiness filing systems from (i) Asnef-Equifax Servicios de Información sobre Solvencia y Crédito, S.L. (hereinafter the "ASNEF Filing System"); and (ii) Experian Bureau de Crédito, S.A. (hereinafter the "BADEXCUG Filing System"), including the legal information filing system (hereinafter the "FEIJ Filing System"), from which we obtain data about your creditworthiness and any non-performing loans.

(iv) Credit information filing systems, such as the Bank of Spain's Risk Information Centre (hereinafter the "CIRBE"), a public service operating under Law 44/2002, of 22 November, on reform measures for the financial system, which provides the risk data necessary for banks' financial activity. In accordance with the aforementioned law, at Openbank we are entitled to obtain reports on the risks posed by natural or legal persons recorded by the CIRBE, provided that they have applied to us for a loan or any other risk transaction, when they have personally acted as a guarantor, or when said persons are listed as liable for payment or as guarantors in negotiable instruments or credit documents when the purchase or negotiation has been requested from Openbank. To obtain the aforementioned information from the CIRBE, we will request your authorisation as proof that we have duly informed you, as required by the applicable legislation.

(v) The Public Insolvency Register where you can consult the different procedural and insolvency resolutions and/or out-of-court agreements on insolvent debtors.

(vi) Fraudulent data detection filing systems that we consult.

(vii) Third-party companies that have been granted your consent to transfer your data to Openbank or otherwise legitimately transfer your data to Openbank in accordance with the legislation in force, as is the case for (i) mortgage intermediaries; (ii) third-party companies with which we collaborate to offer you better conditions (e.g. rebates, discounts) or to provide services (e.g. instant transfer service from Bizum, S.L., financial aggregator); (iii) third-party companies that make debits or credits to your Openbank account (e.g. when a salary payment is made, a transfer is received, or a bill is debited); (iv) other banks, for example if you request that Openbank is subrogated in the mortgage loan you have with them; or (v) other Santander Group entities of which you are a customer.

4. HOW DO WE PROCESS YOUR DATA?

Depending on the relationship you have with Openbank (from simply expressing an interest in one of our products or services without making a purchase, or becoming an Openbank customer and purchasing the products or services we offer), we will process your personal data differently. Below, we explain the scope of this processing in each case, including the categories of data processed, the purposes of the processing and the legal bases applicable.

Remember that, at any time, in relation to any of the processing described, you may exercise your data protection rights as set out in Section 7 "What rights do you have with regard to the processing of your personal data?". However, it is possible that if you decide to exercise your right to erasure and/or restriction, we will not be able to offer you or continue to provide the services and/or products taken out.

4.1 Response and management of your requests for information about Openbank products and/or services

On our website and/or app, there are different forms that users can complete voluntarily if they are interested in receiving information about our products or services, or running simulations of taking out any of our products. These simulations can also be run through our contact centre.

If you decide to complete any of these forms, or run any of these simulations, we will process the data you provide for the purposes of:

(i) Responding to your information request and sending you information by any means, including electronically, or calling you back, in relation to said information request.

The legal basis for this data processing is:

- Application of pre-contractual measures at the request of the data subject.

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data.

4.2 Management of your customer registration and application of pre-contractual measures

During your customer registration process, we will process the personal data you have provided about yourself, as well as data obtained from the sources mentioned below, for the following purposes:

(i) Managing your customer registration request and proceeding to apply the relevant pre-contractual measures necessary to enable us to manage the taking out or engagement of the product or service that you have requested from us and sending you information regarding the handling of your registration (for example, sending the necessary pre-contractual information to your email address).

(ii) Assessing your creditworthiness by consulting the ASNEF Filing System, and assessing your capacity to meet the financial obligations linked to taking out or engaging the product or service with Openbank, such as any direct debits for bills being set up on the account you are opening with us. Please bear in mind that, as a result of this consultation, we may approve or reject your registration. If we reject your registration, you will be informed immediately.

(iii) Preventing fraud at the time of the request to open an account in order to protect our customers and the company's solvency.

(iv) Assisting you with the application process by sending reminders in cases where you have applied to open an account but have not completed the process and there are steps pending (e.g. sending information), as well as detecting any incidents that prevent you from finalising the account opening process.

(v) Cancelling the recruitment application in the event you fail to complete the recruitment process within one month of its commencement.

(vi) Reliably identifying you in order to comply with the due diligence measures to which we are subject, in accordance with anti-money laundering legislation.

(vii) If you have opted for us to verify your identity via a third-party bank, we will process your data for these purposes and send them to the platform operated by Sociedad Española de Sistemas de Pago, S.A. (hereinafter, "Iberpay"), exclusively for the purpose of carrying out said verification in the account that you have indicated to us. We can inform you that the Iberpay platform data controllers are the entities in the National Electronic Clearing System (SNCE), with Iberpay acting as data processor.

(viii) Managing your signing of a contract with us, with an electronic signature.

(ix) Similarly, depending on the Openbank product you want to take out, we will carry out profiling using your data for the purpose of predicting your risk of non-performing loans and to determine whether we can grant you the Openbank product you have requested. For further information about this processing, you should consult the specific section referring to the product you want to take out in addition to opening an account (for example, if you take out a mortgage, we will process the data for this purpose, in accordance with the provisions of our Policy).

The legal bases for this data processing are:

- Correct execution of the contract. The application, at your request, of pre-contractual measures and execution and performance of our contractual obligations if, in the end, you do become an Openbank customer. Bear in mind that when you apply to open an account, you will also apply for a debit card to be able to carry out transactions with us. To protect the solvency of Openbank and the rest of our customers, before accepting a new customer, we must assess, at the pre-contractual stage, your financial capacity to meet your payment obligations, as well as your risk of non-performing loans or insolvency. We will explain the assessment carried out to assess your creditworthiness and the logic applied in each of the cases set out in Section 4.4 "Data processing once you become a customer, in relation to the products you have taken ou" of the Policy.

- Our legitimate interest in assisting you during the application process, by sending reminders in cases where you have started the contract process, but it has not been finalised and there are steps pending (e.g., sending information); as well as detecting any incidents that prevent you from finalising the application process. You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

- Our legitimate interest in preventing fraud (such as identity theft during formalisation of the contract or requests made based on false information), at the time of the customer registration request. You can find more details in Section 4.5.6 "Detection and prevention of possible attempted fraud".

- Our legal obligation to reliably identify you, in accordance with legislation on anti-money laundering and counter-terrorism financing Section 4.5.1 "Anti-money laundering and counter-terrorism financing".

The categories of personal data that Openbank will process in order to fulfil the purposes described above are as follows: identity data, which in some cases may be biometric – such as your image and voice if you identify yourself through an automated video call; employment data; economic, financial and insurance data; data relating to your personal characteristics; data relating to marketing; and identity data for people included in your account as holders and/or agents.

4.2.1 Specific data processing relating to the validation of the customer's identity

During your customer registration process, we must verify and prove your identity; for this purpose we will take whatever measures we deem necessary. Specifically, we will request a copy of your national identity document and verify its authenticity using an automated mechanism.

To do this, we will store a copy of the document (including your image) and, where applicable, we will view it in any media or format, for the sole purpose of verifying your identity when necessary to comply with the contract signed and to meet the requirements of the competent authorities and/or fulfil our legal obligations.

There will also be a second verification, which will involve a human being who will make the final decision regarding the authenticity of the national identity document.

The legal basis for this data processing is:

- Legal obligation. Among others, our legal obligation to ensure the accuracy of information under Article 5 of the General Data Protection Regulation 2016/679 (hereinafter the "GDPR"), according to Article 6.1 c) of the GDPR.

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data.

4.3 Adaptation of our contractual relationship in the case of vulnerabilities

If you expressly inform us that you have a visual or hearing impairment or any other vulnerability (e.g., you are a displaced person or over 65 in a vulnerable situation), we will use this information during the contractual relationship for the purpose of:

(i) Providing a service suited to your needs, such as for example not contacting you by telephone if you have hearing difficulties, and prioritising other channels of communic

The legal basis for this data processing is:

- The express consent that you have provided to us to process this data. Remember that if you change your mind, you can withdraw the consent you have given us according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data; and, where applicable, health data or data relating to your particular situation.

4.4 Data processing once you become a customer, in relation to the products you have taken out

Once you have satisfactorily completed your registration process and have formally become an Openbank customer, we will carry out the following additional processing of your personal data depending on the products and services you have taken out with us.

Notwithstanding the specific processing related to the taking out of a particular product, bear in mind that Openbank may carry out additional processing of our customers' personal data, independently of the Openbank product taken out, as we explain in Section 4.5 "Processing of our customers' personal data carried out independently of the Openbank product taken out" of this Privacy Policy.

4.4.1 Taking out a basic deposit product (salary account/current account/savings account/deposit)

The request to take out a basic deposit product requires Openbank to process the personal data you have provided in the form through which you requested the relevant deposit product, as well as data we obtain during the contractual relationship (such as data regarding your transactions with our products) and data we obtain from the external and internal sources set out in Sections 3 "What data do we process at Openbank and how do we obtain it?" and 4.2 "Management of your customer registration and application of pre-contractual measures" for the purpose of:

(i) Attending to, assessing and managing your request to take out a deposit product and, if in the end you do take it out, fulfilling the applicable contractual obligations, maintaining our contractual relationship with you and sending information, including marketing and emails, in relation to the products taken out.

(ii) When you make this request, including other holders and/or agents in the deposit products taken out.

(iii) Being able to make the appropriate arrangements to transfer balances of accounts presumed to be abandoned to the State.

The legal basis for this data processing is:

- Correct execution of the contract. The application, at your request, of pre-contractual measures and execution and performance of our contractual obligations in relation to the basic deposit product you take out with Openbank.

- Legal obligation. Specifically, in accordance with the provisions of Article 18 of Law 33/2003 of 3 November, on the Assets of Public Administrations for procedures related to balances presumed to have been abandoned.

4.4.2 Taking out a credit product (mortgage/loan/credit card/overdraft protection)

The request to take out a credit product requires Openbank to process the personal data you provided on the form through which you requested the corresponding product, we will also process other data we have about you from internal sources (such as your bank details), as well as data that we obtain from public sources, as specified in Section 3 "What data do we process at Openbank and how do we obtain it" of this Policy for the purposes of:

(i) Attending to, assessing and managing your request to take out a credit product and, if in the end you do take it out, fulfilling the contractual obligations set out the contract and maintaining our contractual relationship with you, as well as sending information in relation to the products taken out.

(ii) Assessing your solvency and predicting your risk of non-performing loans, in order to prevent arrears and to protect our own solvency and our other customers. To do this, we will assess the data we have about you (such as your banking transactions) and we will compare and profile your data according to the behavioural and risk models that we have designed using internal and/or external sources. Below, we will provide a detailed explanation of the type of profiling, the logic applied and the data used, depending on the particular type of credit product you are requesting, as well as the types of processing arising from the taking out of these products.

The legal basis for this data processing is:

- Correct execution of the contract. Execution and performance of our contractual obligations in relation to the credit product you take out with Openbank.

- Legal obligation. In accordance with the Guidelines on loan origination and monitoring issued by the European Banking Authority and adopted by the Bank of Spain (EBA/GL/2020/06), Order EHA/2899/2011, of 28 October, on transparency and protection of customers of banking services and Circular 5/2012, of 27 June, of the Bank of Spain, for credit institutions and payment services providers, regarding the transparency of banking services and responsibility in granting loans.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; employment data; economic, financial and insurance data; data relating to your personal characteristics; as well as data we obtain from the external sources listed in Section 3 "What data do we process at Openbank and how do we obtain it?" of this Policy and specified in detail below according to the type of profiling to be carried out based on the particular product requested and/or taken out.

Below, we will explain the scope of the different profiling we will carry out with regard to your personal data and the processing that will be performed, depending on the credit product you wish to take out:

4.4.2.1 Profiling and processing data relating to taking out a mortgage loan

As mentioned in the previous section, if you apply for a mortgage product, Openbank will need to conduct a prudent assessment of both the purpose of the mortgage and your personal circumstances in order to assess your financial capacity and risk of non-performing loans and, consequently, to determine whether you will be able to make the mortgage payments you would be assuming with us.

To do this, we will compare and profile, according to the specific behavioural and risk models that we have designed for mortgage loans, the personal data that you have provided directly through the various information request forms, as well as data we obtain from the following external sources:

(i) ASNEF Filing System, BADEXCUG Filing System and the CIRBE.

(ii) Public authorities such as the Ministry of Finance.

(iii) Public records such as the INE, the Trade Registry, the Property Registry and the Land Registry.

The logic applied to this profiling consists of:

(i) Assessing your current income and financial situation, all your assets and liabilities, including information about all your financial commitments through the CIRBE, as well as your repayment history with Openbank, or the information we request from you directly for the purposes of granting the mortgage, such as your most recent payslips or personal income tax returns. Specifically, we will assess the sources of income that demonstrate your repayment capacity, including cash income (income, periodic private transfers, child support, income from property leasing, financial investment returns, income from private companies or businesses, income from other sources), funds (such as savings accounts or investment products) and periodic spending.

(ii) Assessing the information you provide regarding the number of people who make up your household, as this information is essential when considering income and spending per family member, not only yours as the mortgage applicant.

(iii) Assessing your creditworthiness or that of any person you have named as a guarantor during the mortgage granting process by checking potential debts and arrears shown in the ASNEF Filing System, the BADEXCUG Filing System and the CIRBE.

(iv) We will also take into account sociodemographic and behavioural information about the Spanish population according to the market area in which the property to be mortgaged is located, in accordance with the information published in INE, specifically using statistical data on household income. Information last updated: 2022.

(v) Where necessary, particularly in cases where mortgage applicants are self-employed or receive seasonal income or any other irregular income, we may make enquiries to verify the information relating to the sources of income that demonstrate your repayment capacity, and confirm that the documentation you provide is reliable, through consultation with the relevant public bodies (Trade Registry).

(vi) With regard to the mortgage product, to guarantee the quality of the data, we will analyse the information about the property and validate it with external sources such as the Land Registry and the Property Registry, which provide us with exact data and are an effective tool in the fight against fraud in the property sector. Using the land registry code, we can find financial and tax information in relation to the property, such as public deeds, court orders and rulings, administrative records and rulings, and in the documents containing relevant facts, proceedings and business relating to property ownership and other real rights, lease or transfer agreements of any type for the use of the property, electricity supply contracts, technical projects or any other documents relating to the properties that are required by regulations.

The logic applied to this profile comprises bringing together all the sources of information (internal and external), the data specified above and the analytical capabilities of our behavioural and risk models, through a process through which we will be able to infer the payment behaviour of a potential mortgage borrower, and therefore determine their default risk in relation to a mortgage loan.

Bear in mind that as a consequence of this analysis, the information from our internal sources and the information obtained from consultations carried out with the external sources described above, we will be able to approve or reject your mortgage loan application. If your application is rejected, you shall be duly informed, and it will be specifically stated if the sole reason for the rejection is the existence of a debt with another institution in a credit information system.

Similarly, bear in mind that the process of granting a mortgage loan involves the following:

(i) As we will inform you, where applicable, there is a possibility that we may enter into collaboration agreements with third parties which would enable you to receive certain rebates on your mortgage instalments (e.g., if you contract a particular utility for the mortgaged property with one of our partner companies, the cost of your loan could be lower). Bear in mind that, in this case, the third party with which you contract the service will have to inform us that you have entered into a contract with them, transferring the data that is strictly necessary for us to apply the rebate. In any case, the partner company must inform you of this transfer when you enter into the contract with them.

(ii) Throughout the loan cycle, we will carry out processing and monitoring that requires us to assess your financial situation and debt capacity not only when you make the mortgage application, but also subsequently for as long as the mortgage loan remains outstanding.

(iii) As part of the origination process, we will share your data with the Property Registry, as we are obligated to register the transaction (see Section 6 "To whom do we disclose your data?" for further information).

(iv) Given that a mortgage loan must be notarised, we must also share your data with them (see Section 6 "To whom do we disclose your data?" for further information).

(v) For the same reason, your data will also be transferred to the management company you contract to process documents and with the appraiser for the purposes of managing the appraisal request and preparing the relevant appraisal report (see Section 6 "To whom do we disclose your data?" for further information).

(vi) Additionally, if you make a creditor subrogation request for the mortgage you hold with Openbank with another institution, we will share with that institution the information required for the purposes of processing the subrogation. Specifically, at the request of the subrogated creditor, we may send them supporting information about the costs of the subrogated loan, in order for that institution to carry out the necessary processing to fulfil its legal obligations (see Section 6 "To whom do we disclose your data?" for further information).

(vii) Furthermore, as part of our collaboration with mortgage intermediaries, we can obtain your data through them for the purpose of studying the viability of your financing application and we will be able to contact you through any channel, including electronic channels, to facilitate your financing/mortgage loan application and conduct the relevant procedures for the loan to be granted. Similarly, if you accept the offer we make you, Openbank can transfer your data to the intermediary so that it can assist you in generating and processing the mortgage loan application, and inform you of the result of the study, in accordance with the legislation governing the provision of mortgage intermediation services.

(viii) Finally, with the information we have from the energy certificates for the properties in our mortgage portfolio, we will prepare anonymous statistical reports on the general status of our assets with regard to energy efficiency.

In addition, bear in mind that Openbank will also process the data of any third party that is involved in the mortgage loan, including, but not limited to, guarantors or sureties, when necessary for the correct execution of the contract, according to the provisions of Section 4.8 "Processing third-party data" below.

The legal basis for this processing is:

- Correct execution of the contract. The application, at your request, of pre-contractual measures and execution and performance of our contractual obligations if, in the end, you do take out an Openbank mortgage.

- Your prior and informed consent if you make a creditor subrogation request for your mortgage loan, in accordance with the provisions of Law 2/1994 of 30 March, on subrogation and amendment of mortgage loans and Law 5/2019 of 15 March regulating mortgage loan agreements. Remember that if you change your mind, you can withdraw the consent you have given us according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

- Our legitimate interest in knowing the energy rating for the properties in our mortgage portfolio, in order to carry out climate stress tests required under the European Banking Authority Opinion on the disclosure requirement on environmentally sustainable activities in accordance with Article 8 of Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020 on the establishment of a framework to facilitate sustainable investment, and amending Regulation (EU) 2019/2088.

4.4.2.2 Profiling and processing data relating to taking out a credit card (automated decision)

Similarly, as we have mentioned above, an application to take out a credit product, such as a credit card, requires Openbank, to ensure the correct execution of the contract, to compare and profile your data according to the behavioural and risk models that we have designed to predict the risk of non-performing loans related to credit cards for both new and existing customers.

If you are already an Openbank customer and you apply for a credit card, the profiling will consist of an automated analysis of the information we have about you as a customer in our own sources, such as your account balance; securities contracts; plans; funds; mortgages; cards; deposits (contributions/repayments); loans (amount and number); direct debit payments; spending in shops and card transactions (physical/online); salaries and pensions; cash (cash inflows and outflows); use of cards; age; and internal arrears. We will also check whether you have any debts with other institutions, according to the ASNEF Filing System.

However, for data subjects who are not yet customers and whose credit card application involves the start of a contractual relationship with us, the profiling will consist of automated analysis of the data they have provided to us directly in the credit card application process such as email address; age; number of current account holders for onboarding; address; postcode; province in which they reside; information from metadata that we obtain when the application is made; and information from the following external sources:

(i) ASNEF Filing System, BADEXCUG Filing System and the CIRBE.

(ii) Public authorities such as the Ministry of Finance.

(iii) Public records such as the Trade Registry, the Property Registry and the Land Registry.

This will enable us to identify:

(i) The surface area of the properties in the postcode area where you live (through the Property Registry and the Land Registry, last updated: June 2018).

(ii) The average disposable income and average non-performing loans in the postcode area where you live (through the Ministry of Finance, last updated: 2020).

(iii) Your creditworthiness, by consulting potential debts and defaults shown in financial solvency filing systems such as the ASNEF Filing System or the BADEXCUG Filing System.

(iv) Similarly, it will be considered whether you have any debt and how long you have had it for. If the debt has a delinquency of over 90 days, it is possible that we will consider you unable to make the payments on the requested credit card.

The logic applied to this profile comprises bringing together all the sources of information (internal and external), the data specified above and the analytical capabilities of our behavioural and risk models, through a process through which it is possible to infer the payment behaviour of a potential credit card holder, and therefore determine their default risk in relation to a credit card.

Bear in mind that, as a result of this profiling, we may approve or reject your credit card application For example, if, upon making the application, you have a debt with the institution that you have been unable to repay, or in a financial solvency filing system that does not meet the criteria established by Openbank, there is a possibility that we will reject your application. If your application is rejected, you shall be duly informed, and it will be specifically stated if the sole reason is the existence of a debt with another institution in a credit information system.

Similarly, bear in mind that the process of granting a credit card implies processing and monitoring throughout the credit card life cycle, which requires us to assess your financial situation and debt capacity not only when you make the credit card application, but also subsequently.

The legal basis for this profiling is:

- Correct execution of the contract. In the case of taking out a credit card, when the applicant makes their request, the pre-contractual measures and execution and performance of our contractual obligations will be applied.

4.4.2.3 Profiling and processing data relating to the granting of a personal loan for existing customers (with documentation) (automated decision)

The personal loan application requires Openbank to compare and profile your data in accordance with the behavioural and risk models we have designed to predict your risk of non-performing loans and avoid situations that would be damaging to Openbank and to you (due to the risk of over-indebtedness) in line with responsible lending legislation, and in accordance with the procedures, guarantees and rights established at any time by the legislation in force.

In this regard, if you are already an Openbank customer and you apply for a personal loan, we will use our behavioural and risk models to carry out profiling and assess your creditworthiness and financial capacity based on data obtained from our internal sources (data provided on the loan application form, such as your full name or national identification number), data that has been generated during the contractual relationship with you (data regarding card transactions you have made, bills paid, your account balances) and information obtained from the following external sources:

(i) ASNEF Filing System and BADEXCUG Filing System.

(ii) The CIRBE.

(iii) Public records such as the INE (Census 2011), the Trade Registry (Official Gazette of the Trade Registry) and the Land Registry.

(iv) Camerdata, S.A. filing system, from the census provided by Spain's Chamber of Commerce.

(v) Digital maps of Here Global, B.V.

(vi) Surveys with anonymised information carried out by market research companies, such as AIMC Marcas or AIMC EGM.

Specifically, the categories of data we will obtain from the aforementioned sources are: data relating to creditworthiness and possible non-performing loans; credit information; information relating to postal addresses (e.g., residential and sociodemographic information; property characteristics; information about the surrounding area; urban planning variables; nearby areas of interest); and consumer profiles.

We will use the following categories of personal data to carry out profiling, assess your creditworthiness and predict your risk of non-performing loans upon taking out a loan: identity data (full name and national identification number); employment data (if you are a permanent or temporary salaried employee, the length of time you have worked for that company or whether you are a public official, retired or self-employed); primary residence circumstances (renting, family home, mortgaged, property without charges); marital status (married, divorced, single or widowed); financial data about the loan requested (type of loan, amount and term); number of credit cards you hold with other financial institutions and internal arrears; data relating to transactions involving goods and services (Openbank account movements); average balance in Openbank current accounts; net monthly income and monthly spending; and other loans granted); default amounts with other companies; certain due and payable debts; information about loans, credit (direct risk), collateral and guarantees (indirect risk) that you maintain with other financial institutions (amount, start and maturity date, outstanding amounts, type of loan and guarantees); other data mentioned above obtained from external sources.

The logic applied to this automated profiling will consist of analysing the loan amount requested, as well as its term, together with the data obtained from the aforementioned information sources (internal and external).

Bringing together all the sources of information and the analytical capabilities of our behavioural and risk models, through a profiling process, it is possible to infer the payment behaviour of a personal loan applicant, to ensure that the customer's repayment capacity is sufficient to cover the loan instalments for the requested term, leaving a sufficient remainder to meet their basic needs.

Bear in mind that as a consequence of this profiling, we will also be able to approve or reject your personal loan application, for example, if we believe that with your current level of indebtedness and the amount of your income, you will be able to make future debt repayments. If your application is rejected, you shall be duly informed, and it will be specifically stated if the sole reason is the existence of a debt with another institution in a credit information system.

The legal basis for this profiling is:

4.4.2.4 Profiling and processing data relating to the granting of a loan for non-customers (aggregated) (automated decision)

In this regard, if you are not already an Openbank customer and you apply for a personal loan, we will use our behavioural and risk models to carry out profiling and assess your creditworthiness and financial capacity based on data obtained from our internal sources (data provided on the loan application form, such as your full name or national identification number), data that has been generated, as applicable, during the contractual relationship with you (data regarding card transactions you have made, bills paid, your account balances) and information obtained from the following external sources:

(i) ASNEF Filing System and BADEXCUG Filing System.

(ii) The CIRBE.

(iii) Public sector bodies such as the Spanish Tax Agency, the Tax Agency of the Basque Country and the Tax Agency of Navarra.

(iv) The INE public records: Relationship between municipalities and their codes by provinces, to 01-01-2010; official population figures taken from the review of the Municipal Register to 1 January 2022; and mapping from census and street sections of the Electoral Census 2022.

(v) The National Centre for Geographical Information, an independent body governed by Royal Decree 310/2021.

Specifically, the categories of data we will obtain from the aforementioned sources are: data relating to your creditworthiness and possible non-performing loans; credit information; and residential and sociodemographic information (obtained based on postcode and province, population and income).

Also bear in mind that, as part of the correct execution of the contract, when applying for the loan, you will need to register with our financial aggregator. Tink AB (hereinafter, "Tink"), the organisation that provides the aggregator service, will also process your data in its capacity as data controller and will transfer it to Openbank under the collaboration agreement between the two institutions, in accordance with its privacy policy. As such, through the accounts you have aggregated (external sources), we will obtain the following categories of data: your balances in different credit and deposit products with other financial institutions and the movements of such accounts (including data on dates, amounts, descriptions, and the sender and recipient of transfers).

Once the aforementioned aggregation has been carried out by the external provider, before consulting creditworthiness and credit information filing systems, we will verify your identity using the number of the account you have aggregated through Tink, through the Iberpay platform.

The logic applied to this automated profiling will consist of analysing the loan amount requested, as well as its term, together with the data obtained from the aforementioned sources of information (internal and external) to determine whether you will be able to make the repayments on the requested loan and assess the risk of over-indebtedness.

Bear in mind that as a consequence of this profiling, we will also be able to approve or reject your personal loan application, for example, if we believe that with your current level of indebtedness you will be able to make future debt repayments. If your application is rejected, you shall be duly informed, and it will be specifically stated if the sole reason is the existence of a debt with another institution in a credit information system.

The legal basis for this profiling is:

4.4.2.5 Profiling and processing data relating to the offering of a pre-approved loan

The offer of a pre-approved loan requires Openbank to compare and profile your data according to the behavioural and risk models that we have designed to predict your risk of non-performing loans using information obtained from internal sources.

The logic applied to this profiling will consist of analysing the identity and financial data we have about you, such as your salary or pension; account balances; deposited securities; mortgages; cards; deposits (contributions/repayments); funds and/or plans; other loans you have already taken out (amount and number); direct debit payments; spending in shops and card transactions (physical/online); cash movements (cash inflows and outflows) to assess the depth of your relationship with Openbank and your debt capacity; as well as a transaction history for the last 13 months to see your spending habits; age; internal arrears; default amounts; and date of default.

Bringing together all the sources of information (internal and external), the data specified above and the analytical capabilities of our behavioural and risk models, through a profiling process, it is possible to infer the amount and type of pre-approved loan we can grant you, in order to ensure that your repayment capacity is sufficient to cover the loan instalment for the requested term, leaving a sufficient remainder to meet your basic needs.

Bear in mind that, as a consequence of this profiling, we will be able to change the conditions of the pre-approved loan offered, or even not offer you any loan. You can object to this profiling, but, in this case, it is unlikely that we will be able to offer you pre-approved loans.

The legal basis for this profiling is:

- Our legitimate interest in carrying out direct marketing and offering our customers pre-approved loans suited to their financial situation and debt capacity. You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

- On the basis of our legitimate interest, to grant the loan (during the loan application process), we will have to verify the absence of debts in the ASNEF Filing System, but we will inform you of this in advance. This processing cannot be objected to, as there are compelling reasons for it.

- Consent. If you authorise us to profile you using external information, in addition to pre-approving you for a loan as mentioned above, we will also consult the ASNEF Filing System before offering you the product. Remember that if you change your mind, you can withdraw the consent you have given us according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

4.4.2.6 Profiling and processing data relating to the granting of overdraft protection and authorised overdrafts (automated decision)

An application to take out a credit product, such as overdraft protection, requires Openbank, to ensure the correct execution of the contract, to compare and profile your data according to the behavioural and risk models that we use to predict the risk of non-performing loans related to overdraft protection.

If you request overdraft protection, the profiling we carry out will consist of automated analysis of the information we have about you in our internal sources, such as your account balance; securities contracts; plans; funds; mortgages; cards; deposits (contributions/repayments); loans (amount and number); salaries and pensions; cash (cash inflows and outflows); and internal arrears. When you make the application, we will also check whether you have any debts with other institutions, according to the ASNEF Filing System.

The logic applied to this profile comprises bringing together all the sources of information (internal and external), the data specified above and the analytical capabilities of the behavioural and risk models used, through a process through which it is possible to infer the payment behaviour of a possible overdraft protection holder, and therefore determine their default risk in relation to said product.

Bear in mind that, as a result of this profiling, we may approve or reject your overdraft protection application. If your application is rejected, you shall be duly informed, and it will be specifically stated if the sole reason is the existence of a debt with another institution in a credit information system.

You can request information about the result of this profiling in order to receive an explanation of the decision made, state your point of view on the matter, object to the result of the profiling and request the involvement of the Openbank team that is responsible for reviewing the decision made as a consequence of the profiling. At this stage, you can provide any additional documentation that you consider necessary.

In the event of a one-off request for an authorised overdraft, we will check whether you have any debt with other institutions, in accordance with the information provided by the ASNEF Filing System, but no automated decision will be taken.

The legal basis for this profiling is:

- On the basis of our legitimate interest, to grant the overdraft (during the application process), we will have to verify the absence of debts in the ASNEF Filing System, but we will inform you of this in advance. This processing cannot be objected to, as there are compelling reasons for it.

4.4.3 Taking out a payment method (debit card/prepaid card/Bizum/mobile payment applications)

An application to take out a payment method requires Openbank to process the data you provide through the form for the payment method you want to take out, the data we have about you in our systems if you are already an Openbank customer and the data we obtain from the external sources described in Section 3 "What data do we process at Openbank and how do we obtain it?" of this Policy for the purpose of:

(i) Attending to, assessing and managing your request to take out the payment method in which you are interested, and, if in the end you do take out one or more payment methods, fulfilling the obligations set out in said payment methods and maintaining our contractual relationship with you, as well as sending you information in relation to the products taken out.

Additionally, certain third-party mobile applications available for payments may, before you start to use them, require you to accept the terms and conditions of the relevant service provider. In these terms, we will send you a personalised report on how your personal data will be processed in each of these services.

The legal basis for this data processing is:

- Correct execution of the contract. The application, at your request, of pre-contractual measures and execution and performance of our contractual obligations in relation to the payment method you take out with Openbank.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; employment data; economic, financial and insurance data; and data relating to your personal characteristics.

4.4.3.1 Processing specific data relating to mobile payment applications (Samsung Pay, Apple Pay, Google Pay, Fitbit Pay, Garmin Pay and Openbank Wallet)

If you apply for any mobile payment service, which consists of adding different Openbank cards on devices that you may have so that you can use them to make payments and transactions with third parties, you should bear in mind the data processing specified in the terms and conditions and the privacy policy for each application you download.

Similarly, when you register any Openbank card in these services, you will be informed of the specific data processing relating to the mobile payment service, mainly with regard to access to information by the company providing the service, which will be necessary to ensure proper provision of the service.

You can obtain more information about data processing by the different mobile payment applications related to Openbank below, although this will also be specified when you register for the service:

The legal basis for this data processing is:

- Correct execution of the contract. The application, at your request, of pre-contractual measures and execution and performance of our contractual obligations in relation to registration for the service.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; and economic, financial and insurance data.

4.4.3.2 Processing specific data relating to Bizum

If you request the immediate transfer service, we will process your personal data in order to register you for the service. Bear in mind that the data controller for data in the immediate transfer directory is Bizum, S.L. (hereinafter "Bizum").

To correctly provide the immediate transfer service, we will need to transfer the following data about you:

(i) We will transfer certain personally identifiable information about you, specifically, your name and surname(s); NIF (or similar identity document); mobile telephone number; IBAN; and username or customer alias, which will correspond to your name and the initials of your two surnames, in order to identify the recipient of an immediate transfer. This data will be transferred to Bizum, the company responsible for providing information services for making immediate transfers, as owner of the directory accessed by the institutions signed up to the Bizum service. You can access additional information in the Bizum privacy policy.

(ii) We will also transfer your data to the companies that appear at www.bizum.es/entidades, which includes all institutions signed up to the Bizum service.

(iii) We may transfer your data to NGOs that have registered as beneficiaries for donations through Bizum, specifically your name and surname(s) and NIF, so that they can process your donations and, where possible, issue the annual donation certificate.

(iv) Finally, transaction data will be transferred to recipients and payers in the transactions carried out.

The Bizum service can access the contacts list on your telephone, in order to locate the number of the person to whom you want to send money, or from whom you want to receive money. When you contract the service, you authorise us to carry out the aforementioned consultation, which will enable us to determine whether the person has the Bizum service.

If you provide the personal data of a third party (e.g., someone else's telephone number), you guarantee that you have obtained prior informed consent from said third party to process their personal data. Similarly, you are aware that we could also obtain your personal data from third parties.

To correctly provide the service, Openbank will store the data from immediate transfers carried out by its customers. We will not share your data with other end users who are not strictly necessary to the service provision.

You can find additional information about Bizum's immediate transfer service in its Terms and Conditions.

The legal basis for this data processing is:

- Correct execution of the contract. Execution and performance of the contractual obligations in relation to the immediate transfer service.

- Consent for additional actions or value-added services that are not included in the essential data processing for the provision of the service, such as photo transfers or chats. Remember that if you change your mind, you can withdraw the consent you have given us according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; and economic, financial and insurance data.

4.4.3.3 Taking out a debit card and credit card together (Premium and Diamond packs)

If you take out one of our Premium or Diamond packs which include a debit card and credit card, as well as processing your data for the purposes set out in Sections 4.4.2 "Taking out a credit product (mortgage/loans/credit card/overdraft protection)", 4.4.2.2. "Profiling and processing data relating to taking out a credit card (automated decision)" and 4.4.3 "Taking out a payment method (debit card/prepaid card/Bizum/mobile payments/mobile payments applications)", we will also be able to process data in order to offer you the advantages and benefits of these packs, including:

(i) Taking out related insurance (e.g., anti-fraud, travel accident and assistance).

(ii) Transaction alerts.

The legal basis for this additional processing is:

- Correct execution of the contract. Execution and performance of the contractual obligations in relation to the Premium and Diamond packs.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; and economic, financial and insurance data.

4.4.4 Taking out a product on behalf of a minor (Open Young prepaid card/Open Young savings accounts/registration in the Open Young application)

At Openbank, we will process the information that, as father/mother, guardian or legal representative, you provide on the relevant application form, as well as a copy of the Family Book, for the purpose of:

(i) Attending to, assessing and managing your request to take out a product on behalf of a minor and, if in the end you do take out a prepaid card or a savings account for a minor, or register then on the Open Young app, fulfilling the obligations set out in the contract, maintaining our contractual relationship with you and sending information in relation to the products taken out.

(ii) Verifying that you are the father/mother, guardian or legal representative or the minor, and thus proving your capacity to enter into contracts on their behalf.

(iii) Contacting the minor when they reach the age of majority to inform them that they may access the funds in their Open Young savings account whenever they wish, and to offer them the chance to open a conventional current account with Openbank.

The legal basis for this data processing is:

- Correct execution of the contract. The application, at the applicant's request, of pre-contractual measures and execution and performance of our contractual obligations in relation to the product you take out with Openbank on behalf of the minor.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; economic, financial and insurance data; as well as identity data for the minor on whose behalf you are taking out the Openbank product.

You can find additional information about the type of personal data and processing we carry out in relation to products intended for minors at: Personal data protection for minors and their rights.

The application for and/or taking out of an investment product or service requires Openbank to process the data you provide to us on the form through which you make the application for the product or service in question, for the following purposes:

(i) Attending to, assessing and managing your request to take out the investment product or service in which you are interested, and, if in the end you do take out one or more investment products or services, fulfilling the obligations set out, maintaining our contractual relationship with you and sending information in relation to the products or services taken out.

(ii) When required by legislation, we will process the information and personal data you provide to us in order to create your investor profile, which entails automated decision-making. To do this, we will consider your knowledge and experience with regard to financial instruments, your investment objectives and your financial situation, so that we can determine whether you are a suitable and appropriate customer for the investment product or service you are requesting. Please note that if you disagree with the decision, you can challenge it, express your point of view and ask for human intervention by writing to privacy@openbank.es.

(iii) If you want to subscribe to an investment fund or take out a pension plan, as the sellers of the fund or plan, as appropriate, we will need to share your data with the relevant management company and depository institution, where applicable, so that we can carry out the subscription, formalisation and/or management, and send information on behalf of the fund or pension plan with regard to the service you have taken out or engaged.

Bear in mind that, when you take out the relevant investment product or service, we will provide you with documentation that will provide you, among other things, information corresponding to the data categories subject to processing depending on the investment product taken out and information on how to exercise your rights.

The legal basis for this data processing is:

- Correct execution of the contract. The application of pre-contractual measures and execution of the contract, performing the obligations set out in said contract, maintaining our contractual relationship with you and sending information in relation to the products taken out.

- Legal obligation. Specifically, performance of this suitability and appropriateness testing in accordance with Directive 2014/65/EU on markets in financial instruments (MIFID II).

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; and, where applicable, data obtained through the suitability and appropriateness testing carried out by Openbank (including academic or occupational data; data relating to personal characteristics; data relating to products and services taken out; as well as data relating to your investment objectives, the risks you are prepared to assume and your financial situation).

4.4.5.1 Processing specific data relating to the transfer of investment products

If, subsequently, after taking out an investment product with us, you decide to request its transfer to another institution, Openbank will transfer your data to the recipient institution for the purposes of moving your balance and consolidated financial rights.

The legal basis for this data processing is:idated financial rights.

- Your prior and informed consent. Remember that if you change your mind, you can withdraw the consent you have given us according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

- Legal obligation. Specifically, according to the provisions of Article 28 of Law 35/2003, of 4 November, on collective investment institutions.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; and data relating to products and services taken out.

4.4.6 Taking out an insurance product

The application for and/or taking out of an insurance product requires Openbank, as data processor in its capacity as insurance broker, to carry out, on behalf of the insurance company, the processing of the data you provide to us on the form through which you request the product, for the purpose of:

(i) Processing and assessing your application and thus fulfilling the contractual relationship for the new insurance product you are taking out, in accordance with our sectoral regulations.

Depending on the insurance product you request, we will inform you individually, in each case, of all legal aspects of the processing of your data, including how your data will be used and the third parties that may be involved in the process of taking out the insurance.

However, bear in mind that Openbank is acting simply as a related bancassurance operator, i.e., it markets third-party products through its distribution network. Therefore, to be able to process your application, we will have to grant access to your data to the third-party insurance companies with which you take out the insurance products, which will be responsible for processing your personal data. When you take out the insurance product that you have requested, we will send you the relevant information regarding the processing of your personal data by the insurance company. You must review the privacy policy of the insurance company with which you take out the products in order to obtain information about the personal data processing that it will carry out.

Bear in mind that, through our website, in some cases we may also redirect you to the insurance company's website so that you can request a quote directly for taking out your insurance. In these cases, Openbank will not act as data processor for the insurance company, given that you are providing the data directly via their website.

In addition, in the event that any of your debit or credit cards have any type of insurance associated with them, please note that the insurer will be responsible for the processing of your data and, should you require our assistance in handling any complaint or claim or any aspect related to its application, we will have to share the necessary information with the insurer so that you can obtain the requested coverage.

The legal basis for this data processing is:

- Correct execution of the contract. The application of pre-contractual measures and execution of the insurance contract.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; employment data; and economic, financial and insurance data. Similarly, if you apply for home insurance, we will process information regarding the insured property, such as: the address; postcode; area; district in which it is located; and approximate surface area in square metres. This data is necessary for calculating the value of the insured property. If you take out mobile phone theft insurance, we will need to process certain information about the insured mobile device, such as the IMEI number, to fulfil the purposes set out above.

4.4.7 Categorising spending

Given your status as a customer, we can classify the movements in your bank account or securities account, or the information to which we have access, in spending categories (education, restaurants, supermarkets, leisure expenses). We will carry out this data processing as part of the management of the contractual relationship we maintain with you for the purpose of:

(i) Providing you with classified information about your spending in predetermined product or service categories (education, restaurants, supermarkets and leisure expenses) that will allow you to manage and supervise your finances and spending in a simpler way.

The legal basis for this data processing is:

- Correct execution of the contract. Performance of our contractual obligations with you when you become a customer.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; economic, financial and insurance data; and data relating to transactions involving goods and services.

4.4.8 Engaging the services of the Openbanking Financial Aggregator

If you contract the services of the Openbanking Financial Aggregator, we will aggregate the financial accounts you hold with other financial institutions for the purpose of:

(i) Enabling you to view, in a consolidated way on a single screen, the balances and positions of your accounts and cards with other institutions. As such, each movement in your accounts and cards will be categorised automatically by the aggregator.

(ii) Informing you, through a system of alerts and notifications, about your movements and positions (through the private area of the website or through push messaging for the app).

Bear in mind that Tink is the institution that provides the aggregator service, and therefore will also process your data as data controller and will transfer it to Openbank under the collaboration agreement between the two institutions, all in accordance with its privacy policy.

The legal basis for this data processing is:

- Correct execution of the contract. Performance of our contractual obligations acquired with you when you engage our Openbanking Financial Aggregator service.

Bear in mind that, if you exercise your right to object, Openbank will stop providing the engaged service. You can find additional information about the Openbanking Financial Aggregator in its Terms and Conditions.

4.4.9 Engaging the Open Discounts service

If you register for the Open Discounts service, you will receive discounts and promotions from third parties with which Openbank has collaboration agreements.

The legal basis for this data processing is:

- Correct execution of the contract. Registering for the service you have requested from us and performing our contractual obligations acquired with you when you engage our service.

Bear in mind that, if you exercise your right to erasure, Openbank will stop providing the engaged service.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data.

4.4.10 Engaging the Password Manager Databank service

If you engage the Password Manager Databank service, you will be able to save and manage all your passwords, data or other information easily and securely.

Bear in mind that, if you forget your master password, for your own security we cannot recover it and the information will remain inaccessible, including to Openbank.

The legal basis for this data processing is:

- Correct execution of the contract. Performance of our contractual obligations acquired with you when you engage our Password Manager Databank service.

Bear in mind that, if you exercise your right to object, Openbank will stop providing the engaged service. You can find additional information about Password Manager Databank in its Terms and Conditions.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data.

4.4.11 Making a donation

Openbank has two methods by which you can make donations to non-profit organisations (NGOs or foundations): (i) transfer; and (ii) our debit card, where you can round up your card payments (hereinafter, the "donation").

Whenever you use these services, we will process the data you provide to us for the purpose of:

(i) Duly attend to you request to take out deposit products (in relation to the transfer) and payment methods (in relation to the debit card).

(ii) Furthermore, when you make a donation, we will provide your name and surname(s), DNI, address, email address, transaction date and amount to the NGOs/foundations in order to process your donations and, where possible, for them to issue an annual donation certificate.

The legal basis for this data processing is:

- Correct execution of the contract. Execution of the donation contract.

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data; address to which the debit card must be sent; your employment data; economic, financial and insurance data; and data relating to your personal characteristics.

4.4.12 Open Markets

In order for you to access the Open Markets service and view the products available, as well as to be able to purchase gift vouchers, we will have to share your personal details with Open Digital Markets, S.L., an entity that provides a brokerage service in the marketing of several non-financial products.

The legitimate basis for this data processing is:

-Your prior informed consent for the transfer of data. Please note that if you change your mind, you may withdraw the consent you have given us, as indicated in Section 7 “What rights do you have regarding the processing of your personal data?”

The categories of personal data that Openbank will process in order to carry out the purposes described above are the following: identification data; economic, financial and insurance data.

4.5 Processing of our customers' personal data carried out regardless of the Openbank product taken out

4.5.1 Anti-money laundering and counter-terrorism financing

‌The processing of personal data, as well as automated or non-automated filing systems created for compliance with the provisions of Law 10/2010, of 28 April, on anti-money laundering and counter-terrorism financing, with which as a financial institution we are obligated to comply, is carried out for the following purposes:

(i) Making monthly declarations in the financial ownership filing system regarding the identity data of our customers (or their representatives or proxies, in the case of legal person customers) and any other parties involved, with regard to the opening or cancellation date of current accounts, savings accounts, securities accounts and term deposits. The above data forms part of this filing system, the processor of which is the Secretary of State for Economy and Business Support. Bear in mind that, in accordance with Article 23 of the GDPR and Article 32 of Law 10/2010 on anti-money laundering and counter-terrorism financing, the rights provided for in Articles 15 to 22 of the GDPR do not apply to the filing systems and processing of personal data created and managed by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (hereinafter "SEPBLAC") for the fulfilment of the obligations imposed by said law.

(ii) Providing information about payment transactions and such other information as may be necessary, in compliance with the above-mentioned regulations, to official authorities or bodies, including those within and outside of the European Union, as part of the fight against terrorism financing, serious forms of organised crime and money laundering. For this purpose, particular importance is placed on the exchange of information between the SEPBLAC and the Spanish Tax Agency, in full compliance with the provisions of Articles 94.4 and 95.1.i) of the General Tax Law 58/2003, of 17 December.

(iii) Consulting external databases for the purpose of preventing money laundering and terrorist financing by checking whether the available data match the data contained in the external databases, establishing and analysing different alerts on banking transactions and applying the relevant measures derived from the applicable regulations.

(iv) Verifying whether you are a person with public responsibility or politically exposed person and, if so, applying the enhanced due diligence measures in business relations or transactions that we maintain with you.

(v) Confirming the authenticity of the information and documents you send us in order to understand the nature of your professional or business activity, and sending them to the official authorities and bodies of other countries, both within and outside of the European Union, and to other Santander Group companies as part of the fight against terrorism financing, serious forms of organised crime and money laundering.

(vi) Reliably verifying your identity using a valid identity document. To do this, we will store a copy of your identity document (including your image) and, where applicable, we will view it in any media or format, for the sole purpose of verifying your identity when necessary to comply with the contract signed with you in your capacity as customer (as is the case when a complaint is made) and to meet the requirements of the competent authorities and/or fulfil our legal obligations.

(vii) With the above objective (reliable verification of your identity), we will check that the information you provide matches the information contained in the official documents we have (for example, your ID card) and, if they do not match, we will proceed to modify the information in our database or we will contact you to request more information and have the data updated (for example, if the address on the ID card does not match the one indicated on the form, we will contact you to send us evidence of the current address).

(viii) Ongoing monitoring of customer relationships in compliance with anti-money laundering regulations, including:

-monitoring transactions to ensure that they are consistent with the customer information we have in our systems and the risk assigned;

-verifying the origin of the funds; and

-monitoring the documents and information available on the institution's customers and requesting the updating of those deemed necessary.

(ix) In relation to the above points, if applicable, for example, when the customer does not send the updated documents within a reasonable period of time, the data will be processed in order to block the customer's operations (this blocking may affect both products/services taken out or engaged and the possibility of taking out or engaging new products/services with Openbank) and/or cancel the business relationship with the customer.

In accordance with the regulations on the prevention of money laundering and the financing of terrorism, in order to take the appropriate due diligence and information measures, we shall analyse and take into account any complex, unusual conduct or conduct without a separate lawful economic purpose or any conduct or information available to us that may be indicative of a possible offence against property or socio-economic order.

Additionally, to reliably verify your identity, we will give you access to a procedure that enables us to identify you via a video call with an agent. You will also have the option of making an automated call, without an agent, in which case your image will be subject to facial recognition techniques which require biometric data processing. If you opt for video call identification (with or without an agent), we will need your prior consent to make and record the call, and save the recording. This information may be accessed by various organisations, when legally required.

In the event that you request video identification so that we can verify your identity, we will process the image pattern extracted from your photograph during the identification process and the image on your identity document.

Alternatively, if you prefer, you can identify yourself by other means which we make available to you, such as visiting an Openbank branch in person or making a transfer from a bank account you hold with another institution, provided that this is a Spanish account. Similarly, we will verify whether you are the holder of the aforementioned account by consulting the sender bank.

Likewise, if you give us your consent, we can consult the General Treasury of Social Security (hereinafter "TGSS"), pursuant to the agreement signed between the TGSS, the Spanish Banking Association (“AEB"), the Spanish Confederation of Savings Banks and the National Cooperative Unit, for the purpose of confirming the veracity of the documents and information you have provided during the formalisation process and throughout the contractual relationship in order to discover the nature of your professional or business activity for the purpose of preventing money laundering.

The legal basis for this data processing is:

- Legal obligation. Specifically, Openbank will carry out this processing to comply with Law 10/2010 on anti-money laundering and counter-terrorism financing, Directive (EU) 2018/843 of the European Parliament and of the Council, and Royal Decree-Law 7/2021 transposing European Union directives and other applicable regulations on anti-money laundering and counter-terrorism financing.

- Consent to process your biometric data, if you decide to identify yourself by means of an automated call and for the recording of the call (whether or not it is automated). Remember that if you change your mind, you can withdraw the consent you have given us according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

-Consent to consult the TGSS. For this purpose, pursuant to the agreement between the AEB and the TGSS, we must receive this consent in the wording included in Appendix III of said agreement, and which we have reproduced below for the purposes of transparency:

"I have been informed by the financial institution Open Bank, S.A., that the applicable anti-money laundering legislation requires these banking institutions to obtain information from their customers about their business activity and to verify that information.

For the sole purpose of verifying the information provided, I grant my express consent for Open Bank, S.A., to request the relevant information from the General Treasury of Social Security on my behalf.

The data obtained from the General Treasury of Social Security will be used for the sole purposes described above. Any breach of this obligation by the financial institution and/or financial institution's staff shall trigger the full application of Organic Law 3/2018 of 5 December, on the protection of personal data and guarantee of digital rights."

Remember that if you change your mind, you can withdraw the consent you have given us according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; biometric data derived from the facial recognition techniques used in the automated call identification process; data relating to your personal characteristics; employment data; economic, financial and insurance data; and data relating to transactions involving goods and services; data indicated in the section on fraud detection and prevention; and specially protected data such as data relating to the commission of criminal offences (e.g., data appearing in police and court orders we may receive relating to any possible offences against property or socio-economic order).

4.5.2 Sending information to the CIRBE

As a financial institution, we have to comply with the legal obligations applicable to the financial system, and therefore we will process your data for the purpose of:

(i) Informing the CIRBE of the risks of your banking transactions, depending on the number of credits or loans you have requested, as well as their amounts, their recoverability and, where applicable, defaults on your part such as failure to make credit or loan payments on the agreed dates. For example, if you have requested a loan of €10,000 to be repaid within a term of four years, we will inform the CIRBE of this, as well as any failure to repay any of the loan instalments. The purpose of this information is to enable other financial institutions to consult the CIRBE and, according to the information shown there regarding your financial transactions and their inherent risks, they will be able to assess your suitability as a customer in the event that you apply for any type of loan or financial product from them.

The legal basis for this data processing is:

- Legal obligation. Specifically, Openbank will carry out this processing to comply with the legal obligations applicable to the financial system, and in particular with Law 44/2002 on the reform of the financial system.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; and data relating to transactions involving goods and services.

4.5.3 Sending information to the Spanish Tax Agency (hereinafter "AEAT")

As a financial institution, we are obliged to send certain information about our customers to AEAT and the competent tax authorities in other countries, in accordance with regulations on the automatic exchange of tax information. Therefore, we will process your personal data for the purpose of:

(i) Informing AEAT of your tax residence and providing information regarding the contractual relationship that you have with us, which in turn may be required to send this to the competent tax authorities in other countries.

The legal basis for this data processing is:

- Legal obligation. Specifically, Openbank will carry out this processing to comply with the United States of America Foreign Account Tax Compliance Act (FATCA) and the Organisation for Economic Co-operation and Development ("OECD") Common Reporting Standard (CRS).

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data; and tax residence and information relating to the contractual relationship.

Openbank will share your data with other companies in the Santander Group, of which we form part (pursuant to Article 42 of the Spanish Commercial Code), together with any relevant transaction information for the following purposes:

(i) Complying with Santander Group internal regulations drawn up to fulfil our legal obligations regarding the prevention of financial crime.

(ii) Enabling Santander Group companies to fulfil their legal obligations regarding anti-money laundering and counter-terrorism financing.

(iii) Enabling Santander Group companies to fulfil their obligations regarding regulatory reporting to supervisory authorities (European Central Bank or SEPBLAC).

The legal basis for this data processing is:

- Legal obligation. Specifically, Openbank will carry out this processing in order to fulfil (i) our financial crime prevention obligations, in particular to comply with the provisions of Directive (EU) 2015/849 and Commission Delegated Regulation (EU) 2019/758; (ii) our obligations with regard to anti-money laundering and counter-terrorism financing; and (iii) mandatory reporting to the competent supervisory authorities.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; data relating to your personal characteristics; employment data; economic, financial and insurance data; and data relating to transactions involving goods and services.

4.5.5 Reporting defaults in credit information filing systems

If you have failed to make any payments during your contractual relationship with Openbank, of an amount of at least €50 (fifty euros) (provided that the debt is a certain, due and payable debt), we will process your personal data for the purpose of:

(i) Reporting this default in the ASNEF Filing System. You can access additional information about the data processing through this filing system at the following link.

(ii) Reporting this default in the BADEXCUG Filing System. You can access additional information about the data processing through this filing system at the following link.

This reporting will comply with the procedures, rights and guarantees established and recognised at all times by current legislation.

Openbank and each of its systems will act as joint controllers of your data, which will be processed in order to keep a record of defaults, and may be consulted by third-party companies with which you maintain a contractual relationship (financial institutions, utility or telephone companies etc.).

You will be able to exercise your data protection rights by contacting Openbank or any of the filing systems indicated. Any complaint relating to the existence, age or amount of the debt must be addressed to Openbank.

Bear in mind that the data is stored in the filing system for a maximum of five (5) years, unless the debt is settled before said period ends.

The legal basis for this data processing is:

- Our legitimate interest in preventing any defaults to our detriment and carrying out adequate control of these situations, and the legitimate right of third-party companies to be aware of the existence of default in order to prevent your over-indebtedness and to protect the integrity and stability of the banking and financial system. You cannot object to this processing as there are compelling reasons for its completion, subject to the provisions of Article 20 of Organic Law 3/2018, of 5 December, on the protection of personal data and guarantee of digital rights.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; and data regarding defaults or debts you have incurred.

4.5.6 Detection and prevention of possible attempted fraud

Openbank's obligation and objective is to prevent fraud and protect you and our other customers against possible fraudulent or criminal behaviour, such as identity theft, card cloning or password theft. Therefore, we will process data that you have provided directly, data that we obtain from internal sources, for example, those relating to your location or behaviour patterns, as well as data that we obtain from specialised external sources (as is the case for fraud prevention agencies) to detect and prevent possible attempted fraud, and in particular for the following purposes:

(i) If you are already an Openbank customer, we will consult your data in our own internal sources, in order to perform a behavioural analysis of your transaction profile as a customer using fraud prevention tools. As such, every time you conduct a new transaction, we will assess it in accordance with your transaction profile, and that will enable us to determine whether or not this transaction is in line with your habits and could therefore be considered suspected fraud. We will also process your data for the purpose of detecting behaviour and risk patterns that allow us to identify anomalous or irregular transactions carried out through national and European payment systems.

This will enable us to detect potentially fraudulent activities, such as undue access to customers' personal data, possible identity theft or any situation that could be interpreted as fraudulent or unwanted use of the account, with the objective protecting the interests of our customers. If any attempted fraud or suspicious activity is detected (such as repetitive transfers or the use of a different device), unless there is a situation of public interest, we will inform you, review the available information and, where applicable, request additional information from you. Similarly, out of caution and until we carry out the necessary checks, we will block any transactions.

The logic applied to the processing carried out with the aim of detecting anomalies and fraud patterns across national and European payment systems consists of:

-In terms of fraud prevention, the processing enables payment service providers to perform real-time analysis on our behalf of the risks associated with accounts and payments. To this end, they are provided with tools that allow them to validate account and transaction data based on previously identified historical patterns and to detect potential anomalies and indicators to help them manage fraud risks before sending a payment or as part of account confirmation activities.

-In terms of fraud detection, the processing allows payment service providers to perform post-transaction analysis. It provides modules to help payment service providers investigate and identify high-risk transactions after payments have been made.

-Finally, the processing allows data analysis to identify new risk patterns and payment anomalies to improve prevention and detection processes.

(ii) If you are not yet an Openbank customer, before you enter into a contract with us, we will carry out various assessments to prevent fraudulent and criminal transactions, such as verifying your identity and detecting any inconsistencies in the information provided. If we do detect any anomalies in the account opening, we will block the process until it is resolved or the account is closed, where appropriate.

For the assessments we carry out, we use the information that you provide during the registration process, such as your email address, age and variables associated with the application you are making, other variables and metadata associated with your application relating to the devices from which you are applying to open an account, the browser you use or the operating system, and information from public sources which we obtain from the INE, specifically income data according to the postcode in which you live, using statistical data on household income. Information last updated: 2023.

We may also consult the Spanish National Markets and Competition Commission's public numbering register (hereinafter the "Numbering Register"), created under Royal Decree 2296/2004 of 10 December, approving the regulation on electronic communication markets, network access and numbering, which collates information about the operator that each telephone number assigned corresponds to. If our checks in the Numbering Register show that your telephone number is assigned to certain telephone operators, we will take this into account as one of the factors that, together with others, could infer the existence of certain behaviours or patterns compatible with fraudulent conduct, which will be assessed jointly when determining whether or not to provide a product or service.

Before you enter into a contract with us, we will also share some of your personal data with third-party service providers which help us to detect and prevent possible attempted fraud or other criminal behaviour, respecting and complying with the procedures, rights and guarantees established and recognised at all times by current legislation. The information we share with these third parties includes part of the information that you provide to us when you register as a customer, such as your email address, and information relating to your browsing, such as the IP address of your device.

These third parties that we use to help us to detect and prevent fraudulent transactions are:

- Emailage Limited, incorporated in the United Kingdom. Emailage is also responsible for processing your personal data, and will use it for the purposes set out in its privacy policy. We will process your email address and IP address using the service provided by Emailage Ltd., to generate a fraud risk score. For this purpose, Emailage Ltd., compares and assesses the data points provided with the associated metadata (email data, IP geolocation data) and previous customer queries and fraud indicators provided to Emailage Ltd's global fraud network. Using our fraud risk score, together with other checks we may carry out, we will be able to assess the risk associated with the application or transaction and make decisions in an effort to identify and prevent fraud. You can exercise your data protection rights with Emailage here.

- We will share your data with Confirma Sistemas de Información, S.L., if you initiate the process of entering into a contract with us. Specifically, we will send your data to the Confirma filing system, which Openbank participates in for the purposes of detecting and preventing possible attempted fraud. With regard to the Confirma filing system, we are obligated to inform you of the following:

"The applicants have been informed that the data from this application will be shared with the Confirma filing system, for the purpose of comparing applications and transactions registered in the filing system by the participating institutions in order to detect possible fraud in the contract formalisation process. This purpose involves, among other things, the assessment of the probability of fraud in the application. The legal basis for the processing of personal data is the legitimate interest of the joint data controllers in preventing fraud (Recital 47 of the GDPR), and avoiding possible negative financial consequences and any legal breaches on the part of the applicants. Consulting the Confirma filing system is ideally suited to the purpose, and proportional in relation to the benefit obtained by the joint data controllers and the impact on applicants' privacy. Similarly, data processing is among the reasonable expectations of the data subjects as a common practice, and is carried out in the context of an application to enter into a contract. To avoid damage and negative consequences for the applicants, technical and organisational measures have been adopted to strengthen the confidentiality and security of this information.

The maximum period of time for which the data will be stored is five years.

The joint data controllers are the institutions included in the Confirma filing system. The data processor is Confirma Sistemas de Información, S.L., whose registered address is at Avda. de la Industria, 18, TRES CANTOS, 28760 MADRID, SPAIN. Applicants can see the list of institutions currently included in the Confirma filing system on the website www.confirmasistemas.es.

Institutions can participate in the Confirma filing system if they adhere to its regulations, and their activity could be subject to fraud when taking out products".

The data communicated to the Confirma filing system may be consulted by the institutions adhered to the Confirma Filing System Regulations. There are no plans to transfer data to a third country or international organisation.

In accordance with current data protection legislation, data subjects may exercise their rights of access, rectification, erasure, objection, restriction of processing, the right to not be subject to individual automated decisions having legal effects, and portability, by contacting the data processor, CONFIRMA SISTEMAS DE INFORMACIÓN, S.L., at the address indicated above. Likewise, data subjects may make use of their right to lodge a complaint with the Control Authority.

CONFIRMA SISTEMAS DE INFORMACIÓN, S.L. has appointed a Data Protection Officer that can be contacted by email at dpo@confirmasistemas.es, for any requests regarding privacy issues related to the Confirma Filing System.

In the event that fraud attempts are detected, or fraudulent transactions are suspected, the aforementioned data will be used to preventively block the use of the products or services that you have taken out or engaged, as well as, if necessary, to cancel the business relationship with the client.

Please note that, as we are obliged to comply with the regulations on the prevention of money laundering and the financing of terrorism, we will make use of the relevant information detailed in this section in order to prevent money laundering and the financing of terrorism and to be able to take the appropriate due diligence and information measures in accordance with the aforementioned regulations. This is necessary because, in order to comply with the regulations, we must analyse and take into account any complex, unusual conduct or conduct without a separate lawful economic purpose or which may present indications of a possible crime against wealth or socio-economic order, such as swindling and fraud in general.

The legal basis for this data processing is:

- Our legitimate interest in detecting and preventing fraud, from the application to take out products or services and throughout the entire relationship with our customers (Recital 47 of the GDPR and Legal Report 195/2017 of the Spanish Data Protection Agency (AEPD)), and avoiding any damage to our customers, acting in the interest of account holders that may be affected by third-party fraud This processing cannot be objected to, as there are compelling reasons for it.

- Legal obligation. Specifically, Openbank will carry out this processing in accordance with Decision (EU) 2016/456 of the European Central Bank, of 4 March 2016, concerning the terms and conditions for European Anti-Fraud Office investigations of the European Central Bank, in relation to the prevention of fraud, corruption and any other illegal activities affecting the financial interests of the Union (recast) (ECB/2016/3) (OJEU of 30 March)and Law 10/2010 of 28 April, preventing money laundering and terrorist financing.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; data relating to your personal characteristics; data relating to transactions involving goods and services; employment data; and internet browser data and data from the device used.

4.5.7 Recovery and payment of debts

We will manage the collection of any debts you incur with us in order to resolve any default that may arise, to avoid any problems and to ensure the payment of additional costs and interest. We will contact you through the institution's various channels (post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other digital channel available at any given time). We reserve the right to send you the aforementioned information by certified letter with acknowledgement of receipt.

We will therefore process your data, among others, for the following purposes:

(i) Informing you of any default, as well as how to remedy the default, and any early debt collection procedures or transferring the debt collection to a specialised third party.

The legal basis for this processing is:

- Correct execution of the contract.

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data; and economic, financial and insurance data.

4.5.8 Designing and training risk and behavioural models

It is important to Openbank that we identify and fully understand the needs of banking and financial products and services, as well as the creditworthiness and spending habits of our active customers. To do this, we will carry out the pseudonymisation and/or anonymisation of your personal data, which we will use to design and train the algorithms that enable us to create different behavioural and risk models that we will subsequently use to perform profiling on active customers. In particular, to design and train our behavioural and risk models, we use pseudonymised and/or anonymised personal and financial information from our own and external sources, such as:

(i) Information we have about you derived from the documentation you have provided to us and from your contractual relationship with us (e.g., your transactions).

(ii) Information stored in Openbank filing systems about your behaviour in transactions entered into with us.

(iii) Information contained in financial solvency filing systems to which we have access, such as the ASNEF Filing System and BADEXCUG Filing System.

(iv) Statistical information regarding income data according to the postcode in which you live, obtained from the INE, specifically using statistical data on household income. Information last updated: 2020.

(v) Third-party cookies to develop and improve products that use information about your device and the type of browser you use, if you have given us your consent for their use on our website.

If your personal data is used to design and train our behavioural and risk models, this processing – related exclusively to this design and training – will have no personal legal consequences for you and, when training the model, at no time will we use your personally identifiable information.

Subsequently, and in other processing of your personal data explained in previous sections of this Policy, we may use these behavioural and risk models to compare our customer databases against the models in order to profile our customers, both for marketing purposes (sending advertising) and to analyse and assess their level of risk and creditworthiness, and their propensity to take out one of our products, as well as for their authorisation; to detect and prevent possible fraud attempts; and for the prevention of money laundering and terrorist financing. Similarly, according to the behavioural and risk model that we use, we could use internal and/or external sources, depending on: (i) the credit product you wish to take out; and (ii) whether you are an existing Openbank customer. The reason why the level of profiling is different depending on whether or not you are an existing Openbank customer is because if you are a customer, we already have information about you derived from the contractual relationship that enables us to predict your risk of non-performing loans without consulting external sources.

Similarly, we are pleased to inform you that Openbank has a control model that ensures the quality of the information from the algorithms used to design our behavioural and risk models.

The legal basis for this data processing is:

- Our legitimate interest in designing, creating and offering innovative and efficient financial products and services to our customers based on different behavioural and risk models created by our algorithms, as well as to analyse and assess the level of risk and creditworthiness of our customers, to detect and prevent possible fraud attempts, and to prevent money laundering and terrorist financing. You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?"

The categories of personal data that Openbank will process to fulfil the purposes set out above are: your voice; economic, financial and insurance data; data relating to transactions involving goods and services; information contained in financial solvency filing systems to which we have access, such as the ASNEF Filing System and BADEXCUG Filing System; other statistical information regarding income data according to the postcode in which you live, obtained from INE; and other metadata such as the device from which you are connected.

4.5.9 Statistical analysis

Similarly, for the purpose of identifying and understanding the needs of our customers, as well as their spending habits, we will carry out a series of statistical analyses, which includes customer experience analysis, in order to improve:

(i) Our products and services.

(ii) Our analytical models.

(iii) Our processes and operations.

(iv) Monitoring and analysis of the portfolio of existing and potential Openbank customers.

(v) Information on interactions with our communications.

To do this, we pseudonymise and/or anonymise your personal data using pseudonymised and/or anonymised personal and financial information from our own and external sources, such as:

(i) Information we have about you derived from the documentation you have provided to us and from your contractual relationship with us.

(ii) Information stored in Openbank filing systems about your behaviour in transactions entered into with us.

(iii) Information contained in financial solvency filing systems to which we have access, such as the ASNEF Filing System and BADEXCUG Filing System.

This processing, exclusively related to carrying out the aforementioned statistical analysis, will have no personal legal consequences for you, and the information generated will at no time include personally identifiable information.

The legal basis for this data processing is:

- Our legitimate interest in designing, creating and offering innovative and efficient financial products and services to our customers based on the statistical analysis conducted. You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?"

The categories of personal data that Openbank will process to fulfil the purpose set out above are: economic, financial and insurance data; data relating to transactions involving goods and services; information about creditworthiness obtained from external sources such as the ASNEF Filing System, BADEXCUG Filing System; other statistical information regarding income data according to the postcode in which you live, obtained from the INE; and other metadata such as the device from which you are connected.

4.5.10 Incident analysis and resolution

We also process your personal data to manage any incident that may occur when using the website or app and the different services and products of Openbank, which includes detecting, managing and resolving such incident.

The legal basis for this data processing is:

-Our legitimate interest in detecting and resolving incidents in order to provide you with an adequate service. You may object to this processing based on our legitimate interest as set out in Section 7 “What rights do you have with regard to the processing of your personal data?”

The categories of personal data that Openbank will process for the purposes described above are the following: identification data, economic, financial and insurance data as well as your IP address.

4.5.11 Recording your voice and/or image and electronic conversations held with you

Throughout your contractual relationship with Openbank, there may be situations in which we record your voice and/or image and the electronic conversations we have with you regarding transactions and queries. In these situations – of which you will be expressly informed in advance when they arise – we will store the telephone and/or electronic conversation for the following purposes:

(i) Internal service quality audits.

(ii) Using the recordings as evidence of the instructions received and/or service provided, in court or out of court, if necessary.

(iii) Designing and training models.

The legal basis for this data processing is:

- Our legitimate interest in recording your voice, as well as the electronic conversations held with you, in order to: (i) be able to audit the quality of our services and therefore to improve them and make them more efficient; and (ii) respond to information requests from the competent authorities or use the recordings as evidence in court.

You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; economic, financial and insurance data; and data and information required to audit the quality of our services.

We will process your data in order to send you notifications via email, web push, SMS, our app and/or our website for the following purposes:

(i) To notify you regarding certain circumstances that arise with the products and services you have taken out with Openbank or the relationship you have with us (such as be notifications about rejected transactions). As such, if you have taken out a card with us, we may send you notifications whenever you use it for security reasons, as well as for you to control your spending and to notify you when a purchase has been rejected.

(ii) To send you notifications for the prevention of financial fraud, security alerts and/or spending controls: (i) for transactions using one of the products you have taken out with us, such as a credit card: (ii) when you use one of our services (e.g., Bizum); or (iii) when you log in from a new device.

(iii) Additionally, if you are no longer an Openbank customer, we will also process the data necessary to send you communications to which we are legally obliged, e.g., to provide you with tax information.

You can activate/deactivate and even configure some of the notifications to suit your preferences, by going into the settings of the "Notifications" section of the main menu on the app, or in the "Notifications" section of your private area on our website.

The legal bases for this data processing are:

- Correct execution of the contract. We may send you notifications about transactions you carry out using the products and services you have taken out.

- Our legitimate interest in sending you notifications in order to preventing financial fraud, as well as security alerts when you carry out a transaction using one of the products and services you have taken out with us, such as a credit card. This processing cannot be objected to, as there are compelling reasons for it.

- Legal obligation to make a number of documents or information available to you during the corresponding period, even after the relationship with us has ended, e.g. Royal Decree-Law 19/2018 of 23 November on payment services and other urgent financial measures.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data and economic, financial and insurance data.

4.5.13 Quality and satisfaction surveys and market research

Openbank will process personal data associated with the use of the products and services you have taken out with us to carry out quality and customer satisfaction surveys (by email, SMS, telephone or other communication channels), conduct market research or compile internal statistics, and to produce commercial reports to better understand our customers' spending habits and to conduct an internal assessment of the design, creation and improvement of new products that may be of interest to our customers, or to reach commercial agreements with third parties. Where possible, we will anonymise your personal data to carry out surveys and market research.

As part of the activities set out above, among others, we will carry out satisfaction surveys using the Net Promoter Score (NPS) methodology, in order to identify whether our customers would recommend Openbank products, for the purposes of which your personal data may be transferred to the third party conducting the survey.

The legal basis for this processing is:

- Our legitimate interest in using the data obtained from surveys, market research, internal statistics or commercial reports to improve our products and our service provision to customers. You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data; economic, financial and insurance data; and browser data.

4.5.14 Answering legal complaints, requirements from competent bodies and protecting legal rights on behalf of Openbank

We will process personal data that is necessary to: (i) assist you or persons acting on your behalf in the exercise of your rights; (ii) process and respond to requests from the competent authorities and bodies (both judicial and extrajudicial), such as requests for information in the course of judicial investigations; (iii) formulate and exercise our own defence against claims, judicial or extrajudicial, initiated by Openbank or by you.

The legal basis for this processing is:

- Legal obligation. Specifically, the different obligations to meet the requirements of competent authorities, to resolve complaints made by the data subjects in accordance with the provisions of Regulation (EU) No 524/2013 of the European Parliament and of the Council of 21 May 2013 on dispute resolution, and in accordance with the legislation governing the transparency of banking transactions and customer protection, as well as the personal data protection regulations, among others.

- Our legitimate interest in responding to legal, administrative or judicial claims, addressing them and taking the legal action we deem necessary, as well as to defend ourselves against any claims brought against the company, all pursuant to the right to effective judicial protection. This processing cannot be objected to, as there are compelling reasons for it.

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data; economic, financial and insurance data; and data required to resolve the complaint lodged or to respond to the requirements of the competent authority

When you use our social media channels, such as Facebook, Twitter and Instagram, to request information or make an enquiry, we will process your personal data using specialised tools for the purpose of:

(i) Streamlining and optimising the responses to your enquiries made via social media. Bear in mind that, when using our social media channels, the processing of your personal data will also be subject to the provisions of the privacy policy of the relevant social media platform through which you request information or make an enquiry.

(ii) We will also analyse your interactions (comments or posts) related to Openbank on different social media platforms, in order to determine internally what improvements could be implemented in our operations and the products and services we offer to our customers. Where there is a large number of customers complaining on social media about a specific step in the onboarding process, we will take these complaints into account to improve the issues highlighted by users on social media; or if many customers have liked a promotion on social media, we may relaunch that promotion after a period of time.

The legal basis for this data processing is:

- Our legitimate interest in being able to respond, in a streamlined and optimum way, to the enquiries made by our customers though social media, as well as offering an effective and simple operation and products adapted to the needs and expectations of our customers. You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data.

4.5.16 Capturing images on video surveillance systems in our branches

When you enter one of our branches, we will capture images of you on our video surveillance systems. We will carry out processing of your images captured on the video surveillance systems for the purpose of:

(i) Protecting your integrity and the integrity of our property and facilities.

The legal basis for this data processing is:

- Legal obligation. Specifically, with regard to the installation of systems for capturing and recording images in bank buildings and offices, pursuant to the provisions of Organic Law 4/2015, of 30 March, on the protection of public safety, Royal Decree 2,364/1994, of 9 December, which approves private security regulations and Order INT/317/2011, of 1 February, on private security measures.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data (images).

4.5.17 Audits and compliance verification

We will process your data relating to the implementation of internal compliance verification controls, and as part of different audits.

The legal basis for this processing is:

- Legal obligation. For example, carrying out account audits.

- Our legitimate interest in verifying the adequacy of our processes to fulfil the legal obligations and internal quality standards for identifying, controlling and mitigating legal or operational risks. You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

Bear in mind that this information can be accessed by third-party companies which provide audit services for this purpose.

The categories of personal data that Openbank will process are all personal data to which it has access.

4.5.18 Verification of account ownership through Iberpay at the request of a third party

When you go to sign a contract with a third party which requires you to make a payment by direct debit or a charge in your Openbank account, we may process your data to confirm to the third party that you are the account holder. This request is made through Iberpay's account ownership verification service.

The legal basis for this processing is:

- Correct execution of the contract. Correct performance of the contract that you have entered into with Openbank or with the party requesting the data.

The categories of personal data that Openbank will process are: identity data.

4.5.19 Designing and training a machine learning model to validate DNIs

Notwithstanding what we have set out in Section 4.2.1 "Specific data processing relating to the validation of the customer's identity (automated decision)", in order to avoid the irregular opening of current accounts, we will design and train our own algorithm to analyse and study our customers' DNIs and detect common patterns that will enable us to identify falsified documents (currently, we use third-party software to verify the validity of your national identity document).

In particular, to design and train this model, we will use the personal data that appears on the DNIs of active Openbank customers who are Spanish nationals over 18 years of age.

The logic used for this purpose will consist of the capture and processing of the DNI image to perform a recognition analysis on said image and, subsequently, to validate it.

At present, this processing will be exclusively related to the aforementioned activities of designing and training the model, and will have no personal legal consequences for the customers affected. Once we have a final model and we have decided to use it in our customer registration processes, we will provide you adequate information about this, in accordance with the provisions of data protection regulations.

Similarly, we are pleased to inform you that Openbank has a control model that ensures the quality of the information from the algorithms used to design our machine learning models. In this particular case, there will also be a second verification, which will involve a human being who will make the final decision regarding the authenticity of the DNI.

The legal basis for this data processing is:

- Our legitimate interest in designing a behavioural model using our algorithms, which enables us to detect false positives and false negatives in the validation of customers' identity documents, and to avoid the irregular opening of current accounts and the resulting risk in terms of money laundering and the terrorism financing. You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data.

4.5.20 Strong customer authentication using biometric data

As a payment service provider, we are obligated to apply strong customer authentication (SCA) procedures, in order to confirm your identity or the validity of the payment instrument you are using and to strengthen the security of the payment market.

Specifically, strong customer authentication requires that, when we provide certain services, we must use at least two different datasets, known as authentication factors. These factors are divided into three groups: knowledge (something you know), possession (something you have) and inheritance (something you are).

The third of these factors, inheritance, is the biometric verification carried out through physical parameters, such as for example finger prints or facial recognition.

If you have a mobile phone with fingerprint or facial recognition, you can register it for the aforementioned purposes as a "trusted device" on the Openbank app. Openbank will receive confirmation from the device, but will not process biometric data.

The legal basis for this data processing is:

- Your prior and informed consent for biometric data processing. Remember that if you change your mind, you can withdraw the consent you have given us according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

- Legal obligation. Specifically, Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, transposed in Spain by Royal Decree- Law 19/2018, of 23 November, on payment services and other urgent financial measures.

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data.

4.5.21 Device access

When you use the Openbank application or carry out certain transactions through an electronic device, in addition to the processing explained above, we will also use the data you provide for other purposes.

Thus, in some processes you will be able to authorise us to access your device's camera or your files, for example, when we ask you for your ID card, you will be able to provide it by giving us access to your camera to take a photograph of it.

In addition, if you authorise it, you will be able to access your Customer Area on the application, verifying your identity through biometric recognition systems such as your fingerprint.

The legitimate basis for this data processing is:

-Your prior informed consent. Please note that if you change your mind, you may withdraw the consent you have given us as described in Section 7 "What rights do you have with regard to the processing of your personal data?"

The categories of personal data that Openbank will process in order to carry out the purposes described above are as follows: identification data and any other data that you may provide to us by these means.

4.5.22 Custody of documentation and communications

We will process your personal data in order to store those documents and exchanges of information that are necessary to establish or maintain the contractual relationship, to provide you with the corresponding services, as well as for any management that you request from us, in this case even if you are not our customer. For example, we are legally obliged to keep the contract you sign with us for the relevant period.

The legitimate basis for this data processing is:

-Correct performance of the contract. Application at your request of pre-contractual measures and execution and fulfilment of our contractual obligations in relation to the product you take out with Openbank.

-Legal obligation. Specifically, Openbank will carry out this processing in order to comply with the legal obligations applicable to banking institutions, among others.

The categories of personal data that Openbank will process in order to carry out the purpose described above are the following: identification data; economic, financial and insurance data.

4.5.23 Wills, bankruptcy proceedings and powers of attorney

Whether you are a customer or not, we will process your personal data for the following purposes: (i) to be able to process wills at Openbank (to manage the issuance of the account balance statement and the request for change of ownership of the account balance due to succession); (ii) to be able to take the necessary measures in the event that a customer is in a situation of bankruptcy; (iii) as well as to be able to consider valid power of attorney documents sent to us and to manage the request that accompanies them.

The legitimate basis for the data processing:

-Correct execution of the contract. To be able to carry out the procedures you request from us.

-Our legitimate interest in knowing the customer's financial situation and being able to take appropriate action.

-You may lodge your objection to this processing on the basis of our legitimate interest in accordance with the provisions of the Section 7 "What rights do you have with regard to the processing of your personal data?"

The categories of personal data that Openbank will process in order to carry out the purpose described above are the following: identification data; economic, financial and insurance data.

4.6 Sending marketing

In this section, we provide information about the scope, purpose and legal basis for the various forms of processing that we will carry out on your personal data, depending on the different types of marketing we can send you from Openbank. However, please bear in mind that at any time you may exercise your data protection rights as set out in Section 7 "What rights do you have with regard to the processing of your personal data?" in relation to this processing and in particular the right to object and/or withdraw your consent. Equally, so that we don't disturb you and ensure that we comply at all times with the law, before processing your data for the purposes of marketing by post or telephone, we will consult the advertising exclusion database (Robinson Lists) included in the report published by the AEPD to confirm that you are not included in any of them, in the case that such consultations are legally required.

Once you have engaged our services, your personal data will be used to send you marketing about our own products and services, including those you have taken out (for example, we may send you an email from Openbank about a new virtual debit card). This marketing may be sent using automated and non-automated methods (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other digital channel available at any given time), and will be personalised with information extracted from our internal sources and based on which we have generated profiles based on your behaviour patterns.

The purpose of creating these profiles is to be able to assess your financial and personal characteristics, based solely on information from internal sources, in order to determine which of our related products and services best suit your personal situation, based on two variables: your willingness to take out the product and the probability that you will be eligible for the product.

The profile will be created based on an automated decision, in which the following logic will be applied. We will process the information you have provided to determine your payment behaviour, the customer segment(s) to which you belong according to our internal classification criteria and the periodic fulfilment of your contractual obligations. This activity may lead us to decide not to offer you certain products or services, depending on the risk estimated by the institution and the rating resulting from the analysis of the information obtained.

We will also process your personal data to assess your behaviour with regard to the impact and success of our advertising campaigns.

This data processing will be carried out while your contractual relationship with Openbank remains in force, unless you instruct us otherwise by exercising your right to object.

Similarly, since this processing is carried out based on an automated decision, you have the right to request an explanation of the decision made and can exercise your right not to be subject to a decision based solely on automated processing, requesting the involvement of one of our analysts to express your point of view on the decision made based on the creation of profiles and to contest it. At this stage, you can provide any additional documentation that you consider necessary.

The legal basis for this data processing is:

- Our legitimate interest in promoting and offering you our products and services, by sending general information or information adapted to your personal characteristics. Openbank's prevailing interest in carrying out this data processing is to maintain our relationship with you by providing new products and improving the conditions of the products and/or services you have taken out, and offering you information about Openbank and its products that could be of interest. We believe that the personal data processing indicated above in no way hinders the normal exercising of your rights and freedoms, as it is a common practice in the business sector, and we therefore trust that receiving this type of information will not fall below your expectations. Similarly, we undertake to use the least disruptive means possible to carry out these data processing activities. You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; and economic, financial and insurance data.

4.6.2 Sending marketing about Openbank products and services based on information obtained and profiles created from internal and external sources (automated decision)

Provided that you have given us your prior and express consent, Openbank may send you personalised marketing about its own products and services (for example, we may send you an email from Openbank about a new loan) while our contractual relationship remains in force. This marketing may be sent using automated and non-automated methods (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other digital channel available at any given time), and will take the analysis of your customer profile into account.

The purpose of creating these profiles is to be able to analyse your financial and personal characteristics, in order to determine which products marketed by this institution best suit your situation, based on two variables: your willingness to take out the product and the probability that you will be eligible for the product.

The profile will be created based on an automated decision, in which the following logic will be applied. We will process the information you have provided to determine your payment behaviour, the customer segment(s) to which you belong according to our internal classification criteria and the periodic fulfilment of your contractual obligations. This activity may lead us to decide not to offer you certain products or services, depending on the risk we estimate and the rating resulting from the analysis of the information obtained.

It is important that you understand that this data processing activity is restricted to the aforementioned purpose, which is to recommend Openbank products and services based on data obtained from internal and external sources.

Bear in mind that, if you give us your consent for this, we can use information obtained through the Openbanking Financial Aggregator (managed through Tink) for the above profiling in order to send you marketing about our products and services.

The legal basis for this data processing is:

- Your prior and informed consent to send marketing described above.

- Your prior and informed consent to use the information obtained from the Openbanking Financial Aggregator to send you the marketing described above.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; and economic, financial and insurance data.

4.6.3 Sending marketing about third-party products and services based on profiles created using data from internal and external sources (automated decision)

Provided that you have given us your prior and express consent, Openbank may send you personalised marketing about the products and services of third-party companies (for example, we may send you an email from Openbank about discounts on home insurance). This marketing may be sent using automated and non-automated methods (by post, telephone, SMS, instant messaging applications, email, web push, pop-up or any other digital channel available at any given time) and will take the analysis of your customer profile into account.

Regarding the third-party companies about whose products and services marketing will be sent, please be advised that these institutions carry out their commercial activity primarily, although not exclusively, in the following sectors: financial, insurance, leisure and tourism, entertainment, telecommunications, information society, retail, luxury, health, food, automotive, hospitality, department stores, energy, real estate and security services, among others.

The purpose of creating these profiles is to be able to analyse your financial and personal characteristics, in order to determine which products marketed by these third-party companies best suit your situation, based on two variables: your willingness to take out the product and the probability that you will be eligible for the product.

This profile will be generated based on the analysis of your behaviour and risk patterns, as well as from the information extracted from the external sources set out in Section 3 "What data do we process at Openbank and how do we obtain it?" of this Policy. As such, for example, if the information we have about you shows that you are interested in technology products, we may send you marketing about products offered by companies in that sector.

The profile will be created based on an automated decision, in which the following logic will be applied. We will process the information you have provided, and the information extracted from external sources, to determine your payment behaviour, the customer segment(s) to which you belong according to our internal classification criteria and the periodic fulfilment of your contractual obligations. This activity may lead us to decide not to offer you certain third-party products or services, depending on the risk we estimate and the rating resulting from the analysis of the information obtained.

It is important that you understand that this data processing activity is restricted to the aforementioned purpose, which is to recommend you third-party products and services.

Bear in mind that, if you give your consent for this, we can use the information obtained through the Openbanking Financial Aggregator (managed through Tink) for the above profiling in order to send you marketing about third-party products and services.

The legal basis for this data processing is:

- Your prior and informed consent to send the marketing described above.

- Your prior and informed consent to use the information obtained from the Openbanking Financial Aggregator to send you the marketing described above.

The categories of personal data that Openbank will process to fulfil the purposes set out above are: identity data; and economic, financial and insurance data.

4.6.4 Personalised advertising on the Openbank private website

When you access the private section of your profile on our website, we will show you adverts for features, products and services that we believe might interest you based on the products you have taken out. If you wish, you can object to receiving this type of personalised advertising by following the instructions in Section 7 "What rights do you have with regard to the processing of your personal data?", but bear in mind that you will still receive general notifications that are not based on your interests or preferences, for example messages that offer an easier way to take out a product and, depending on your privacy settings, you may also receive other types of advertising.

The legal basis for this data processing is:

- Our legitimate interest in sending marketing and giving our customers information about Openbank products and/or services that are similar to those they have taken out, because this is the most likely way for them to take out additional ones. You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data; and economic, financial and insurance data.

If you are registered on any social media platform, we will process your personal data for the following purposes:

(i) Showing you adverts aimed specifically at you for Openbank products or services that are similar to those you have previously taken out with us, and which may be of interest to you.

‌To carry out these activities, we will use social media tools developed specifically for these purposes (for example, Facebook Custom Audiences).

Social media privacy policies will give you information about how your data is processed using these tools. With regard to this processing, we will be considered joint data controllers together with the social media platform or separate controllers, as the case may be.

By using these tools, Openbank will create segments according to users' interests and, therefore, if you are a social media user and you are categorised in the audience we select, you may receive Openbank advertising. Bear in mind that in these cases, Openbank only carries out the audience segmentation, it does not have access to the end users affected, and therefore to object to receiving this information you must contact the relevant social media platform.

The legal basis for this data processing is:

- Our legitimate interest in sending marketing though different channels regarding Openbank products and/or services. You can object to this processing based on our legitimate interest according to the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?".

- Notwithstanding the above, when the various social media tools are used to develop a comprehensive profile of you, we will validate that the tool has requested prior and express consent from users to carry out the processing described herein, and to be able to send you information about products and services of interest to you.

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data; and economic, financial and insurance data.

4.7 Draws, promotions and event attendance

Regardless of whether or not you are an Openbank customer, we will process your data when you participate in draws, promotions and events that we organise, for the purpose of managing your participation in and attendance at them (including confirmation of compliance with the requirements for participating in the draw/promotion and, where applicable, communicating with you and sending you the prize if you are the winner).

We may also process data for the performance of our legal obligations if you are the lucky winner, and we have to make a tax withholding on the prize. The data will be shared exclusively with the AEAT for tax purposes.

The legal basis for this processing is:

- Correct execution of the contract. Performance of our contractual obligations acquired with you when you accept the terms and conditions for taking part in promotions/drawsor when you request to attend the corresponding event.

- Legal obligation. Compliance with our tax obligations.

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data.

4.8 Reviews and ratings of our products and services

Regardless of whether or not you are an Openbank customer, we will process your data when you leave a review or rating of our products and services on public websites or through the platforms available for this purpose and identify yourself or directly provide us with your personal data so that we can respond to you and take your contribution into account for future improvements.

The legal basis for this processing is:

-Our legitimate interest in responding to the assessments and using the assessments to implement the relevant changes. You may object to this processing on the basis of our legitimate interest in accordance with the provisions of Section 7 "What rights do you have with regard to the processing of your personal data?". The categories of personal data that Openbank will process for the purposes described above are as follows: identification data and the data you provide through the review or rating.

4.9 Processing third-party data

4.9.1 Guarantors or sureties

If you are a guarantor or surety, regardless of whether you are a customer or not, we will process your data for the following purposes, in accordance with the provisions of Sections 4.2 "Management of your customer registration and application of pre-contractual measures", 4.4. "Data processing once you become a customer, in relation to the products you have taken out" and 4.5. "Processing of our customers' personal data carried out independently of the Openbank product taken out":

(i) Managing your registration as a guarantor or surety and the application of pre-contractual measures.

(ii) Processing data relating to the products for which you are a guarantor or surety (e.g., if you are acting as a guarantor or surety for a mortgage loan, we will process your data in order to analyse your creditworthiness).

(iii) Anti-money laundering and counter-terrorism financing.

(iv) Sending information to the AEAT.

(v) Reporting defaults in credit information filing systems.

(vi) Detection and prevention of possible attempted fraud.

(vii) Recovery and payment of debts.

(viii) Designing and training risk and behavioural models.

(ix) Statistical analysis.

(x) Answering your legal complaints and protecting legal rights on behalf of Openbank.

(xi) Audits and compliance verification.

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data; data relating to your personal characteristics; data relating to your social circumstances; employment data; data relating to marketing; and economic, financial and insurance data.

4.9.2 Individual business owners, representatives of natural or legal persons, or agents

If you are an individual business owner, representative of a natural or legal person, or agent, we will process your data for the following purposes, as applicable in each case:

(i) Maintenance and management of the pre-contractual and contractual relationship that binds us to a customer or the person interested in taking out our products or services.

(ii) Communicating with our customers.

(iii) Verifying your powers of representation.

The legal basis for this processing is:

- Correct execution of the contract with the natural or legal person you represent.

- Our legitimate interest in processing the personal data of individual business owners and representatives of legal persons in order to manage and maintain the commercial and contractual relationship with the legal person they represent. This processing cannot be objected to, as there are compelling reasons for it.

- Legal obligation. Specifically, verifying your capacity to represent the person you represent and the validity of the position you hold, as well as complying with our formal identification obligations pursuant to Law 10/2010 on anti-money laundering and counter-terrorism financing.

In addition to the aforementioned processing specifically derived from your status as an individual business owner, representative of a natural or legal person, or agent, notwithstanding the fact that you are not a customer as such, we will also process your data for the following purposes in accordance with the provisions of Section 4.5 "Processing of our customers' personal data carried out independently of the Openbank product taken out":

(i) Anti-money laundering and counter-terrorism financing.

(ii) Detection and prevention of possible attempted fraud.

(iii) Designing and training risk and behavioural models.

(iv) Statistical analysis.

(v) Answering your legal complaints and protecting legal rights, as well as complying with legal obligations on behalf of Openbank.

(vi) Audits and compliance verification.

The categories of personal data that Openbank will process to fulfil the purpose set out above are: identity data; data relating to your personal characteristics; academic and occupational data; data relating to marketing. In the case of individual business owners and representatives of legal persons, we will process your contact data, data relating to the position you hold and, in general, the data necessary to locate you professionally.

5. HOW LONG DOES OPENBANK KEEP YOUR DATA FOR?

Openbank will keep your data for as long as it is required for the purpose for which it was collected and, subsequently, will block the data during the legally required retention periods or limitation periods. Where appropriate, after these periods, we will proceed to destroy or completely anonymise the data.

Blocking means that Openbank will not carry out any processing other than storing the data to make it available to the competent public bodies, judges and courts, or the public prosecutor's office; for any possible liabilities arising from the contractual relationship maintained with you or related to the data processing.

Specifically, if you are a customer, we will process your data throughout the time that you maintain a contractual relationship with us. Once this relationship is terminated, as a general rule, we will keep your personal data blocked. Bear in mind that some actions provided for by consumer regulations, such as cessation or declaration of invalidity, are not subject to any limitation periods.

Your applications or simulations that do not end in you taking out a product will be kept for what we deem a reasonable length of time, to avoid duplications in your management and in case there is any need to respond to a claim regarding our use of your data. We will then proceed to erase the data.

6. TO WHOM DO WE DISCLOSE YOUR DATA?

Openbank may share your personal data with the following recipients according to our legitimate interest, the legal obligations we have to fulfil and/or the products you have taken out:

(i) We will share your personal data with the public authorities, official bodies, banking supervisory and oversight bodies, and competent tax authorities which request said data for the purposes of complying with the regulations in force at any time in the banking and financial sector, the legislation on anti-money laundering and counter-terrorism financing, and legislation governing consumer protection.

(ii) In the event of defaults, we will share the data with financial solvency filing systems (the ASNEF Filing System and BADEXCUG Filing System), complying with the procedures and guarantees established and recognised at all times by current legislation.

(iii) We will share your data with Santander Group companies (in accordance with the provisions of Article 42 of the Spanish Commercial Code) to comply with their internal regulations on the prevention of financial crime, their legal obligations with regard to the prevention of money laundering or regulatory reporting to the supervisory authorities.

(iv) When you take out certain products or services (such as funds, pension plans, insurance), we will share your data with third-party companies for the correct provision of the service (i.e., management companies, depository institutions for the products, insurance companies).

(v) ‌If you contract the instant transfer service from Bizum‌, we will transfer your data to this organisation as owner of the directory, as well as institutions signed up to the service (www.bizum.es/entidades), to the beneficiaries and payers in transactions carried out and, where applicable, to the NGOs that have been registered as beneficiaries of donations.

(vi) We will share your data with notaries, when their involvement is required, if the service you have requested from us needs to be notarised (such as granting mortgages).

(vii) Your data will also be disclosed to property appraisal companies when their involvement is required depending on the product you have taken out (as in the case for a mortgage), in order to process the appraisal request and produce the corresponding appraisal report.

(viii) Depending on the product taken out, we may also transfer your data to a management company. For example, in the case of taking out a mortgage loan, we will do this so that they can assist you with processing the documents.

(ix) We will submit your data to public registries (such as the Property Registry) when the relevant guarantees (mortgages) need to be registered.

(x) If you make a creditor subrogation request for the mortgage you hold with Openbank with another institution, we will share with that institution the information required for the purposes of processing the subrogation. Specifically, at the request of the subrogated creditor, we may send them supporting information about the costs of the subrogated loan, in order for that institution to carry out the necessary processing to fulfil its legal obligations, in accordance with the provisions of Law 2/1994, of 30 March, on subrogation and amendment of mortgage loans and Law 5/2019, of 15 March, governing mortgage loan agreements.

(xi) We will share your data with Emailage Limited and Confirma Sistemas de Información, S.L., to detect and prevent possible attempted fraud, respecting and complying with the procedures, rights and guarantees established and recognised at all times by current legislation.

(xii) Similarly, Openbank collaborates with third-party service providers which may have access to your personal data, but they will process data on our behalf as data processors, following our instructions at all times and always to provide us with services that we have engaged from them in each case.

Specifically, Openbank contracts services from third-party providers which operate in sectors including but not limited to the following: logistics services, legal advice, supplier approval, multidisciplinary professional services companies, hosting companies, maintenance-related companies, technological service providers, software service providers, physical security companies, instant messaging service providers, infrastructure management and maintenance companies, call centre service companies and control companies.

In any case, Openbank follows strict selection criteria for third-party service providers in order to comply with our data protection obligations, and we undertake to enter into data processing contracts with them that impose the following obligations, among others: applying appropriate technical and organisational measures; processing personal data for the agreed purposes and only in accordance with our documented instructions; and deleting or returning the data to us once the services have been provided.

(xiii) We will transfer your data internationally only within the scope of some of the aforementioned service provision by third-party service providers.

Their purpose of these international data transfers will be the maintenance and management of the contractual relationship you have with us or the prevention of fraudulent activity or transactions.

These transfers will be carried out to countries offering an adequate level of protection, equivalent to the European Union, as well as countries that do not offer that level of protection. In the latter case, you have nothing to worry about. Openbank uses various regulatory mechanisms to ensure compliance with all guarantees when we process your personal data, such as standard contractual clauses or certification mechanisms.

You can consult the international data transfers that we carry out either directly or subcontracted to one of our service providers here, or by writing to privacy@openbank.es.

7. WHAT RIGHTS DO YOU HAVE WITH REGARD TO THE PROCESSING OF YOUR PERSONAL DATA?

We can inform you that you have, and can exercise, the following rights:

(i) Right of access: you have the right to obtain confirmation as to whether or not Openbank is processing personal data about you, and if so, to access said data.

(ii) Right to data portability: you have the right to receive the personal data you have provided to us in a structured, commonly used and readable format, and to transfer it to another entity.

(iii) Right to rectification: you have the right to request the rectification of any inaccurate data.

(iv) Right to erasure: you can request the erasure of the data when, among other reasons, the data is no longer necessary for the purposes for which you gave it to us.

(v) Right to object: under certain circumstances, you can object to certain processing of your personal data (for example, objecting to marketing being sent by email). In this case, Openbank will immediately stop said data processing, in accordance with the applicable regulations.

(vi) Right to restrict processing: under certain circumstances, which are established by current data protection regulations, you can request restrictions on the processing of your data.

(vii) Right to withdraw your consent: you may withdraw any consent you have granted at any time. Withdrawing consent will not affect the legality of processing based on the consent prior to its withdrawal.

(viii) Right not to be subject to automated decisions-making: if you have authorised profiling and this has been carried out entirely by an automated process, you can request the personal involvement of one of our analysts, express your point of view, and contest decisions based on these profiles. At this stage, you can provide any additional documentation that you consider necessary.

You can exercise the aforementioned rights through the following channels:

- Website: from your customer profile in the "Personal Data" section.

- Email: privacy@openbank.es.

- By post: "Open Bank, S.A.", Plaza de Santa Bárbara, 2, 28004, Madrid, Spain.

- Branch: Paseo de la Castellana 134, 28046, Madrid, Spain.

- Contact Centre: 900 22 32 42. For calls from abroad (+34) 91 276 21 54.

Finally, you can make a complaint to Openbank and/or the Spanish Data Protection Agency (AEPD) (as the competent supervisory authority with regard to data protection), especially when you have been dissatisfied when exercising your rights, by writing to the address provided above, if you wish to contact Openbank, or C/Jorge Juan, 6, 28001, Madrid, Spain, if you wish to contact the AEPD; or via the website ww.aepd.es.

8. DO YOU HAVE TO KEEP YOUR DATA UP TO DATE?

In order for us to communicate with you properly and provide the engaged services correctly, you undertake to ensure that all data you provide is correct, complete, accurate and duly updated, assuming any liability that may arise from having provided us with incorrect, erroneous or inaccurate data.

If you change any of the personal data you have submitted to us, especially your postal address, email address or contact telephone number (landline or mobile), please let us know as soon as possible by calling the contact centre (on 900 22 32 42 or +34 91 276 21 54 for calls from abroad), editing this information directly in the "Personal data" section on your Openbank profile or emailing us at privacy@openbank.es. In some cases, we may need to ask you for additional documentation or proof.

If you do not inform us of these possible changes, you assume that the information we have sent to the postal address, email address or contact telephone number included in our filing systems should be considered valid, binding and fully enforceable.

9. USE OF COOKIES AND TRACKERS

Openbank uses cookies and trackers to, among other things, remember who you are when you access your private area, or to personalise content to ensure it is of interest to you based on your browsing habits.

When you enter the Openbank website or app, we will inform you about the cookies or similar technologies we use. You can configure the analytics, advertising, behavioural, personalisation, and product development and improvement cookies that we use when you browse on Openbank or use our app. You can consult our website Cookie Policy or our App Cookie Policy for further information.

10. COMPLIANCE WITH CODES OF CONDUCT

Openbank complies with the Code of Conduct for Data Protection in Advertising of the Association for Advertising Self-regulation (hereinafter "AUTOCONTROL"), accredited by the Spanish Data Protection Agency, and therefore it is bound by its extrajudicial system for processing claims when they concern data protection and advertising, available to data subjects here. Bear in mind that the language of mediation is Spanish and, in exceptional cases, English.

11. CHANGES TO THIS PRIVACY POLICY

Openbank undertakes to keep this Privacy Policy up to date, including any changes that arise in relation to the scope of processing we carry out on your personal data. For this reason, it is important that you periodically take some time to read it carefully and understand it. You will be informed in advance of any possible modification that we may introduce, at least through our website/app and in a personalised message that we will send to the private area of your customer profile and to your personal email, so that you have the opportunity to remain duly informed at all times.

If you wish, you can download our Privacy Policy in Spanish.

You can also download the previous version of our Privacy Policy (19 December 2023).

You can also download the previous version of our Privacy Policy (24 September 2021).

You can also download the previous version of our Privacy Policy (26 October 2020).

You can also download the previous version of our Privacy Policy (25 May 2018).

Cookie Policy

1. What are cookies?

2. What are they used for?

3. How are cookies enabled?

4. What types of cookies do we use?

5. How long are cookies enabled for?

6. Who processes or manages cookies?

7. I have accepted cookies but I now want to disable them. How do I do this?

8. Processing of personal data

9. Changes to the Cookie Policy

10. Do you have any questions?

11. Finally, we suggest you:

Last updated: May 2024

At Open Bank, S.A. (hereinafter, “OPENBANK”) we use cookies on our website www.openbank.es/en (hereinafter, the “Website”) and we want to tell you all about them in this Cookie Policy (hereinafter, the “Cookie Policy”).

1. What are cookies?

Cookies are data storage and retrieval files that are downloaded to your devices whenever you visit and/or browse our Website. They even contain a number that uniquely identifies your computer or mobile device, even if you change your location or IP address.

2. What are they used for?

Cookies allow us to collect data that could identify you or your approximate location, connection time, the device used (e.g. fixed or mobile), the operating system and browser used, the most frequently visited pages, the number of clicks performed and information on your online behaviour.

In some cases, they also save information about your browsing habits and preferences that will allow us to provide you with a better and more customised experience, and even show you advertising related to your preferences every time you visit our Website.

They also allow us to collect data showing patterns on how our website is used to identify problems and make improvements, develop new products or services, and generate statistics or usage measurements.

3. How are cookies enabled?

Cookies can be enabled in different ways, depending on their purpose. In some cases, when they are necessary for our Website to work properly, they are installed during browsing; while in others, when your authorisation is required, they will be enabled when you give us your permission. You can make changes to this consent at any time through the various settings options we provide later on in this Cookie Policy.

Please note that you can access our Website without all cookies being enabled (apart from technical cookies), but that disabling them may prevent the Website from working properly.

For those cookies that, in order to function, require your authorisation, with the aim of ensuring that your preferences are respected and that only those types of cookies that you have previously accepted are implemented, Google's Consent Mode tool is used on the Website.

This tool allows Google to be informed, through the parameters explained below and some labels, which type of cookies you have accepted and, consequently, the behaviour of the labels is adjusted to respect your wishes.

Parametres	Description
ad_storage	Enabling storage, such as cookies (website) or device identifiers (applications), related to advertising.
ad_user_data	Establishing consent to send user data to Google for online advertising purposes.
ad_personalization	Establishing consent for personalised advertising.
analytics_storage	Enabling storage, such as cookies (website) or device identifiers (apps), related to statistics, such as length of visits.

You can find out more through the following link.

4. What types of cookies do we use?

Below, we explain which cookies you can find when browsing our Website and what they are used for:

4.1. Technical cookies

These first- or third-party cookies are used, for example: to identify you when you log in to your Customer Area, to remember or validate products that you use, to validate various transactions you perform with us (such as a transfer), to resolve technical errors or to control potential security threats to a service. They are necessary to ensure the optimal performance of the Website, our products and services and the security we provide.

What are they and what do we use them for?

Type	Cookie	Owner	Purpose	Duration
1st	Bmuid	Akamai	Performance. Required for user browsing.	1 hour
1st	cdContextld	Biocatch	Required to detect fraudulent cases.	Session
1st	cdSNum	Biocatch	Required to detect fraudulent cases.	1 year
1st	CONSENTMGR	Tealium	Required to know whether the user consents to cookies in the different categories.	1 year
1st	et_token	Openbank	Performance. Required for user browsing.	1 hour
1st	offlogToken	Openbank	Performance. Required for user browsing.	1 hour
1st	ok-cookiebite	Openbank	Performance. Required for user browsing.	1 year
1st	tokenCredential	Openbank	Access to Customer Area.	1 hour
1st	lastTimeStamp	Openbank	Required to save the timestamp (date) of the last session.	Session
1st	customerSessionId	Openbank	Session identifier in Customer Area.	1 hour
1st	rls	Openbank	Used to personalise the functionality for the user.	Session
1st	rnc	Openbank	Used to personalise the functionality for the user.	Session
1st	neruda	Openbank	Used to personalise the functionality for the user.	Session
1st	openbank_gdpr_geolocation	Openbank	Used to manage the location on ATM page.	2 days
1st	utag_main	Tealium	Required to load Tealium, the tool used to display the cookie consent modal. Saves the timestamp (date) of visit, a random number and the number of sessions of that random number.	1 year
1st	callmeback-form	Openbank	Collects the number of call me back form requests to trigger the captcha from a certain number.	Session
1st	fpc_referral	Tealium	Used to persist the referral from where our Website was accessed during the session in order to detect fraudulent cases	Session
1st	Language	Openbank	Required to identify the language selected by the user.	Session
1st	cardImageUrl	Openbank	Save url containing or redirecting to credit card image	Session
1st	jointHolderInvite	Openbank	Invitation of a user to be an intervener of another account	2 minutos
1st	roboAnalitycs	Openbank	Allows to determine if the user is in the process of taking out the robo-advisor service.	Session
1st	RASuitabilityStarted	Openbank	Allows to determine whether the user has started the robo-advisor service suitability test.	Session
3rd	DSSessionAttributes	DocuSign	Necessary to store the data required to manage the agreement signature.	Session
3rd	ssid	DocuSign	Necessary to store the data required to manage the agreement signature.	Session
3rd	__RequestVerificationToken_L1NpZ25pbmc1	DocuSign	Necessary to store the data required to manage the agreement signature.	Session
3rd	dtCookie	Dynatrace	Correlates user interactions during a visit for website performance monitoring and analysis	Session
3rd	dtLatC	Dynatrace	Measures server latency for performance monitoring purposes	Session
3rd	dtPC	Dynatrace	Assigns a session identifier to correlate device interactions with the website	Session
3rd	dtSa	Dynatrace	Stores the name of the actions performed by the user on the website to enable performance monitoring and analysis.	Session
3rd	dtValidationCookie	Dynatrace	Determines the top-level domain (last part of a domain name)	1 second
3rd	dtDisabled	Dynatrace	Determines whether Real User Monitoring Javascript (responsible for collecting user information on the website) should be disabled for cost, traffic control and website overload prevention.	Session
3rd	rxVisitor	Dynatrace	Stores an anonymous identifier that allows correlating the different visits of the same user to the website.	Session
3rd	rxvt	Dynatrace	Stores two timestamps to determine the duration and end of the session to monitor website performance.	Session

4.2. Analytics cookies

These first- or third-party cookies are used to perform statistical analyses of Website usage and to develop improvements that will enhance your browsing experience. For example, we monitor your visits in order to analyse and understand how you use our Website, to make it more intuitive and to quantify the impacts of advertising during your browsing.

Among the analytics cookies used on this Website are GOOGLE ANALYTICS cookies. GOOGLE ANALYTICS is a web analytics service provided by Google, Inc. Specifically, the use of Google Analytics allows us to monitor how visitors use the Website, collect reports and help improve the Website. For more information on how cookies work and are disabled, you can visit the Google Privacy Centre websites at https://policies.google.com/privacy?hl=en and the Google opt-out add-on at https://tools.google.com/dlpage/gaoptout?hl=en-GB. You may also revoke your consent to these, as explained in Section 7 below.

If you consent to the installation of web analytics or performance cookies on your device, please note that GOOGLE ANALYTICS cookies shall be installed. The installation of these cookies may result in Google making international data transfers to the United States, which may, in very isolated and specific cases, involve access to the data by this country’s authorities for investigative and national security purposes. However, as part of our high standards of privacy compliance, we inform you that we have signed the Standard Contractual Clauses approved by the European Commission on 4 June 2021 with Google Ireland and their subcontractors in the United States as a safeguard mechanism recognised by the GDPR with the aim of preserving the security of the data that may be subject to an international transfer. We also take additional measures to protect the confidentiality and integrity of personal information.

What are they and what do we use them for?

Type	Cookie	Owner	Purpose	Duration
1st	_ga	Google Analytics	Used to identify users.	2 years
1st	_ga_<container-id>	Google Analytics	Used to maintain the session status.	2 years
3rd	_gat_tealium_0	Google Analytics	Used to limit the percentage of requests.	Session
1st	_gid	Google Analytics	Used to identify users.	1 day
1st	fpc_idPreaprob	Openbank	Used to remember loan pre-approval to improve measurement.	Session
1st	fpc_tipoUsuario	Openbank	Used to remember if you are already a customer to improve measurement.	Session
1st	fpc_org	Openbank	Used to remember the origin of the session to improve measurement.	Session
1st	nombreProductoPersistencia	Openbank	Used to remember the product chosen in the session to improve measurement.	1 year
1st	TAPID	Tealium	Used to differentiate between sessions.	1 year
1st	TLTSID	Acoustic	Active only for the duration of a browser session, it is used to group visits in a session. The end user can decide whether or not to enable this cookie.	Session
1st	fpc_identificadorOnboarding	Openbank	Used to persist a unique identifier in onboarding during all steps in order to perform a correct measurement.	Session
1st	fpc_idPreaprobPP	Openbank	Used to persist a pre-approval id during the personal loan process in order to perform a correct measurement.	Session
1st	fpc_onboardingPromoCode	Openbank	Used to persist a promotion id during the onboarding process in order to perform a correct measurement.	Session
1st	fpc_productoOnboardingDetalle	Openbank	Used to persist a product during the onboarding process in order to perform a correct measurement.	Session
1st	fpc_tipoHipoteca	Openbank	Used to persist the desired mortgage type during the mortgage calculation process in order to perform a correct measurement.	Session
1st	utag_dr	Openbank	Used to persist information about the chosen mortgage during the calculation in order to perform a correct measurement.	Session

4.3. Preference cookies

These first- or third-party cookies allow us to remember your preferences from your previous visits. For example: the browser you use, your geographical region, the sections you have saved as your favourites and any content that is of interest to you.

What are they and what do we use them for?

Type	Cookie	Owner	Purpose	Duration
3rd	gtm_auth	Google Optimize	To generate A/B test to compare user behaviour between two versions of the same page.	Session
3rd	gtm_debug	Google Optimize	To generate A/B test to compare user behaviour between two versions of the same page.	Session
3rd	gtm_experiment	Google Optimize	To generate A/B test to compare user behaviour between two versions of the same page.	Session
3rd	gtm_preview	Google Optimize	To generate A/B test to compare user behaviour between two versions of the same page.	Session
1st	_gaexp	Google Optimize	To generate A/B test to compare user behaviour between two versions of the same page.	90 days

4.4. Behavioural advertising cookies

These first- or third-party cookies store information regarding your behaviour, obtained through analyses of your browsing habits, and allow us to personalise the advertising we show you based on your profile with the aim of making it more useful to you.

What are they and what do we use them for?

Type	Cookie	Owner	Purpose	Duration
1st	_fbp	Facebook	Used to identify browsers to provide advertising and website analysis services.	90 days
3rd	DDMMUI-PROFILE	Google	Used to track site conversions across all media channels and to create audiences from users who have been on the website, allowing us to show relevant ads through a DV360 account (Display programmatic).	2 years
3rd	ad-id	Amazon	Cookie ID in an internal binary format, stored for specific targeting.	33 months
3rd	Ad-privacy	Amazon	Used to remember your privacy preferences, such as advertising, and is related to the objection of cookies.	13 months
3rd	Aid	Google	Used to link activity across devices if you have previously signed in to your Google account on another device. This is done to coordinate the ads users see across devices and to measure conversion events. These cookies may be established on the following domains: google.com/ads, google.com/ads/measurement and googleadservices.com.	30 days
3rd	C_user	Facebook	Used to verify your account and determine whether or not you are logged in. This is to help you access Facebook products and to provide you with the appropriate experience and features.	1 year
3rd	DSID	Google	This cookie is similar to the AID cookie, which is used to link activity across devices when users have previously signed in to their Google account on another device. This is done to coordinate the ads users see across devices and to measure conversion events. These cookies may be established on the following domains: google.com/ads, google.com/ads/measurement and googleadservices.com.	1 year
3rd	Fr	Facebook	Used to show advertisements from companies and other organisations and to recommend them to people who may be interested in the products, services or causes they promote.	90 days
3rd	IDE	Google	One of the main advertising cookies on non-Google sites called and stored in browsers under the domain	2 years
3rd	SAPISID	Facebook	This Google security cookie is used to authenticate users, prevent fraudulent use of login credentials and to protect the data of users from unauthorised persons. They can also be found on the websites of advertisers that work with Google products, such as Openbank.	1 year
3rd	Sb	Facebook	Website and product security and integrity: used to protect Facebook products, your account and your data.	2 years
3rd	SID	Google	Google cookies. Google uses cookies, such as NIDs and SIDs, to help personalise ads on Google assets, such as Google Search results.	1 year
3rd	SSID	Google	Analysis by means of user identifier.	1 year
3rd	Test_cookie	Google	Used to confirm that your browser is able to accept cookies and it expires when you close your browser.	Session
3rd	Wd	Facebook	Performance: used to give you the best possible experience.	7 days
3rd	Xs	Facebook	Authentication: We use cookies to verify your account and determine whether you are logged in, in order to help you access Facebook products and show you the right experience and features.	1 year
3rd	MUID	Bing	A Microsoft cookie containing a GUID assigned to the browser. It is established when interacting with an asset, including a UET beacon call or a visit to a Microsoft asset through the browser.	13 months
1st	_uetsid	Bing	Random ID (session ID) generated by the UET tag that is unique to each domain and is used to improve the accuracy of conversion tracking.	30 days
1st	_uetvid	Bing	A unique, anonymous visitor ID, assigned by UET, representing a unique visitor.	1 year
3rd	AnalyticsSyncHistory	LinkedIn	Used to store information about the time a synchronisation was made with the lms_analytics cookie for users from the designated countries.	1 months
3rd	UserMatchHistory	LinkedIn	LinkedIn Ad ID synchronisation	1 month
3rd	dpr (Facebook)	Facebook	Performance: used to give you the best possible experience.	7 days
3rd	csrf (Facebook)	Facebook	Website and product security and integrity: used to protect Facebook products, your account and your data.	2 years
1st	_uetmsclkid	Microsoft	Ad-click information is generated at the time the ad is clicked on and added to the landing page URL when Microsoft's automatic click ID tagging is enabled. Format: GUID followed by an additional byte indicating whether or not the current value is new (unique to that session), e.g., "cdd4afcccb1c9a4cad9544dd7e5006d5"	90 days
3rd	fpc_s_id	Finance Ads	Used for the measurement of advertising. Tracking Cookie. No User-Profiling or Sensitive Data Storage is carried out. Used to attribute conversion to one publisher or another.	30 days
3rd	li_oatml	LinkedIn	Used to identify LinkedIn members outside of LinkedIn for advertising and analytics outside of designated countries and, for a limited time, advertising in designated countries.	30 days
3rd	lms_ads	LinkedIn	Used to identify LinkedIn members outside LinkedIn in designated advertising countries.	30 days
3rd	lms_analytics	LinkedIn	Used to identify LinkedIn members outside LinkedIn in countries designated for analytics.	30 days
1st	li_fat_id	LinkedIn	Indirect identifier of representatives for conversion tracking, retargeting and analytics.	30 days
3rd	li_sugr	LinkedIn	Used for the probabilistic matching of a user’s identity outside the designated countries.	90 days
3rd	U	LinkedIn	Browser identifier for users outside designated countries.	3 months
3rd	_guid	LinkedIn	Used to identify a LinkedIn member for advertising through Google Ads.	90 days
1st	li_giant	LinkedIn	Indirect identifier for LinkedIn member groups used for conversion tracking.	7 days
3rd	sunid	eMaS	They allow the user to be identified anonymously and their online behaviour to be tracked.	365 days
1st	fpc_faggregator	Finance Ads	Used for the measurement of advertising. Tracking Cookie. No User-Profiling or Sensitive Data Storage is carried out. Used to attribute conversion to one publisher or another.	30 days
1st	fpc_onbProductL	Openbank	Used to persist a product during the onboarding process in order to perform a correct measurement.	Session
1st	fpc_clickid	Tradedoubler	Used for advertising measurement. Used to persist an id in order to correctly attribute conversion from this advertiser.	30 days
1st	fpc_gclid	Google	Used to measure advertising. It is used to follow an ID in order to correctly attribute conversion from Google.	30 days
1st	fpc_dclid	Openbank	Used to measure advertising. It is used to follow an ID in order to correctly attribute conversion.	30 days
1st	_gcl_au	Google	Used to collect click-through parameters from advertising campaigns and tracks them in order to correctly attribute conversion.	90 days
3rd	bcookie	LinkedIn	LinkedIn security cookie to identify devices and avoid misuse of its platform.	1 year
3rd	li_gc	LinkedIn	Used to save consent for LinkedIn advertising purposes.	6 months
3rd	lidc	LinkedIn	Used to facilitate the choice of data centre where the other values are stored.	1 day
3rd	lang	LinkedIn	Used to remember language preferences for LinkedIn advertising purposes.	Session
1st	mbox	Adobe	Used to store anonymous identifiers on the browser.	2 years
1st	at_check	Adobe	Used to check if the ability to read and write cookies is enabled in the browser.	Session
1st	mboxEdgeCluster	Adobe	Used to store the correct server at the start of a browsing session.	30 minutes
1st	AMCV_<id>@AdobeOrg	Adobe	Used to save anonymous identifiers on the browser.	13 months
1st	AMCVS_<id>@AdobeOrg	Adobe	Used to store whether or not you are logged in.	Session
3rd	AEC	Google	Used by Google to ensure that browsing is done by the user and not by third parties and, therefore, prevent other sites from acting fraudulently, as if it were the user without their knowledge.	6 months
3rd	Secure-ENID	Google	Used to remember preferences and other information, such as the user's preferred language, number of search results and whether the Google Safe Search filter is turned on or off.	13 months
3rd	ar_debug	Google	Used in browser attribution reports for debugging purposes, allowing you to test and verify your attribution logic.	Session
3rd	Openbank!mboxPC	Adobe	Present when enabling the cross-domain functionality of Adobe Target for a browser.	13 months
3rd	Openbank!mboxSession	Adobe	Present when enabling the cross-domain functionality of Adobe Target for a session.	Session
3rd	receive-cookie-deprecation	Google	Used to distinguish whether the browser is part of Google Chrome's Privacy Sandbox initiative or not.	6 months

4.5. Product development and improvement cookies

These third-party cookies use information about your device and the type of browsing you perform in order to design and create algorithm-based behavioural models. For example, we analyse the data from your visits to our Websites in order to optimise the design of the products.

These models enable us to build user profiles so that we can send you marketing tailored to your interests. Further, on a more generic basis, we may predict your financial behaviour and suggest related Openbank products. For example, we can use data about your browsing to send you communications about events related to the pages you have browsed.

What are they and what do we use them for?

Type	Cookie	Owner	Purpose	Duration
1st	_ga	Google Analytics	Used to identify users.	2 years
1st	_ga_<container-id>	Google Analytics	Used to maintain the session status.	2 years
3rd	_gat_tealium_0	Google Analytics	Used to limit the percentage of requests.	Session
1st	_gid	Google Analytics	Used to differentiate between users	1 day

5. How long are cookies enabled for?

Depending on the type of cookies, and the information we provide about each of them, cookies may remain enabled for a longer or shorter time.

For example, session cookies are designed to collect and store data while you access a website. When the browser is closed or the session expires, these cookies disappear.

Persistent cookies, however, are still active when you leave the Website and when you go back to it. They will remain stored for the time indicated in each case, and you can delete them at any time.

6. Who processes or manages cookies?

Data collected by cookies may be managed by both Openbank and third parties. The explanation for each of the cookies found above indicates which cookies are our own (1st) and which cookies are third-party (3rd).

You may access the privacy policies of third parties that manage cookies on the Website by clicking on the links included directly in the explanation of each of the different types above (in the “Owner” column).

Please note that if you accept a third-party cookie and, for example, you access a YouTube video, YouTube can then set cookies using this code and it will know that you have watched that video, or even visited the page where the video is located.

7. I have accepted cookies but I now want to disable them. How do I do this?

You can easily and at any time reconsider your cookie preferences and even disable all categories of cookies except those technically necessary for the website to run properly, by clicking here.

Additionally, you may also allow, block and delete cookies and delete your browsing data, including cookies, at any time, from your browser. To do this, you will need to access your browser settings options via the links below:

You can also disable cookies in your browser by installing a plug-in or an opt-out system provided by some third parties who install cookies on our website, for example:

Adobe Analytics

Criteo

Google (behavioural advertising) (requires Google login)

Please note that some features of our Website content are only available if you allow certain cookies to be installed in your browser. If you choose not to accept, or to block, certain cookies, depending on their purpose, this may, wholly or in part, affect the normal operation of the Website or prevent access to certain services it offers.

8. Processing of personal data

8.1. Data Controller

Open Bank, S.A., with registered office at Plaza de Santa Bárbara 2, 28046, Madrid.

Contact details for the Data Protection Officer: privacy@openbank.es

Please find basic information on data processing below. Further information can be found at www.openbank.es/en/privacy-cookies.

8.2. Purposes of the processing and lawfulness

The purposes for which we process the personal data we obtain through cookies are indicated in section “4. What types of cookies do we use?”.

The use of technical cookies by Openbank is necessary to enable your browsing on our website. The legal basis for the use of other cookies is your consent, which you can manage by clicking here or as indicated in section “7. I have accepted cookies, but I now want to disable them. How do I do this?”

8.3. Recipients

We collaborate with third-party providers who may have access to your data to provide us with services which are always under contract. They will process the data in our name and on our behalf, following our instructions at all times. As an example, these may be Google or Tealium.

We make international transfers of your data, only in the context of some of the above-mentioned service provisions, both to countries providing an adequate level of protection, comparable to that of the European Union, as well as to countries that do not benefit from this level of protection. In the latter case, you do not have to worry. Openbank uses mechanisms established by regulations to comply with all guarantees, such as standard contractual clauses or certification mechanisms. You can view the international data transfers we carry out by clicking here, or by writing to privacy@openbank.es.

Furthermore, in relation to third-party cookies, we would like to remind you that they are either sent from a domain not managed by Openbank but by the relevant third party, or from our domain, in which case the information collected is handled by that third party. You can find more information on any messages provided by third parties, including international data transfers, if applicable, in their respective cookie policies.

8.4. Retention periods

Your data will be processed for the periods indicated in section “4. What types of cookies do we use?” - while your usage authorisations are still valid.

We will subsequently retain the data, which will be duly locked, for the timeframes legally established for actions arising from such authorisation, if required for a defence against any claim concerning our use of your data. After such periods, we will proceed to destroy the data.

8.5. Data protection rights

We hereby inform you that you have, and may exercise, the following rights: access, portability, rectification, erasure, opposition, restriction of processing, the right not to be subject to a decision based solely on automated processing. You can access more information on your rights at www.openbank.es/en/privacy-cookies.

Openbank is committed to keeping this Cookie Policy updated in order to collect any new information available in connection with the cookies we use. For this reason, it is important that you regularly spend time reading and making sure you understand it. For any relevant modification that we need to make, we will notify you in advance, at least through our website, so that you may be properly informed at all times.

10. Do you have any questions?

If you have any questions about the Cookie Policy on our website, you may contact us by writing to Plaza de Santa Bárbara 2, 28046, Madrid or by emailing privacy@openbank.es.

11. Finally, we suggest you:

- Check the Cookie Policy frequently for information on any changes.

- Read this Cookie Policy along with our data protection policy, which is also available on our website, where we explain how we process your personal data.