Information on data protection

Further information on data protection for customers

• Who is the data controller?
  

• Banco Santander, S.A (hereinafter "the Bank" or "Banco Santander").

  Postal address: C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid, Spain.

  Data Protection Officer/Privacy Office contact: privacidad@gruposantander.es

• What types of persons are covered by this document?
  

• This document applies to all persons who show an interest in or apply to the Bank for a product or service (pre-customer), as well as to those who have a legal relationship with the Bank, regardless of the type of involvement, whether they are contract holders (customers), guarantors, authorised persons or representatives, among others.

  The lawful basis for processing the main types of persons are as follows:

  
  

  			PERSONS
  		Pre-customer	Customer	Guarantor	Authorised persons and other persons	Representantive
  LAWFUL BASIS	Execution of a contract or pre-contractual measures	YES	YES	YES	YES	YES
  	Consent	As authorised	As authorised	As authorised	As authorised	No
  	Legitimate interests	YES, less commercial profiling	YES	YES, less commercial profiling	YES, less commercial profiling	YES, less sales actions, with the exception of sending advertising to representatives or contact persons of legal persons, and commercial profiling.
  	Legal obligation	YES	YES	YES	YES, less risk assessment	YES, less risk assessment

• What types of personal data do we collect and process?
  

• 1. If you are a customer or have applied to become a customer (pre-customer):
  • Identification and contact details: Identity document (Spanish tax ID (NIF), Spanish national ID (DNI), foreign registration number (NIE), non-Spanish identity document/corporate tax ID (CIF)), name and surname, customer number, address, residence, telephone numbers, email address.
    
    

    If you have used a digitised handwritten signature in your relations with the Bank in order to request services and/or complete transactions, we will retain the data obtained by digitising the handwritten signature (such as the order, intensity, speed, pressure and acceleration of the stroke), which will be used exclusively as evidence in the event of repudiation, in order to verify, by means of comparison, that the signature is yours, thus authenticating the customer in order to accredit the authenticity of the documentation or transaction that you are formalising with the Bank.

    In the event that you request video identification so that we can authenticate your identity during remote contracting processes, your image pattern, extracted from your photograph during the identification process and from that on your identification document, will be processed.
    
    Also, in the event you activate voice recognition for authentication on the telephone channel, your voice pattern will be processed in order to authenticate you every time that you call.

  • Data relating to your personal characteristics: gender, age, date of birth, marital status, dependents, place of birth, nationality.
  • Data relating to your social circumstances: hobbies, property and details of your residence, farm or premises (such as size, location and energy features).
  • Academic and professional or employment data: level of studies, qualifications, employment status, activity, profession, professional category, professional association memberships.
    
  • Economic, financial and solvency data: Current accounts and balance, financial and credit scoring, billing volume (self-employed), source of income, payroll data.
  • Data relating to transactions for goods and services: catalogue of all banking products acquired by the customer, such as credit or debit cards, funds, mortgages, shareholder status, etc., information from other banks or third-party companies (aggregation or payment initiation service – aggregation service – or payment bundling services), means of payment, and the use thereof.
  • Data relating to sales information: use of channels, contact preferences.
  • Transaction data: income, expenses, balances, payments, transfers, direct debits, invoices, notes and movements of contracted products, including the origin, destination, item and third party related to the transaction, location where it is carried out and the date and time.
  • Data on your location, if you have consented to activate the geolocation service on your device.
  • Data about your online behaviour and preferences: for example, pages you visit, browsing habits, your computer's IP address or mobile device ID, device model, online identifiers, whether you have consented to the processing described in our Cookies Policy, available on our website https://www.bancosantander.es/en/politica-de-cookies.
  • Data about your interests that you share with us: for example, when you contact our managers via an enquiry call, when you carry out a simulation of our products and/or services.
  • Data relating to the devices from which you access the customer area of the Bank: device model and operating system.
  • Audiovisual data: for example, when we record your voice during a telephone conversation with our managers.
  • Sensitive data: if you have provided us with such data in the context of your relationship with the Bank, we will process your health data relating to your degree of disability, and other information relating to your situation of vulnerability, for the purposes provided for in the regulations on this matter.
  • Information on data from external sources is detailed in the section "How do we obtain your data?".
  1. If you are a guarantor:
  • Identification data: Identity document (NIF, DNI, NIE, non-Spanish identity document/CIF), name and surname, customer number, address, residence, telephone numbers, email address.
  • If you have used a digitised handwritten signature in your relations with the Bank in order to request services and/or complete transactions, we will retain the data obtained by digitising the handwritten signature (such as the order, intensity, speed, pressure and acceleration of the stroke), which will be used exclusively as evidence in the event of repudiation, in order to verify, by means of comparison, that the signature is yours, thus authenticating the customer in order to accredit the authenticity of the documentation or transaction that you are formalising with the Bank.
  • Personal characteristics: date of birth, place of birth, nationality
  • Social circumstances: property and details of your residence, farm or premises
  • Employment details: employment status, activity, profession, professional category
  • Sales information: use of channels
  • Economic, financial and insurance data: Financial and credit scoring, billing volume (self-employed), source of income, payroll data.
  • Information on data from external sources is detailed in the section "How do we obtain your data?".
  1. If you're an authorised person or representative:
  • Identification details: Identity document (NIF, DNI, NIE, non-Spanish identity document/CIF), name and surname, customer number, address, residence, telephone numbers, email address.
  • If you have used a digitised handwritten signature in your relations with the Bank in order to request services and/or complete transactions, we will retain the data obtained by digitising the handwritten signature (such as the order, intensity, speed, pressure and acceleration of the stroke), which will be used exclusively as evidence in the event of repudiation, in order to verify, by means of comparison, that the signature is yours, thus authenticating the customer in order to accredit the authenticity of the documentation or transaction that you are formalising with the Bank.
  • Personal characteristics: date of birth, place of birth, nationality
  • Academic and professional details: employment status, activity, profession, professional category
  • Sales information: use of channels
  • Information on data from external sources is detailed in the section "How do we obtain your data?".

  
  Regardless of the nature of your relationship with the Bank, the Bank will not collect or process special categories of data concerning you (e.g. data relating to your health, ethnic origin, religious beliefs or political opinions), unless this is strictly necessary in order to manage the service contracted or requested; for example, because you have paid your union dues directly from an account with our Bank or you have specific contractual conditions arising from your situation of vulnerability.

  Finally, the Bank will not collect or process data from minors, unless they have contracts with the Bank, either directly or on behalf of their parents or guardians. The processing of such minors' data shall be limited exclusively to the maintenance and monitoring of the product or service contracted.

• How do we obtain your data?
  

• The Bank obtains your data through the following sources:

  1. Directly from you, through the information that you provide when you request, contract, maintain and make use of products and/or services with us or marketed by us, both directly and indirectly and through any of the channels that the Bank makes available to you (branch, telephone channel, online services, etc.). Examples include: through enquiries, transactions, operations, simulations or applications for such products or services. In addition, subject to obtaining your consent, we may obtain personal data about you when you browse our websites and mobile phone applications, via the use of cookies or any other type of online identifier or Wi-Fi service systems, or through the fingerprint of your device or terminal.
  2. In some cases, such as, for example, the contracting of a product or service with several parties involved or in which the holder is a legal entity and you are a proxy, representative or employee of such entity, your data may be provided by one of them. In these cases, such third parties should be aware that, prior to the communication of your data, they are obligated to inform you of the transfer and, where appropriate, to have obtained your authorisation.
  3. Exceptionally, in order to comply with anti-money laundering and counter-terrorist financing due diligence obligations, we may use information already in the Bank's possession (for example, payroll orders made to the Bank by your employer) to verify the information that you have provided to us on the customer identification form.
  4. External information sources:
  • Central de Información de Riesgos del Banco de España (Bank of Spain Risk Information Centre, or CIRBE), from which we obtain solvency information about you.
  • Credit information systems of which the Bank is a member, such as Asnef-Equifax Servicios de Información sobre Solvencia y Crédito S.L. (Asnef), Experian Bureau de Crédito, S.A. (Experian) and the Registro de Aceptaciones Impagadas (Register of Bad Debt, or RAI), which provide information on solvency, delinquency and, in general, financial or credit risk indicators.
  • Fraud prevention information systems, such as Sociedad Española de Sistemas de Pago, S.A. (Iberpay), Confirma Sistemas de Información S.L. (Confirma) and telecommunications operators.
  • Specialised information files or public sources available on the internet relating to the prevention of money laundering and terrorist financing, from which the Bank obtains information on its customers who hold or are involved in accounts, legal representatives and beneficial owners of accounts.
  • Publicly accessible sources such as official state bulletins and newspapers, public records, government resolutions, telephone books and lists of persons belonging to professional associations.
  • The Spanish General Treasury of the Social Security (TGSS), to verify your source of income.
  • The Spanish Tax Agency (AEAT), in the event that you have provided us with your Secure Verification Code and have authorised the Bank to use it in the virtual office of the AEAT's website in order to download your tax data, so that the Bank can check its veracity for the purposes of analysing the application for the transaction in question.
  • Investment service companies when they deposit their customers' cash with the Bank, for the purposes of determining the bases for calculating contributions to the Spanish Deposit Guarantee Fund for Credit Institutions.
  • Third-party companies to which you have given your consent for the communication of your personal data to the Bank (for example, insurance companies or entities with which the Bank enters into collaboration agreements through which they obtain your consent for the communication of your personal data to Banco Santander, including Social Networks; Spanish universities to which you, through their corresponding mobile applications, have given your consent for the communication of your personal data to the Bank for commercial purposes; or entities to which you have given your consent to the use of cookies or similar technologies involving the communication to the Bank of your information collected by means of such technologies).
  • Third-party companies that provide services to you when necessary for the execution of a contract with the Bank or the implementation of pre-contractual measures requested by you; such as, for example, payment aggregation or payment initiation services (aggregation service), payment bundling services, prescription services for mortgages or other financial products, a request for information or aggregation of information on payment accounts or services as part of a credit application, or the verification of the requirements for a promotion involving a product or service contracted or applied for.
  • In addition, if you've provided your consent for this purpose, we may obtain personal data on your browsing through the company web pages of the Santander Group or companies who provide commercial information, collected via the use of cookies or any other type of online identifier or Wi-Fi service systems, or through the fingerprint of your device or terminal.
  • Your client, if you are acting as a representative or an authorised individual for a company, entity or another individual.
  • Valuation agencies, if you provide us with your own valuation in the context of a mortgage loan application, so that we can verify its authenticity automatically via the valuation agency issuing the report.
  • Administrative offices: in the event that you request a mortgage loan/credit from us, we will obtain information from them regarding the total costs associated with said transaction, including related transactions, so that you can make an informed decision, all in compliance with the recommendations provided by the Bank of Spain.

• For what purpose and on what lawful basis do we process your personal data?
  

• The different purposes of Banco Santander data processing are set out below, distinguishing between (i) pre-customers and customers, (ii) guarantors and (iii) authorised persons or representatives:

  I. If you are a customer or have applied to become a customer:

  1. Management of the pre-contractual and, where appropriate, contractual relationship with respect to the Bank's products and/or services that you've contracted.

     
     When you are interested in any of the products or services offered by the Bank and request information about them and/or the initiation of a contracting process, we will process your personal data for the purpose of assisting you and answering your queries or questions, processing your request and carrying out the preliminary procedures necessary to proceed with such contracting (for example, providing you with information and advice relating to the product or service in which you are interested or assessing the feasibility of your contracting request).

     In addition, we will communicate your data to other Santander Group companies and third-party affiliates and/or companies that collaborate with Santander Group (for example, insurance companies, financial asset managers or venture capital companies), in the event that you, as a customer of the Bank, carry out processes to simulate the contracting of any of these entities' products and/or services marketed by the Bank and/or actually contract said products, or in cases where you are a joint customer of the Bank and such entities, when the purpose of the data communication is the maintenance and development of the contract that you hold with the aforementioned entities. In these cases, the communication will only affect a limited amount of data that the Bank has regarding you, which is, specifically, the data strictly required for drawing up the agreement and/or executing/developing it: NIF, gender, age, address and direct debit information; and, in some cases, also your risk profile, email address and telephone number. The purpose of this is, on the one hand, to make it simpler and more agile to arrange products through the Bank that are marketed by the Bank but provided by other Group companies or third-party affiliates, taking your condition as a Bank customer into account; and on the other hand, for those companies of which you are also a customer, to have your contact details in order to send you information relevant to the development of your contractual relationship.

     Likewise, in those cases in which a customer applies for financing through the funds of the Instituto de Credito Oficial (Spanish Official Credit Institution), the European Investment Bank, the European Investment Fund or Public Administrations, we will process your personal data for the purpose of managing such application and assessing whether such financing is processed through the funds of the Bank or of the aforementioned entities. Once the financing has been formalised, if applicable, your personal data will be communicated to the Instituto de Crédito Oficial, the European Investment Bank, the European Investment Fund or the Public Administration in question, as appropriate, in order to know which part of the loan is being drawn down by the Bank.

     The lawful basis of this processing is your request for the adoption of pre-contractual measures aimed at contracting any of the products and/or services offered by the Bank or its Group companies.

     In addition, when you contract any of the Bank's products and/or services (assets, liabilities, finance, investment, pension plans, leasing and renting services, etc.), we will process your personal data for the following purposes:

  • To proceed with the signature, maintenance, development and execution of the contract. This also includes the processing of your personal data in order to organise the portfolios of the Bank's various customers and assign each portfolio to a specific manager.
  • To send out informative communications strictly related to the products or services that you have contracted and the operation of these products and services, including the verification of unusual account activity.
  • Where appropriate, to carry out the necessary actions to recover and pay any debts that you may have with the Bank, including updating the data that has already been provided by the debtor.
  • To carry out the new customer onboarding process and provide access to the Bank's digital channels.
  • To provide you with the services that you request from us or that are incorporated into the Bank's digital channels, including the payment aggregation or initiation service(aggregation service), payment grouping services, the performance of transactions and the management of (i) any type of query, claim or incident that may arise from the contractual relationship entered into and (ii) the services offered by ATMs (for example, withdrawals and deposits into accounts, payments of taxes and bills, viewing account activity, transfers, mobile top-ups or password recovery).

  
  The lawful basis for this processing is the execution of the contract signed between you and the Bank.

  In addition, the Bank may share information associated with the updating of your personal data with the companies, third-party collaborators and/or affiliates of the Santander Group, whose products it markets and/or shows you in your Customer Area of the Bank (website and app) or regarding which you may request information from your manager. In other words, if you update your personal data through the Bank, the Bank may provide the updated data to others.
  
  You can view the full list of Group companies and Santander Group third-party partners and/or affiliates to which we disclose your data by requesting it from your branch or via the following link: http://bsan.es/sociedades_banco_santander.

  The lawful basis of this processing is the legitimate interest of having all the information updated in all entities of the Santander Group, as well as in the Group's collaborators and/or affiliates whose products are marketed by the Group, without it being necessary for the Data Subjects to request said update for each of them.

  The Bank may also use your customer contact details to keep your shareholder information up to date.

  The lawful basis for this processing is the legitimate interest of the Bank in fulfilling its legal obligations and in facilitating the exercise of the shareholder's rights.

  Likewise, in relation to debt recovery activities, it is possible for the Bank, either directly or through companies with which it contracts such a service, to obtain data in addition to that provided by the debtor at the time of contracting, in order to facilitate their tracing or improve knowledge of their debt payment possibilities; this also includes the performance of actions to ascertain the solvency of debtors, through access to information on their assets and properties, all with the aim of recovering and paying the debt.

  The lawful basis for such processing would be the Bank's legitimate interest in ensuring the fulfilment of the payment obligations previously assumed by its customers with the Bank.

  1. Compliance with the Bank's legal obligations

     
     We will process your personal data to comply with the legal obligations applicable to the Bank, such as:

  • Anti-money laundering and counter-terrorist financing obligations.
    
    To comply with these obligations, the Bank will process the data required to comply with the due diligence obligations set out in the applicable regulation. In the event that you request your registration as a customer through the video identification system (remote registration), the Bank will process your data in order to verify your identity and authenticate you. Likewise, for these purposes, the Bank will share your personal data with other Santander Group companies and to third-party affiliates and/or collaborators of the Group that have delegated compliance with anti-money laundering and counter-terrorist financing obligations to the Bank, under the terms set out in said regulations.
    
    Additionally, the Bank may process data that is necessary to analyse transactions carried out that may present signs of money laundering or terrorist financing, and will carry out the relevant communications, where appropriate, with the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC) by (i) regularly reporting on transactions that comply with specific requirements set by SEPBLAC or (ii) requesting specific information on a transaction.
  • Tax obligations imposed by the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS) in relation to the automatic exchange of information obligation, which obliges the Bank to identify, classify and report certain financial accounts of customers who have legal obligations in the US in the case of FATCA and, in the case of CRS, to different financial authorities located in the jurisdictions participating in this standard. Likewise, for these purposes, the Bank will communicate your personal data to other Santander Group companies and to third-party affiliates and/or collaborators of the Group whose products or services the Group markets and that have expressly delegated compliance with these tax obligations to the Bank, under the terms set out in said regulations.
  • Obligations regarding responsible lending and protection of mortgage borrowers, debt restructuring and social housing. For these purposes, the Bank may process your data to verify and evaluate your solvency and credit risk, establish measures in case you are in a situation of vulnerability, assess the risk of payment default on the transactions that you maintain – as in the case of new transactions that you request from us – and the creation of risk models, including economic and personal information available from companies that provide information on solvency, delinquency and general indicators of financial or credit risk to which the Bank has access or has obtained through the aggregation service when you have consented to it.
  • Legal obligations imposed by MiFID (Markets in Financial Instruments Directive) regulations, which aim to assess your knowledge and experience in the financial markets, your financial situation and investment objectives, and which include the recording of any telephone conversations that end or may end with the closing of an investment services transaction. Likewise, for these purposes, the Bank will share your personal data, in particular the result of the evaluation of your knowledge and experience in the financial markets, with other Santander Group companies and third-party affiliates and/or collaborators, whose products or services the Group markets and which have expressly delegated compliance with these investment obligations to the Bank and which should have this information at their disposal, under the terms set out in said regulations.

  
  Occasionally, in order to comply with the obligations mentioned in the two previous points, the Bank uses an automated risk assessment system, which uses a scoring logic that takes into account its information. This system is based on the application, to each Data Subject, of previously designed algorithms, which automatically assign a score according to three different risk levels, as defined in the Bank's customer risk classification policy. This classification allows us to comply with regulatory requirements in terms of risk monitoring, solvency control, regulatory capital calculation, accounting standards (provisions) and responsible lending standards.

  By way of example, the Bank may use fully automated means to verify and evaluate your solvency and credit risk, both to assess the risk of payment default on the transactions that you maintain, as well as in the case of new financing transactions that you request from us.

  Similarly, and also by way of example, the Bank may make decisions based solely on the automated processing of your data when you complete questionnaires to assess your knowledge, experience, financial situation and investment objectives.

  The Bank submits this system to periodic reviews to avoid any possible mismatch, error or inaccuracy in this assessment. Notwithstanding the above, if you do not agree with the result of the assessment, you may challenge the decision by providing the information that you consider appropriate, as well as by requesting the personal involvement of one of our risk analysts.

  • Commercial, corporate and tax obligations and obligations of any kind imposed by the supervisory bodies and competent authorities (for example, the European Central Bank, the Bank of Spain, the Spanish National Markets and Competition Commission or the Spanish Data Protection Agency).

  
  The lawful basis for this processing is compliance with the legal obligations applicable to the Bank.

  1. Consultation of credit information systems and communication of payment defaults to them

     
     When you apply for a mortgage loan, the Bank may consult the information about you that appears in CIRBE and the credit information systems to which it is has access (for example, Experian, Asnef and RAI), in order to evaluate your solvency and credit risk and assess the viability of your mortgage loan application.

     Likewise, we will consult the content of the aforementioned credit information systems in the event that the aforementioned contracts are entered into and until they are terminated.

     When you hold credit risks with the Bank, either directly (holder) or indirectly (guarantor of a risk product), we will share your data with the CIRBE, including data relating to the characteristics of the risks.
     
     The lawful basis for consultation with and communication to CIRBE and the consultation of credit information systems is compliance with the legal obligations established by the regulations governing the financial system and real estate credit, in order to comply with the principles of responsible lending and minimisation of credit risk.

     We will also consult such credit information systems when you enter into a contract with us or apply to enter into a contract with us involving financing, deferred payment or periodic billing (e.g. loans or credits) or a contract that supports overdraft credit (e.g. an account) for the same purpose.

     Additionally, if you default on any payment, we may notify credit information systems to which we have access, such as Experian, Asnef and RAI, in compliance with the procedures and guarantees set out in current legislation at any time.

     The lawful basis for this processing is the Bank's legitimate interest in complying with appropriate control and preventing default situations, helping to safeguard the financial system and the economy in general insofar as it allows third-party entities access to solvency information when they have to analyse the solvency of applicants for risky transactions, as expressly established in the regulations governing the protection of personal data.

  2. Prevention and investigation of fraud

     
     We will process and/or share your data with third parties, whether or not they are Santander Group companies (for example, Confirma, Iberpay and telecommunications operators), to detect and analyse possible fraudulent activity, identify and learn about the participants in such activities, and, where appropriate, take relevant action.

     For this purpose, in cases in which you are a customer of both the Bank and other Santander Group companies and/or third-party affiliates and/or collaborators of the Group, the Bank will share your personal data with such companies and entities, in order to ensure compliance with the Group's management policies relating to the prevention and investigation of fraud.

     Likewise, in the event that you activate the voice recognition service for authentication on the telephone channel, the Bank will process your data for the purpose of authenticating your identity and preventing fraud.

     The lawful basis for this processing is the Bank's legitimate interest in preventing, investigating and/or discovering fraud.

  3. Preparation of a commercial profile

     
     We will process your data to create a commercial profile for you, which will allow us to:

  • Analyse the preferences, behaviours and needs of the Bank's customers related to the products and services offered by the Bank, as well as their propensity to contract or terminate products and services.
  • Present you with a personalised offer of financial products and services, as well as insurance products marketed by the Bank that are related to the products that you have already taken out, taking into account what you have taken out and your habits as a customer.
  • Make observations and recommendations about the products and services that you have already taken out and others that we believe may be of interest to you.
  • Detect potentially vulnerable clients early in order to assist them by adopting protection and support measures adapted to their personal circumstances.
  • Perform an analysis of your transactions and spending habits in order to provide you with information, advice or personalised warnings about them in order to optimise them (such as calculating your carbon footprint, analysing how you're spending your money, calculating your savings capacity, etc.), as well as to identify products and services that could be useful for this purpose.
  • Select cultural and sporting events sponsored by the Bank or Santander Group companies that may be of interest to you.

  
  For these purposes, we will only use internal sources, i.e. we will only process the information that you provide us with and which derives from your contractual and commercial relationship with the Bank: transactional data of the products and/or services that you have taken out with the Bank; information about your interests that you share with us, either through telephone calls with our managers or through your online behaviour (as detailed in section 13); simulations; savings rules that you set; requests for information or the contracting of our products and services; data on your savings and debt capacity in order to analyse your behavioural patterns and habits; data relating to the devices from which you access your Customer Area of the Bank; and geolocation data when you consent to its collection. In particular, we will consult the information that we have on the management of the services we provide you with or the products that you have contracted or maintained in the last year, including the information resulting from the risk models described in section 2, as well as whether you are a shareholder of the Bank.

  The lawful basis for this processing, aimed at identifying your needs regarding the products, services, recommendations, advice and information best suited to your personal characteristics and habits, is the Bank's legitimate interest in improving the quality of the service that we provide, as well as improving the conditions of the products or services that you have taken out or may take out in the future, tailoring them to your needs.

  Should you consent thereto, we will expand your commercial profile prepared by the Bank, sometimes using additional information from external sources (including third parties with whom you have consented for us to share your data, the payment aggregation or initiation service (aggregation service), payment bundling services; and the other sources mentioned in the section "How do we collect your data?"), so that we can present you with a more personalised product and service offering, based on said profile.

  This processing of existing information with the Bank, arising from your contractual relationship therewith and, where appropriate, additional information collected by external sources, allows for the preparation of a more detailed analysis of your preferences, behaviours and needs than that set out on the basis of the Bank's legitimate interest, and will be used to determine, more precisely, which products and services are better suited to your needs.

  The additional information that we process and, where appropriate, collect from external sources will relate to personal characteristics, social circumstances, academic and professional data, employment details, commercial information, location information, economic and financial data, insurance-related data and data in relation to transactions for goods and services, including transactional data relating to the aggregation service.

  The lawful basis for this processing is the consent provided by means of ticking the box established for this purpose on the form made available to you.

  1. Inclusion in loyalty actions, promotions and competitions/draws

     
     We will process your data to make loyalty phone calls, send you invitations to events and include you in loyalty actions, promotions, offers and competitions/draws that the Bank promotes among its customers, based on products that you have taken out. For example, the Bank may enter you in a draw in which you may be a winner for simply having used a card issued by the Bank as payment for your purchases or for making use of other services offered by the Bank during the promotion period.

     To do this, we will use your personal identification data and the data from the profile creation described in section 5 above, according to your preferences.

     The lawful basis for this processing is the Bank's legitimate interest in building customer loyalty and increasing customer satisfaction and loyalty.

  2. Management of administrative, preliminary ruling and judicial proceedings

     
     Where appropriate, we will process your personal data for the defence of the Bank's rights and interests in any administrative, preliminary ruling and/or judicial proceedings arising out of or linked to the relationship with you.

     The lawful basis for such processing is the Bank's legitimate interest in guaranteeing and exercising its right to effective judicial protection.

  3. Verification of the quality of the services provided

     
     The Bank processes the personal data of our customers for the purposes of carrying out procedures to review, audit and improve the quality of the services provided. This includes: (i) performing satisfaction surveys and analyses of the results; (ii) recording your voice and/or image and saving telephone conversations and/or video calls, only in cases where we expressly indicate this to you; (iii) performing market research through in-person surveys, the aim being to ascertain customers' perception and appraisal of existing and new products.

     The lawful basis for this processing is the Bank's legitimate interest in following a process of continuous improvement as regards the services provided to customers, prospective customers, users and any other interested persons who may contact the Bank, and guaranteeing, in any case, that said service is delivered to a high level of quality, on the part of the Bank as well as the suppliers that provide you with customer service.

  4. Preparation of reports on customers or with customers' personal data

     
     The Bank processes the personal data of our customers in order to prepare reports of a varied nature:

  • Customer monitoring: defaults, delinquency, refinancing, changes in scoring, etc. Although these reports generally contain aggregate information, they may occasionally include information on identified customers.
  • To produce liquidity and interest reports at the aggregate level, for internal use and, where appropriate, for submission to the supervisor.
  • Credit and operational risk.
  • Analysis of the Bank's risk acceptance activity (financial, non-financial and operational).
  • Conducting audits and reviews of the Bank's internal control.
  • Impact of non-performing loans on the Bank's profit and loss.
  • Follow-ups on commercial strategies and other business analyses, in order to monitor and develop them.
  • To obtain aggregate information in order to prepare statistical studies and business analyses of various kinds, e.g. on the use of the private channels that the Bank makes available to its customers or on the most significant transactions (e.g. the largest fluctuations in incoming or outgoing balances) and complaints that have been lodged at each of the Bank's branches.
  • To prepare internal reports and other reports of an aggregate (for example, business indicators, operational risk) and statistical nature.
  • Sustainability and energy efficiency analysis. In particular, we will process data in order to estimate the calculation of the carbon footprint from the transactions carried out, and to produce reports or statistics on environmental impact and energy efficiency.

  
  The lawful basis for this processing is the Bank's legitimate interest in increasing its knowledge of its customers, in being able to offer them a better service and advice on the products that they have contracted, in obtaining information on the state of the business that contributes to better corporate, strategic and commercial decision-making, and in maintaining adequate internal management of the Bank and of the business group to which it belongs.

  1. Producing statistics and analytical models

     
     At the Bank, we process the personal data of our customers for the purpose of producing statistics and analytical models, and in particular to:

  • Generate and develop predictive commercial analytical models.
  • Generate and develop models for personal data quality control and for the consistency of internal reporting quality.
  • Prepare statistical studies and business analyses that help to improve processes and operations.
  • Monitor and analyse the Bank's customer portfolio.

  
  In order to minimise the processing of personal data, the Bank uses encryption, aggregation, disassociation, anonymisation and/or pseudonymisation techniques, provided that they do not impair the reliability of the results.
  
  The lawful basis for this processing is the Bank's legitimate interest in gaining knowledge of its business and tailoring its product and service offerings to the needs of its customers, and in improving the Bank's commercial offering through the production and development of predictive and estimative analytical models and algorithms, all with the aim of optimising the services provided.

  1. Performance of sales actions

     
     At the Bank, we will process your personal data to inform you of the products available to you at the Bank, as well as to send you – by post, email and telephone – commercial communications, both general and segmented or personalised based on your commercial profile (as detailed in section 5 above), about the products and/or services marketed by the Bank, including the sending of greetings on specific dates.

     The lawful basis for this electronic processing with respect to the Bank's own products is Article 21.2 of Spanish Law 34/2002 of 11 July on information society services and electronic commerce, which authorises the sending of such communications when there is a prior contractual relationship, provided that the sender has lawfully obtained the recipient's contact details and uses them to send commercial communications referring to products or services of its own company that are similar to those that were initially contracted with the customer.

     The lawful basis for this processing by other means is the Bank's legitimate interest in keeping you informed of its products and services and those it is marketing.

     For the purposes of this privacy policy, "marketed products" are understood to be those of a financial nature, such as investment funds, pension plans, factoring and confirming products, deposit accounts, mortgages and POS terminals, which are distributed by the Bank.

     Additionally, should you consent thereto, we will process your personal data in order to perform sales actions – both general and personalised – based on your commercial profile (as detailed in section 5 above), such as (i) sending you, by electronic means (email, SMS, among others), sales information regarding products and/or services marketed by the Bank, (ii) offering you products and services from third parties, including Santander Group companies or its affiliate companies, or sold by these companies but not distributed by the Bank, and (iii) informing you about the advantages of third-party products and/or services that you could benefit from by being a customer of the Bank and which do not form part of your contractual offer. You may receive these sales actions via any means, including electronic means (email, fax, SMS, social media, mobile applications, etc.). This consent will be valid even once your relationship with the Bank has terminated, for a period of 12 months, unless revoked by you.

     In order to perform the commercial actions described in the above paragraph, we will use your identifying personal data in addition to your personal data arising from the preparation of profiles described in section 5, according to your preferences.

     The partner and/or affiliate companies whose products may be the subject of the sales actions belong to the following sectors: finance and insurance, consumer goods, training, education and culture, employment, house and home, health and beauty, hotels and travel, software, telecommunications and technology, automotive, consultancy services, property and development, leisure and free time, ticket sales for events or similar, security, textiles and fashion, catering, food, fishing and livestock, agri-food, sport, energy, repairs and maintenance, transport, logistics, administration, consultancy and advisory services, office supplies and equipment, business, industry, healthcare and social services.

     The lawful basis for this processing is the consent provided by means of ticking the box provided for this purpose on the form made available to you.

  2. Communicating personal data to Santander Group companies, affiliate companies thereof or partner companies thereof to perform sales actions

     
     Should you provide your consent for this purpose, we will transmit your data to Santander Group companies, as well as affiliate companies thereof (e.g. insurance companies and financial asset management companies) and partner companies from the sectors outlined in the above point, so that these companies may perform both general and tailored sales actions in relation to their products and services or those of the Bank.

     So that the above-mentioned companies may offer you tailored products and services, in addition to your identifying and contact information, we will send them the data relating to your commercial profile, described in section five above. These sales actions may be received via by any means, including electronic means (email, fax, SMS, social media, mobile applications). For further information, see the section "With whom do we share your data?".

     The lawful basis for this processing is the consent provided by means of ticking the box established for this purpose on the form made available to you.

  3. Use of cookies and similar technologies on the Bank's website and app

     
     The Bank uses its own and third-party cookies and similar technologies on its website and app for the following purposes:

  • To remember information so that the user can access the service with certain characteristics that may differentiate their experience from that of other users.
  • To monitor online sales processes, through the web and the app, with the aim of improving sales processes so that they are more intuitive for the customer.
  • To carry out tests, with various stakeholder segments, to check the effectiveness of the modifications introduced in the online sales processes.
  • To analyse user browsing, to detect the point at which users abandon the contracting process, to classify them according to their propensity to contract a product or service depending on how far they have progressed in the process and, if necessary, to contact interested parties so that they can continue with the process.
  • To track and analyse user behaviour, including quantifying ad impacts, to measure web and app activity, in order to make improvements based on the analysis of user usage data.
  • To store information on the users' devices and behaviour obtained through the ongoing observation of their browsing habits, in order to create a specific profile for displaying advertising in accordance with this profile.
  • To share a unique identifier with third parties in order to, on the basis of your commercial profile created by the Bank, show you personalised advertising about our products and services on those third parties' platforms.
  • To monitor our commercial campaigns in order to measure their effectiveness.

  
  For these purposes, the Bank uses both aggregated and individualised data.

  For more information about the cookies used by the Bank and the type of information collected through them, you can consult the Cookies Policy.

  The lawful basis for this processing is the consent given by the user to allow the use of cookies on the Bank's website and/or app.

  II. If you are a guarantor:

  When you apply as guarantor for a customer or potential customer of the Bank, we will process your personal data as described in paragraphs 1, 2, 3, 4, 5 (with consent), 7, 8, 9, 10, 11, 12 and 13 of section "I. If you are a customer or have applied to become a customer".

  III. If you are a representative, authorised person or party involved in a contract:

  1. Processing of contact data for the management of the contractual relationship

     
     If you are an authorised person or a party involved in a contract of a customer of the Bank (as guarantor, proxy, usufructuary, guardian, etc.) or act as a representative of an individual or a legal entity, we will process your contact information in order to maintain, manage and execute the contractual relationship entered into with that person.

     The lawful basis for the above processing is, in relation to persons acting as representatives of individuals, the execution of the contract; and, in the case of representatives of legal entities, the Bank's legitimate interest in maintaining, managing and executing the contractual relationship entered into with such entities.

  2. Acceptance of credentials

     
     We will process your personal data for the purpose of verifying your credentials and powers of representation by means of acceptance.
     
     The lawful basis for the above processing is, in relation to those acting as authorised persons, the execution of the contract; and, in the case of representatives of legal entities, the Bank's legitimate interest in maintaining, managing and executing the contractual relationship entered into with such entities.
     
     In addition, we will process your personal data as described in paragraphs 1, 2, 4, 5 (with consent only for authorised persons or parties involved in a contract; representatives are excluded), 7, 8, 9, 10, 11 (representatives of natural persons and processing with consent of representatives or contact persons of legal entities are excluded), 12 (with consent only for authorised persons or parties involved in a contract) and 13 of section "I. If you are a customer or have applied to become a customer".

• Is it compulsory to provide your data?
  

• Provided that you wish to take out a product or service with the Bank, you will be required to provide your data and ensure that it is kept up to date and, at any given time, corresponds to your current circumstances.

• What happens if you do not want to provide your consent?
  

• If you do not authorise the processing of your data in cases where your consent is requested, or you wish to revoke your consent at any time, this will not affect the maintenance of or compliance with your contractual relationship with the Bank. In addition, please note that, even if you do not authorise the processing already referred to, specific grounds on which you are able to receive sales communications from the Bank may exist, either on the basis of the legitimate interest thereof (provided that you have not asserted your right to object) or in cases provided for by the law in force.

• How long do we keep your data?
  

• We will process your personal data for as long as the contractual relationship remains valid and remains necessary for the purpose for which it was collected.
  
  If you cancel all your contracts, we will store your data for the purposes of sending you, by electronic means, sales communications regarding the Bank's products and services that are similar to those that you had taken out, unless you have asserted your right to object to this type of communications.
  
  In addition, if you had consented thereto, we will continue to process the data for the purposes of sending you sales communications about products and/or services sold by the Bank, and about products and/or services from third parties, including Santander Group companies and its affiliate companies.

  
  This all applies for a period of 12 months following the end of the contractual relationship.
  
  However, you may object, as well as revoke your consent to processing for the purposes mentioned at any time, as detailed in "What are your rights when you provide us with your data?".
  
  When your personal data become no longer necessary for the purposes set out in this document, we will store it, duly encrypted, which will mean that the Bank will not carry out any processing other than storing the data to make it available for the competent public administrations, judges and courts, or the public prosecutor's office, for any possible liabilities arising from the contractual relationship maintained or related to the data's processing. We will keep your encrypted data for the time frames set out in applicable provisions or, where applicable, in the contractual relationships with the Bank, and physically erase or fully anonymise your data once these time frames have passed.

• With whom do we share your data?
  

• We share your personal data with:

  1. Santander Group companies and third-party partners and/or affiliates of the Santander Group (for example, insurance companies and financial asset management companies). Depending on the purposes for processing, which we have informed you of in this document, we will only share your data with third parties: i) when doing so is necessary in order to undertake processes to simulate the acquisition of products and/or services from said entities, the actual acquisition of said products and/or services, and/or the maintenance and/or management of the contract in place with the aforementioned entities; ii) when you provide your consent; iii) when the transfer is based on the Bank's legitimate interest and/or that of the third-party company with which we are sharing your data and, lastly; iv) when the transfer is in order to comply with a legal obligation.
     
     You can view the full list of Group companies and Santander Group third-party partners and/or affiliates to which we disclose your data by requesting it from your branch or via the following link: http://bsan.es/sociedades_banco_santander.

     
     

  2. Government agencies and private entities, when there is a legal obligation to disclose it to them (non-exhaustive list):
     
     2.1) CIRBE (Servicio Central de Información de Riesgos de Banco de España – Bank of Spain Risk Information Centre):  The Bank, in accordance with Ley 44/2002 on the reform of the financial system, will disclose your identifying data (whether as a holder or guarantor) and data regarding the risk of the banking transactions you have contracted with us and, if applicable, your status as self-employed.
     
     2.2) Financial ownership files of the Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences): The Bank, in accordance with regulations on the prevention of money laundering and countering the financing of terrorism, must disclose the following to the Spanish State Secretariat for the Economy and Business Affairs: (i) identifying data of all holders, representatives or authorised persons and any other persons with dispositive powers in relation to current accounts, securities accounts and term deposits, independently of their business name, as well as amendments that may be made with regard to said accounts; and (ii) the start date, termination date and other mandatory data with respect to the aforementioned contracts.
     
     2.3) The Spanish Tax Agency, in accordance with tax legislation.
     
     2.4) Official bodies and authorities of other countries, both within and outside of the European Union, as part of the fight against terrorist financing, serious forms of organised crime and money laundering, in the case of transfer orders of funds, and to comply with national and international legal and/or tax-related obligations if you have indicated multiple countries of nationality and/or for tax residence other than Spain.
     
     2.5) Accounts auditors, when the Bank must be audited to satisfy a legal obligation.
     
     2.6) Deposit Guarantee Fund. The Bank, for purposes of calculating contributions to the Spanish Deposit Guarantee Fund for Credit Institutions, will disclose, to said Fund, individualised information regarding balances corresponding to the deposits made by customers.
  3. Courts and state law enforcement and security forces, when doing so is required due to a legal obligation or when it is necessary for the preparation, execution or defence of claims, on the basis of the legitimate interest of the Bank to guarantee its right to effective legal protection.
  4. Lawyers and legal representatives, when acting as procedural representatives before a court, on the basis of the legitimate interest of the Bank to guarantee its right to effective legal protection and legal assistance.
  5. Shared credit information systems: the Bank may disclose your identifying data and data regarding non-payment to credit information systems with which the Bank is linked, including Experian, Asnef and RAI. The procedures and guarantees in effect at any given time, as established and recognised by the legislation in force, will be complied with at all times.
  6. Third parties for the prevention of fraud, such as Confirma Sistemas de Información S.L. (Confirma) and mobile phone operators: In the case of any request for the opening or acquisition of a payment product or service and/or a financing or deferred payment operation, the bank will disclose your data to the “Fichero Confirma” (a filing system managed by Confirma) for the prevention of fraud. The data controllers of the Fichero Confirma are the participating institutions in the Fichero Confirma. The processor is Confirma Sistemas de Información S.L., with registered address at Avda. de la Industria, 18, Tres Cantos, 28760 Madrid, Spain. You can view the list of participating institutions at any time at www.confirmasistemas.es, as well as exercise your data protection rights with respect to Confirma by writing to the address indicated or emailing the Data Protection Officer at dpo@confirmasistemas.es. Your data will be stored in the CONFIRMA filing system for a period of two years. Moreover, with regard to any application for an acquisition of a product or service or when you amend your telephone number, your telephone number may be checked with mobile phone operators in order to detect potential identity theft and to prevent fraud.
  7. Sociedad Española de Sistemas de Pago, S.A. (Iberpay): For any request for the opening or acquisition of a payment product or service with the Bank via remote means (by telephone, electronically or online), and in order to comply with anti-money laundering legislation, when you opt for us to verify your identity via a third party that is subject to such legislation, we will transmit your data to the "Iberpay platform" for the sole purpose of verifying that you are the holder of the account that you have specified. The controllers as regards the "Iberpay platform" are the institutions participating in the SNCE (Sistema Nacional de Compensación Electrónica – Spanish National Electronic Clearing System), and the processor is Iberpay S.L. Moreover, for any application for an asset product through remote channels wherein you have authorised the Bank to value the risk of the transaction by means of the aggregation service, we will transmit your data to the Iberpay platform to verify that you are the holder of the aggregated account.
     
     Furthermore, for purposes of detecting and preventing fraud, the Bank may add your data to a shared filing system for the prevention of fraud in banking transactions, which is managed by Iberpay and for which responsibility is shared by the participating institutions, including the Bank, for the detection, investigation, monitoring and potential reporting of suspicious and fraudulent transactions involving your current or savings account. You may view the up-to-date list of the participating institutions as regards this filing system via the following link: and request additional information and enquire about the core elements of the co-responsibility agreement between said institutions by emailing privacidad@gruposantander.es .
     
     The only data that we will transmit to the filing system will be that relating to the IBAN and the holder of the account involved in the unauthorised or suspected fraudulent transaction. This data may be viewed by the other participating institutions. The lawful basis for the processing is the Bank's legitimate interest to detect and prevent fraud in banking transactions involving your account, which is also in the interest of account holders potentially affected by fraud committed by a third party.
     
     The data will be stored in the filing system for a maximum period of 30 days in the case of suspicious transactions, and of one year in the case of unauthorised transactions (when the fraud has been confirmed by the victim). The Bank will automatically erase data included in the shared filing system when they are no longer accurate or do not accurately reflect the situation of the victim.
  8. Other credit institutions, state-owned corporate entities, brokers, collective investment undertakings, venture capital firms and guarantee institutions, trusted third-party service providers, payment service providers, third-party aggregators, payment systems and technology service providers, Notaries, Registrars, valuing companies, digital certificate issuers and administrators, in cases where it is necessary for the execution of a contract or provision of a service that you request from us. For example, when you order a transfer to another institution within or outside the European Union, we will disclose, as necessary, your data for the execution of the order, or when risk operations that we grant you are guaranteed and/or subsidised by third-party institutions with which the Bank has entered into a cooperation agreement (for example, the European Investment Fund or the ICO [Instituto de Crédito Oficial – Spanish official credit institution]); when you make a request to us for a transaction via a third party (broker) with which the Bank works; when the contract that you entered into with the Bank must be notarised by a Notary Public or recorded in a Mercantile Registry, a Registry of Movable Goods or Property Registry for a trusted third party; or when, with regard to an application to acquire a service, in order to obtain the documentation and information needed to consider said application, we are required to do so via a digital certificate issuer. Moreover, when processing a mortgage transaction, we will disclose your data to the administrator to calculate and prepare the provision of funds.
  9. Banco Santander service provider: The Bank also works in partnership with some third-party service providers that have access to your personal data and who process this data, as the data processor, on behalf of the Bank as part of their services.
     
     The Bank follows strict criteria when selecting its service providers so as to ensure compliance with its data protection obligations, and it signs data processing agreements with them binding them to the following obligations: applying appropriate technical and organisational measures; processing personal data for the purposes agreed and only in accordance with documented instructions from the Bank; and deleting or returning the data to the Bank once the services have been provided.
     
     Specifically, the Bank will arrange to have third parties provide services in sectors including but not limited to the following: logistics services, legal advice, administration, provider approval, services from management companies not linked to the Santander Group for transmitting or executing shares or units in undertakings for collective investment via specialised technological platforms, multidisciplinary professional services companies, technological service provider companies, software service provider companies, physical security companies, instant messaging service providers and call centre service companies

• Will your personal data be transmitted to third-party countries?
  

• The data processors engaged by the bank may include providers outside of the European Economic Area, with your data being transmitted internationally. To that effect, the Bank will only transfer to third countries (i) if there is an adequacy decision that determines the country to have a level of protection comparable to that of the European Union; (ii) failing that, by applying suitable safeguards to conform with the data protection regulation, such as signing standard contractual clauses or the binding corporate rules. The Data Subject may request further information regarding the aforementioned appropriate safeguards by using the contact information in the section "What are your rights when you provide us with your data?"

  Furthermore, when you request a transaction in which the destination bank account is in a country outside of the European Economic Area, your personal data will be transferred to the institution with which said account is held. In such circumstances, the legitimate basis for the aforementioned transfer is that it is necessary for the execution of the contract between you and the Bank.

• What are your rights when you provide us with your data?
  

• You may exercise your rights of access, portability, rectification, erasure, restriction and objection. You will also have the right not to be subject to automated decision-making and, as such, you will be able to request human intervention in decision-making concerning you by the Bank and express your point of view; you may also contest decisions.

  With regard to processing on the basis of a legitimate interest, you may request information relating to the Bank's assessment, as well as object to any such processing; for the purposes thereof, you must contact the Data Protection Officer/Privacy Office and explain the reason for your objection. It will not be necessary for you to provide any such reason should your objection be in relation to the processing of your data for sales purposes; notification of your wish not to receive sales communications will suffice.
  
  In addition, you may revoke, at any time, the consent that you have given, with no legal effect on any processing carried out prior on the basis of said consent.
  
  To exercise these rights, or for any matter related to the processing of your personal data, please send an email to privacidad@gruposantander.es or send a letter to: C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid, Spain (FAO Data Protection Officer/Privacy Office). Where there are reasonable doubts with regard to your identity (for example, where communications are sent from an email address that differs to the one that you provided to the Bank), you will be requested to provide additional information to help us verify your identity. Should you exercise your rights through a representative, you must also provide valid supporting documentation for this representation.
  
  The additional information that you provide to identify yourself will be processed for the purposes of verifying your identity and managing the handling of the right asserted.
  
  Should you exercise your right to access your personal data, please note that you will only receive a copy of the data that is being processed by this entity.
  
  In addition, you may contact the Bank's Data Protection Officer/Privacy Office at the following email address: privacidad@gruposantander.es.
  
  Finally, you can lodge a complaint with the Spanish Data Protection Agency (AEPD). The necessary information is available on its website: www.aepd.es.

The Bank may update this document in the future. The date of its entry into force is provided at the bottom of the document. Check this information periodically to ensure that you are aware of the latest version.

Version: 7 March 2023