Information on data protection

Further information on data protection for customers

• Who is the data controller?
  

• Banco Santander, S.A (hereinafter "the Bank" or "Banco Santander").

  Postal address: C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid, Spain.

  Data Protection Officer/Privacy Office contact: privacidad@gruposantander.es

• What types of persons are covered by this document?
  

• This document applies to all persons who show an interest in or apply to the Bank for a product or service (pre-customer), as well as to those who have a legal relationship with the Bank, regardless of the type of involvement, whether they are contract holders (customers), guarantors, authorised persons or representatives, among others.

  The lawful basis for processing the main types of persons are as follows:

  
  

  			PERSONS
  		Pre-customer	Customer	Guarantor	Authorised persons and other persons	Representantive
  LAWFUL BASIS	Execution of a contract or pre-contractual measures	YES	YES	YES	YES	YES
  	Consent	As authorised	As authorised	As authorised	As authorised	No
  	Legitimate interests	YES, less commercial profiling	YES	YES, less commercial profiling	YES, less commercial profiling	YES, less sales actions, with the exception of sending advertising to representatives or contact persons of legal persons, and commercial profiling.
  	Legal obligation	YES	YES	YES	YES, less risk assessment	YES, less risk assessment

• Which types of personal data do we collect and process?
  

• 1. If you are a customer or have applied to become a customer (pre-customer):
  • Identification and contact details: Identity document (Spanish tax ID (NIF), Spanish national ID (DNI), foreign registration number (NIE), non-Spanish identity document/corporate tax ID (CIF)), name and surname, customer number, address, residence, telephone numbers, email address.
    
    

    If you have used a digitised handwritten signature in your relations with the Bank in order to request services and/or complete transactions, we will retain the data obtained by digitising the handwritten signature (such as the order, intensity, speed, pressure and acceleration of the stroke), which will be used exclusively as evidence in the event of repudiation, in order to verify, by means of comparison, that the signature is yours, thus authenticating the customer in order to accredit the authenticity of the documentation or transaction that you are formalising with the Bank.

    In the event that you request video identification so that we can authenticate your identity during remote contracting processes, your image pattern, extracted from your photograph during the identification process and from that on your identification document, will be processed.
    
    

  • Data relating to your personal characteristics: gender, age, date of birth, marital status, dependents, place of birth, nationality.
  • Data relating to your social circumstances: hobbies, property and details of your residence, farm or premises (such as size, location and energy features).
  • Academic and professional or employment data: level of studies, qualifications, employment status, activity, profession, professional category, professional association memberships.
    
  • Economic, financial and solvency data: Current accounts and balance, financial and credit scoring, billing volume (self-employed), source of income, payroll data.
  • Data relating to transactions for goods and services: catalogue of all banking products acquired by the customer, such as credit or debit cards, funds, mortgages, shareholder status, etc., information from other banks or third-party companies (aggregation or payment initiation service – aggregation service – or payment bundling services), means of payment, and the use thereof.
  • Data relating to sales information: use of channels, contact preferences.
  • Transaction data: income, expenses, balances, payments, transfers, direct debits, invoices, notes and movements of contracted products, including the origin, destination, item and third party related to the transaction, location where it is carried out and the date and time.
  • Data on your location, if you have consented to activate the geolocation service on your device.
  • Data regarding your on-line behaviour and preferences: for example, your computer’s IP address or device ID, as well as the web pages you visit, browsing habits, device model, or on-line identifiers, in accordance with the terms described in our Cookies Policy, available on our website https://www.bancosantander.es/en/politica-de-cookies.
  • Data about your interests you share with us, for example, when you make an enquiry call to our agents, when you run a simulation of our products and/or services or when you subscribe to the Newsletter service.
  • Data relating to the devices from which you access the customer area of the Bank: device model and operating system.
  • Audiovisual data: for example, when we record your voice during a telephone conversation with our managers.
  • Sensitive data: if you have provided us with such data in the context of your relationship with the Bank, we will process your health data relating to your degree of disability, and other information relating to your situation of vulnerability, for the purposes provided for in the regulations on this matter.
  • Information on data from external sources is detailed in the section "How do we obtain your data?".
  1. If you are a guarantor:
  • Identification data: Identity document (NIF, DNI, NIE, non-Spanish identity document/CIF), name and surname, customer number, address, residence, telephone numbers, email address.
  • If you have used a digitised handwritten signature in your relations with the Bank in order to request services and/or complete transactions, we will retain the data obtained by digitising the handwritten signature (such as the order, intensity, speed, pressure and acceleration of the stroke), which will be used exclusively as evidence in the event of repudiation, in order to verify, by means of comparison, that the signature is yours, thus authenticating the customer in order to accredit the authenticity of the documentation or transaction that you are formalising with the Bank.
  • Personal characteristics: date of birth, place of birth, nationality
  • Social circumstances: property and details of your residence, farm or premises
  • Employment details: employment status, activity, profession, professional category
  • Sales information: use of channels
  • Economic, financial and insurance data: Financial and credit scoring, billing volume (self-employed), source of income, payroll data.
  • Information on data from external sources is detailed in the section "How do we obtain your data?".
  1. If you're an authorised person or representative:
  • Identification details: Identity document (NIF, DNI, NIE, non-Spanish identity document/CIF), name and surname, customer number, address, residence, telephone numbers, email address.
  • If you have used a digitised handwritten signature in your relations with the Bank in order to request services and/or complete transactions, we will retain the data obtained by digitising the handwritten signature (such as the order, intensity, speed, pressure and acceleration of the stroke), which will be used exclusively as evidence in the event of repudiation, in order to verify, by means of comparison, that the signature is yours, thus authenticating the customer in order to accredit the authenticity of the documentation or transaction that you are formalising with the Bank.
  • Personal characteristics: date of birth, place of birth, nationality
  • Academic and professional details: employment status, activity, profession, professional category
  • Sales information: use of channels
  • Information on data from external sources is detailed in the section "How do we obtain your data?".

  
  Regardless of the nature of your relationship with the Bank, the Bank will not collect or process special categories of data concerning you (e.g. data relating to your health, ethnic origin, religious beliefs or political opinions), unless this is strictly necessary in order to manage the service contracted or requested; for example, because you have paid your union dues directly from an account with our Bank or you have specific contractual conditions arising from your situation of vulnerability.

  Finally, the Bank will not collect or process data from minors, unless they have contracts with the Bank, either directly or on behalf of their parents or guardians. The processing of such minors' data shall be limited exclusively to the maintenance and monitoring of the product or service contracted.

• How do we obtain your data?
  

• The Bank obtains your data through the following sources:

  1. Directly from you, through the information that you provide when you request, contract, maintain and make use of products and/or services with us or marketed by us, both directly and indirectly and through any of the channels that the Bank makes available to you (branch, telephone channel, online services, etc.). Examples include: through enquiries, transactions, operations, simulations or applications for such products or services. In addition, subject to obtaining your consent, we may obtain personal data about you when you browse our websites and mobile phone applications, via the use of cookies or any other type of online identifier or through the fingerprint of your device or terminal.
  2. In some cases, such as, for example, the contracting of a product or service with several parties involved or in which the holder is a legal entity and you are a proxy, representative or employee of such entity, your data may be provided by one of them. In these cases, such third parties should be aware that, prior to the communication of your data, they are obligated to inform you of the transfer and, where appropriate, to have obtained your authorisation.
  3. Exceptionally, in order to comply with anti-money laundering and counter-terrorist financing due diligence obligations, we may use information already in the Bank's possession (for example, payroll orders made to the Bank by your employer) to verify the information that you have provided to us on the customer identification form.
  4. Internal sources of information, such as data inferred about you based on personal data available because of your status as a customer, relating to financial or credit risk indicators.
     
  5. External information sources:
  • Central de Información de Riesgos del Banco de España (Bank of Spain Risk Information Centre, or CIRBE), from which we obtain solvency information about you.
  • Credit information systems of which the Bank is a member, such as Asnef-Equifax Servicios de Información sobre Solvencia y Crédito S.L. (Asnef), Experian Bureau de Crédito, S.A. (Experian) and the Registro de Aceptaciones Impagadas (Register of Bad Debt, or RAI), which provide information on solvency, delinquency and, in general, financial or credit risk indicators.
  • Fraud prevention information systems, such as Sociedad Española de Sistemas de Pago, S.A. (Iberpay), Confirma Sistemas de Información S.L. (Confirma), FrauDfense and telecommunications operators.
  • Specialised information files or public sources available on the internet relating to the prevention of money laundering and terrorist financing, from which the Bank obtains information on its customers who hold or are involved in accounts, legal representatives and beneficial owners of accounts.
  • Publicly accessible sources such as official state bulletins and newspapers, public records, government resolutions, telephone books and lists of persons belonging to professional associations.
  • The Spanish General Treasury of the Social Security (TGSS), to verify your source of income.
  • The Spanish Tax Agency (AEAT), in the event that you have provided us with your Secure Verification Code and have authorised the Bank to use it in the virtual office of the AEAT's website in order to download your tax data, so that the Bank can check its veracity for the purposes of analysing the application for the transaction in question.
  • Investment service companies when they deposit their customers' cash with the Bank, for the purposes of determining the bases for calculating contributions to the Spanish Deposit Guarantee Fund for Credit Institutions.
  • Third-party companies to which you have given your consent for the communication of your personal data to the Bank (for example, insurance companies or entities with which the Bank enters into collaboration agreements through which they obtain your consent for the communication of your personal data to Banco Santander, including Social Networks; Spanish universities to which you, through their corresponding mobile applications, have given your consent for the communication of your personal data to the Bank for commercial purposes; or entities to which you have given your consent to the use of cookies or similar technologies involving the communication to the Bank of your information collected by means of such technologies).
  • Third-party companies that provide services to you when necessary for the execution of a contract with the Bank or the implementation of pre-contractual measures requested by you; such as, for example, payment aggregation or payment initiation services (aggregation service), payment bundling services, prescription services for mortgages or other financial or insurance products, request for information or aggregation of information on payment accounts or services as part of a credit application, or the verification of the requirements for a promotion involving a product or service contracted or applied for.
  • In addition, if you've provided your consent for this purpose, we may obtain personal data on your browsing through the company web pages of the Santander Group or companies who provide commercial information, collected via the use of cookies or any other type of online identifier or through the fingerprint of your device or terminal.
  • Your client, if you are acting as a representative or an authorised individual for a company, entity or another individual.
  • Valuation agencies, if you provide us with your own valuation in the context of a mortgage loan application, so that we can verify its authenticity automatically via the valuation agency issuing the report.
  • Administrative agents' offices: should you apply for a loan/mortgage from us, we will obtain information from them about the total costs associated with this transaction, including related transactions, so that you can make an informed decision; this entire process will be undertaken in compliance with the recommendations provided by the Bank of Spain.
  • If you have given your consent to this end, we may obtain data relating to the insurance policies you have applied for or taken out through the Bank, which acts as the distribution network of Santander Mediación Operador de Banca-seguros vinculados, S.A. In particular:
    
    
    • Data relating to transactions involving goods and services:
      
      
      • Contracting and simulation (quotes) of insurance policies: information relating to all insurance products contracted (for example: product name, branch, type and format; premium data, payment method and surcharges; specific conditions such as capital, coverage, exclusions or grace periods; loans associated with the insurance policy; contracting channel).
        
        
      • Management of the contractual relationship: information related to the management, status, evolution and maintenance of the contracted products, including claims management (for example, receipts issued and their status; contributions and redemptions made; amendments to coverage, number of insured, payment method or other policy conditions or details; cancellation requests and outcome of retention actions; details on the insured asset—vehicle, property—or activity; initiation, cost and status of the claim and its payment, coverage or rejection and the reason; dates associated with all milestones in the management and evolution of the policy).
        
        
    • Data relating to the interaction between you and the companies:
      
      
      • Verification of the quality of the services: information relating to the quality surveys that the companies submit to verify the quality of their various services (channel, content, date and result/response of the surveys).
        
        
      • Complaints and claims: information on the reason, date and resolution of complaints and claims handled.
        
        
      • Campaigns and contacts: information related to sales, prevention/loyalty and retention campaigns conducted by the companies (target audience, content/offer, channel, contact and outcome and related dates), as well as contacts initiated by you (channel, reason, outcome and dates of the contact).

• For what purpose and on what lawful basis do we process your personal data?
  

• Next, the different purposes of Banco Santander data processing are set out below, distinguishing between (i) pre-customers and customers, (ii) guarantors and (iii) authorised persons or representatives:

  I. If you are a customer or have applied to become a customer:

  1. Managing the pre-contractual and, where applicable, contractual relationship relating to any Bank products and/or services which you take out

     
     When you are interested in any of the products or services offered by the Bank and request information about them and/or the initiation of a contracting process, we will process your personal data for the purpose of assisting you and answering your queries or questions, processing your request and carrying out the preliminary procedures necessary to proceed with such contracting (for example, providing you with information and advice relating to the product or service in which you are interested or assessing the feasibility of your contracting request) or contact you so that you can continue with the contracting process in the event that it has not been possible to complete it.

     In addition, we will communicate your data to other Santander Group companies and third-party affiliates and/or companies that collaborate with Santander Group (for example, insurance companies, financial asset managers or venture capital companies), in the event that you, as a customer of the Bank, carry out processes to simulate or apply to contract any of these entities' products and/or services marketed by the Bank and/or actually contract said products, or in cases where you are a joint customer of the Bank and such entities, when the purpose of the data communication is the maintenance and development of the contract that you hold with the aforementioned entities. In these cases, the communication will only affect a limited amount of data that the Bank has regarding you, which is, specifically, the data strictly required for drawing up the agreement and/or executing/developing it and for the companies involved to fulfil their legal obligations, namely: your TAX ID numer (NIF), gender, age, address and direct debit information; and, in some cases, also your risk profile, email address and telephone number. The purpose of this is to make it simpler and more agile to arrange products through the Bank that are marketed  or distributes by the Bank but provided by other Group companies or third-party affiliates, taking your condition as a Bank customer into account; ensure these companies can fulfil their legal obligations; and for those companies of which you are also a customer, to have your contact details in order to send you information relevant to the development of your contractual relationship.

     Likewise, in those cases in which a customer applies for financing through the funds of the Instituto de Credito Oficial (Spanish Official Credit Institution), the European Investment Bank, the European Investment Fund or Public Administrations, we will process your personal data for the purpose of managing such application and assessing whether such financing is processed through the funds of the Bank or of the aforementioned entities. Once the financing has been formalised, if applicable, your personal data will be communicated to the Instituto de Crédito Oficial, the European Investment Bank, the European Investment Fund or the Public Administration in question, as appropriate, in order to know which part of the loan is being drawn down by the Bank.

     The lawful basis of this processing is your request for the adoption of pre-contractual measures aimed at contracting any of the products and/or services offered by the Bank or its Group companies.

     In addition, when you contract any of the Bank's products and/or services (assets, liabilities, finance, investment, pension plans, leasing and renting services, etc.), we will process your personal data for the following purposes:

  • Signing, continuing, making changes to and performing the contract. This also includes processing your personal data for the purposes of arranging the portfolios of the Bank's various customers and assigning a specific manager to each portfolio, and processing the transactional data for the products and/or services that you take out with the Bank, when necessary, in order to check that you fulfil the conditions for signing and subsequently performing the contract.
  • To send out informative communications strictly related to the products or services that you have contracted and the operation of these products and services, including the verification of unusual account activity.
  • Where appropriate, to carry out the necessary actions to recover and pay any debts that you may have with the Bank, including updating the data that has already been provided by the debtor.
  • To carry out the new customer onboarding process and provide access to the Bank's digital channels.
  • To provide you with the services that you request from us or that are incorporated into the Bank's digital channels, including the payment aggregation or initiation service(aggregation service), payment grouping services, the performance of transactions and the management of (i) any type of query, claim or incident that may arise from the contractual relationship entered into and (ii) the services offered by ATMs (for example, withdrawals and deposits into accounts, payments of taxes and bills, viewing account activity, transfers, mobile top-ups or password recovery).

  
  The lawful basis for this processing is the execution of the contract signed between you and the Bank.

  In addition, the Bank may share information associated with the updating of your personal data with the companies, third-party collaborators and/or affiliates of the Santander Group, whose products it markets and/or shows you in your Customer Area of the Bank (website and app) or regarding which you may request information from your manager. In other words, if you update your personal data through the Bank, the Bank may provide the updated data to others.
  
  You can view the full list of Group companies and Santander Group third-party partners and/or affiliates to which we disclose your data by requesting it from your branch or via the following link: http://bsan.es/sociedades_banco_santander.

  The lawful basis of this processing is the legitimate interest of having all the information updated in all entities of the Santander Group, as well as in the Group's collaborators and/or affiliates whose products are marketed by the Group, without it being necessary for the Data Subjects to request said update for each of them.

  The Bank may also use your customer contact details to keep your shareholder information up to date.

  The lawful basis for this processing is the legitimate interest of the Bank in fulfilling its legal obligations and in facilitating the exercise of the shareholder's rights.

  Likewise, in relation to debt recovery activities, it is possible for the Bank, either directly or through companies with which it contracts such a service, to obtain data in addition to that provided by the debtor at the time of contracting, in order to facilitate their tracing or improve knowledge of their debt payment possibilities; this also includes the performance of actions to ascertain the solvency of debtors, through access to information on their assets and properties, all with the aim of recovering and paying the debt.

  The lawful basis for such processing would be the Bank's legitimate interest in ensuring the fulfilment of the payment obligations previously assumed by its customers with the Bank.

  1. Compliance with the Bank's legal obligations

     
     We will process your personal data to comply with the legal obligations applicable to the Bank, such as:

  • Anti-money laundering and counter-terrorist financing obligations.
    
    To comply with these obligations, the Bank will process the data required to comply with the due diligence obligations set out in the applicable regulation. In the event that you request your registration as a customer through the video identification system (remote registration), the Bank will process your data in order to verify your identity and authenticate you. Likewise, for these purposes, the Bank will share your personal data with other Santander Group companies and to third-party affiliates and/or collaborators of the Group that have delegated compliance with anti-money laundering and counter-terrorist financing obligations to the Bank, under the terms set out in said regulations.
    
    Additionally, the Bank may process data that is necessary to analyse transactions carried out that may present signs of money laundering or terrorist financing, and will carry out the relevant communications, where appropriate, with the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC) by (i) regularly reporting on transactions that comply with specific requirements set by SEPBLAC or (ii) requesting specific information on a transaction.
  • Tax obligations imposed by the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS) in relation to the automatic exchange of information obligation, which obliges the Bank to identify, classify and report certain financial accounts of customers who have legal obligations in the US in the case of FATCA and, in the case of CRS, to different financial authorities located in the jurisdictions participating in this standard. Likewise, for these purposes, the Bank will communicate your personal data to other Santander Group companies and to third-party affiliates and/or collaborators of the Group whose products or services the Group markets and that have expressly delegated compliance with these tax obligations to the Bank, under the terms set out in said regulations.
  • Obligations regarding responsible lending and protection of mortgage borrowers, debt restructuring and social housing. For these purposes, the Bank may process your data to verify and evaluate your solvency and credit risk, establish measures in case you are in a situation of vulnerability, assess the risk of payment default on the transactions that you maintain – as in the case of new transactions that you request from us – and the creation of risk models, including economic and personal information available from companies that provide information on solvency, delinquency and general indicators of financial or credit risk to which the Bank has access or has obtained through the aggregation service when you have consented to it.
  • Occasionally, to comply with the aforementioned credit risk assessment and verification obligations, when you are a partner or shareholder of a company that is a customer of the Bank or that applies to become one, we will process your identification and professional location data in order to consult any possible corporate links you may have with third parties. The legal basis for this processing is the legitimate interest of the Bank in complying with the regulatory obligations relating to the granting and monitoring of loans, through an analysis of the risk and solvency of companies that are interconnected.
    
  • Legal obligations under prevailing legislation on Securities Markets, Investment Services and other investment legislation to assess your knowledge and experience in the financial markets, your financial situation and investment objectives, and which include the recording of any telephone conversations that end or may end with the closing of an investment services transaction. Likewise, for these purposes, the Bank will share your personal data, in particular the result of the evaluation of your knowledge and experience in the financial markets, with other Santander Group companies and third-party affiliates and/or collaborators, whose products or services the Group markets or distributes and which have expressly delegated compliance with these investment obligations to the Bank and which should have this information at their disposal, under the terms set out in said regulations.

  
  Occasionally, in order to comply with the obligations mentioned in the two previous points, the Bank uses an automated risk assessment system, which uses a scoring logic that takes into account its information. This system is based on the application, to each Data Subject, of previously designed algorithms, which automatically assign a score according to three different risk levels, as defined in the Bank's customer risk classification policy. This classification allows us to comply with regulatory requirements in terms of risk monitoring, solvency control, regulatory capital calculation, accounting standards (provisions) and responsible lending standards.

  By way of example, the Bank may use fully automated means to verify and evaluate your solvency and credit risk, both to assess the risk of payment default on the transactions that you maintain, as well as in the case of new financing transactions that you request from us.

  Similarly, and also by way of example, the Bank may make decisions based solely on the automated processing of your data when you complete questionnaires to assess your knowledge, experience, financial situation and investment objectives.

  The Bank submits this system to periodic reviews to avoid any possible mismatch, error or inaccuracy in this assessment. Notwithstanding the above, if you do not agree with the result of the assessment, you may challenge the decision by providing the information that you consider appropriate, as well as by requesting the personal involvement of one of our risk analysts.

  • Commercial, corporate and tax obligations and obligations of any kind imposed by the supervisory bodies and competent authorities (for example, the European Central Bank, the Bank of Spain, the Spanish National Markets and Competition Commission or the Spanish Data Protection Agency).

  
  The lawful basis for this processing is compliance with the legal obligations applicable to the Bank.

  1. Consultation of credit information systems and communication of payment defaults to them

     
     When you apply for a mortgage loan, the Bank may consult the information about you that appears in CIRBE and the credit information systems to which it is has access (for example, Experian, Asnef and RAI), in order to evaluate your solvency and credit risk and assess the viability of your mortgage loan application.

     Likewise, we will consult the content of the aforementioned credit information systems in the event that the aforementioned contracts are entered into and until they are terminated.

     When you hold credit risks with the Bank, either directly (holder) or indirectly (guarantor of a risk product), we will share your data with the CIRBE, including data relating to the characteristics of the risks.
     
     The lawful basis for consultation with and communication to CIRBE and the consultation of credit information systems is compliance with the legal obligations established by the regulations governing the financial system and real estate credit, in order to comply with the principles of responsible lending and minimisation of credit risk.

     We will also consult such credit information systems when you enter into a contract with us or apply to enter into a contract with us involving financing, deferred payment or periodic billing (e.g. loans or credits) or a contract that supports overdraft credit (e.g. an account) for the same purpose.

     Additionally, if you default on any payment, we may notify credit information systems to which we have access, such as Experian, Asnef and RAI, in compliance with the procedures and guarantees set out in current legislation at any time.

     The lawful basis for this processing is the Bank's legitimate interest in complying with appropriate control and preventing default situations, helping to safeguard the financial system and the economy in general insofar as it allows third-party entities access to solvency information when they have to analyse the solvency of applicants for risky transactions, as expressly established in the regulations governing the protection of personal data.

  2. Prevention and investigation of fraud

     
     We will process and/or share your data with third parties, whether or not they are Santander Group companies (for example, Confirma, Iberpay and telecommunications operators), to detect and analyse possible fraudulent activity, identify and learn about the participants in such activities, and, where appropriate, take relevant action against these activities.

     For this purpose, in cases in which you are a customer of both the Bank and other Santander Group companies and/or third-party affiliates and/or collaborators of the Group, the Bank will share your personal data with such companies and entities, in order to ensure compliance with the Group's management policies relating to the prevention and investigation of fraud.

     In addition to the purpose of preventing these kinds of practices, we will process your data for the purpose of sending you communications about fraudsters, in anticipation of potential situations which could adversely affect you as a result of fraudulent acts by third parties, for example.

     The lawful basis of this data processing is the legitimate interest of the Bank or the other organisations that are part of shared fraud-prevention file systems, in cases where we add your data to or consult them in these shared file systems, in preventing, investigating and/or uncovering fraud. Further information on the entities to which we will disclose your data for this purpose, the conditions under which your data will be processed and how to exercise your rights can be found in the "With whom do we share your data?" section.

  3. Commercial profiling

     
     We will process your data to create commercial profiles for you, which will allow us to:

  • Analyse the preferences, behaviours and needs of the Bank's customers related to the products and services offered by the Bank, as well as their propensity to contract or terminate products and services.
  • Present you with a personalised offer of financial products and services, as well as insurance products marketed by the Bank that are related to the products that you have already taken out, taking into account what you have taken out and your habits as a customer.
  • Make observations and recommendations about the products and services that you have already taken out and others that we believe may be of interest to you.
  • Detect potentially vulnerable clients early in order to assist them by adopting protection and support measures adapted to their personal circumstances.
  • Perform an analysis of your transactions and spending habits in order to provide you with information, advice or personalised warnings about them in order to optimise them (such as calculating your carbon footprint, analysing how you're spending your money, calculating your savings capacity, etc.), as well as to identify products and services that could be useful for this purpose.
  • Selecting cultural, music and sporting events sponsored by the Bank or with Bank partner companies, or Santander Group companies that may be of interest to you.
  • If you have subscribed to the Bank's Newsletter or news bulletin service, analysing your preferences and behaviours in order to provide you with personalised content which we think may be of interest to you.
    

  
  For these purposes, we will only use internal sources, i.e. we will only process the information that you provide us with and which derives from your contractual and commercial relationship with the Bank: transactional data of the products and/or services that you have taken out with the Bank; information about your interests that you share with us, either through telephone calls with our managers or through your online behaviour (as detailed in section 13); simulations; savings rules that you set; requests for information or the contracting of our products and services; data on your savings and debt capacity in order to analyse your behavioural patterns and habits; data relating to the devices from which you access your Customer Area of the Bank; and geolocation data when you consent to its collection. In particular, we will consult the information that we have on the management of the services we provide you with or the products that you have contracted or maintained in the last year, including the information resulting from the risk models described in section 2, as well as whether you are a shareholder of the Bank.

  The lawful basis for this data processing, aimed at identifying your needs in relation to the products, services, recommendations, advice and information best suited to your personal characteristics and habits, is the Bank's legitimate interest in getting a better understanding of your business in order to improve our marketing activities and the quality of the service that we provide to you, as well as improving the conditions of the products or services that you have taken out or may take out in the future, by tailoring them to your needs.

  Should you consent thereto, we will expand your commercial profile prepared by the Bank, sometimes using additional information from external sources (including third parties with whom you have consented for us to share your data, the payment aggregation or initiation service (aggregation service), payment bundling services; and the other sources mentioned in the section "How do we collect your data?"), so that we can present you with a more personalised product and service offering, based on said profile.

  This processing of existing information with the Bank, arising from your contractual relationship therewith and, where appropriate, additional information collected by external sources, allows for the preparation of a more detailed analysis of your preferences, behaviours and needs than that set out on the basis of the Bank's legitimate interest, and will be used to determine, more precisely, which products and services are better suited to your needs.

  The additional information that we process and, where appropriate, collect from external sources will relate to personal characteristics, social circumstances, academic and professional data, employment details, commercial information, location information, economic and financial data, insurance-related data and data in relation to transactions for goods and services, including transactional data relating to the aggregation service.

  The lawful basis for this processing is the consent provided by means of ticking the box established for this purpose on the form made available to you.
  
  In addition, if you provide your consent as part of a simulation process or in contracting insurance marketed by the Bank, you authorise the Bank to draw up a specific commercial insurance profile geared towards identifying your needs regarding the insurance products and services that best suit your personal characteristics and habits, using for this purpose the personal data generated by your relationship with the insurance companies identified below together with the commercial profile that the Bank may have of you, in accordance with your preferences, and to use it for the commercial profiling purposes defined in this privacy policy.
  
  The additional information that we will process refers to data relating to transactions involving goods and services (such as information relating to all insurance products contracted; related to the management, status, evolution and maintenance of the contracted products, including claims management); data concerning the interaction between you and the insurance companies (such as information relating to the verification of the quality of the services, complaints and claims, campaigns and contacts).
  
  The insurance companies whose information will be processed by the Bank and which distribute their insurance through the Bank, the latter acting as the distribution network of Santander Mediación Operador de Banca-seguros vinculados, S.A., are: Santander Seguros y Reaseguros, Compañía Aseguradora, S.A.; Santander Generales Seguros y Reaseguros, S.A.; Santander Vida Seguros y Reaseguros, S.A.; and Santander MAPFRE Seguros y Reaseguros, S.A.
  
  The legal basis for this processing is the consent given by ticking the box provided in the process of simulating or contracting an insurance policy marketed by the Bank.
  

  1. Inclusion in loyalty actions, promotions and competitions/draws

     
     We will process your data to make loyalty phone calls, send you invitations to events and include you in loyalty actions, promotions, offers and competitions/draws that the Bank promotes among its customers, based on products that you have taken out. For example, the Bank may enter you in a draw in which you may be a winner for simply having used a card issued by the Bank as payment for your purchases or for making use of other services offered by the Bank during the promotion period.

     To do this, we will use your personal identification data and the data from the profile creation described in section 5 above, according to your preferences.

     The lawful basis for this processing is the Bank's legitimate interest in building customer loyalty and increasing customer satisfaction and loyalty.

  2. Management of administrative, preliminary ruling and judicial proceedings

     
     Where appropriate, we will process your personal data for the defence of the Bank's rights and interests in any administrative, preliminary ruling and/or judicial proceedings arising out of or linked to the relationship with you.

     The lawful basis for such processing is the Bank's legitimate interest in guaranteeing and exercising its right to effective judicial protection.

  3. Verification of the quality of the services provided

     
     The Bank processes the personal data of our customers for the purposes of carrying out procedures to review, audit and improve the quality of the services provided. This includes: (i) performing satisfaction surveys and analyses of the results; (ii) recording your voice and/or image and saving telephone conversations and/or video calls, only in cases where we expressly indicate this to you; (iii) performing market research through in-person surveys, the aim being to ascertain customers' perception and appraisal of existing and new products.

     The lawful basis for this processing is the Bank's legitimate interest in following a process of continuous improvement as regards the services provided to customers, prospective customers, users and any other interested persons who may contact the Bank, and guaranteeing, in any case, that said service is delivered to a high level of quality, on the part of the Bank as well as the suppliers that provide you with customer service.

  4. Preparation of reports on customers or with customers' personal data

     
     The Bank processes the personal data of our customers in order to prepare reports of a varied nature:

  • Customer monitoring: defaults, delinquency, refinancing, changes in scoring, etc. Although these reports generally contain aggregate information, they may occasionally include information on identified customers.
  • To produce liquidity and interest reports at the aggregate level, for internal use and, where appropriate, for submission to the supervisor.
  • Credit and operational risk.
  • Analysis of the Bank's risk acceptance activity (financial, non-financial and operational).
  • Conducting audits and reviews of the Bank's internal control.
  • Impact of non-performing loans on the Bank's profit and loss.
  • Follow-ups on commercial strategies and other business analyses, in order to monitor and develop them.
  • To obtain aggregate information in order to prepare statistical studies and business analyses of various kinds, e.g. on the use of the private channels that the Bank makes available to its customers or on the most significant transactions (e.g. the largest fluctuations in incoming or outgoing balances) and complaints that have been lodged at each of the Bank's branches.
  • To prepare internal reports and other reports of an aggregate (for example, business indicators, operational risk) and statistical nature.
  • Sustainability and energy efficiency analysis. In particular, we will process data in order to estimate the calculation of the carbon footprint from the transactions carried out, and to produce reports or statistics on environmental impact and energy efficiency.

  
  The lawful basis for this processing is the Bank's legitimate interest in increasing its knowledge of its customers, in being able to offer them a better service and advice on the products that they have contracted, in obtaining information on the state of the business that contributes to better corporate, strategic and commercial decision-making, and in maintaining adequate internal management of the Bank and of the business group to which it belongs.

  1. Producing statistics and analytical models

     
     At the Bank, we process the personal data of our customers for the purpose of producing statistics and analytical models, and in particular to:

  • Generate and develop predictive commercial analytical models.
  • Generate and develop models for personal data quality control and for the consistency of internal reporting quality.
  • Prepare statistical studies and business analyses that help to improve processes and operations.
  • Monitor and analyse the Bank's customer portfolio.

  
  In order to minimise the processing of personal data, the Bank uses encryption, aggregation, disassociation, anonymisation and/or pseudonymisation techniques, provided that they do not impair the reliability of the results.
  
  The lawful basis for this processing is the Bank's legitimate interest in gaining knowledge of its business and tailoring its product and service offerings to the needs of its customers, and in improving the Bank's commercial offering through the production and development of predictive and estimative analytical models and algorithms, all with the aim of optimising the services provided.

  1. Performance of sales actions

     
     At the Bank, we will process your personal data to inform you of the products available to you at the Bank, as well as to send you – by post, email and telephone – commercial communications, both general and segmented or personalised based on your commercial profiles (as detailed in section 5 above), about the products and/or services marketed by the Bank, including the sending of greetings on specific dates.

     The lawful basis for this electronic processing with respect to the Bank's own products is Article 21.2 of Spanish Law 34/2002 of 11 July on information society services and electronic commerce, which authorises the sending of such communications when there is a prior contractual relationship, provided that the sender has lawfully obtained the recipient's contact details and uses them to send commercial communications referring to products or services of its own company that are similar to those that were initially contracted with the customer.

     The lawful basis for this processing by other means is the Bank's legitimate interest in keeping you informed of its products and services and those it is marketing.

     For the purposes of this privacy policy, "marketed products" are understood to be those of a financial nature, such as investment funds, pension plans, factoring and confirming products, deposit accounts, mortgages and POS terminals, which are distributed by the Bank.

     In addition, should you consent to it, we will process your personal data for undertaking general and segmented marketing activities, or personalised marketing activities based on your commercial profiles (as detailed in section 5 above), such as (i) sending you, by electronic means (email, SMS, among others), sales information regarding products and/or services marketed by the Bank, (ii) offering you products and services from third parties, including Santander Group companies or its affiliate companies, or sold by these companies but not distributed by the Bank, and (iii) informing you about the advantages of third-party products and/or services that you could benefit from by being a customer of the Bank and which do not form part of your contractual offer. You may receive these sales actions via any means, including electronic means (email, fax, SMS, social media, mobile applications, etc.). This consent will be valid even once your relationship with the Bank has terminated, for a period of 12 months, unless revoked by you.

     In order to perform the commercial actions described in the above paragraph, we will use your identifying personal data in addition to your personal data arising from the preparation of profiles described in section 5, according to your preferences.

     The partner and/or affiliate companies whose products may be the subject of the sales actions belong to the following sectors: finance and insurance, consumer goods, training, education and culture, employment, house and home, health and beauty, hotels and travel, software, telecommunications and technology, automotive, consultancy services, property and development, leisure and free time, ticket sales for events or similar, security, textiles and fashion, catering, food, fishing and livestock, agri-food, sport, energy, repairs and maintenance, transport, logistics, administration, consultancy and advisory services, office supplies and equipment, business, industry, healthcare and social services.

     The lawful basis for this processing is the consent provided by means of ticking the box provided for this purpose on the form made available to you.

  2. Communicating personal data to Santander Group companies, affiliate companies thereof or partner companies thereof to perform sales actions

     
     Should you provide your consent for this purpose, we will transmit your data to Santander Group companies, as well as affiliate companies thereof (e.g. insurance companies and financial asset management companies) and partner companies from the sectors outlined in the above point, so that these companies may perform both general and tailored sales actions in relation to their products and services or those of the Bank.

     So that the above-mentioned companies may offer you tailored products and services, in addition to your identifying and contact information, we will send them the data relating to your commercial profiles, described in section five above. These sales actions may be received via by any means, including electronic means (email, fax, SMS, social media, mobile applications). For further information, see the section "With whom do we share your data?".

     The lawful basis for this processing is the consent provided by means of ticking the box established for this purpose on the form made available to you.

  3. Use of cookies and similar technologies on the Bank's website and app

     
     The Bank uses its own and third-party cookies and similar technologies on its website and app for the following purposes:

  • To remember information so that the user can access the service with certain characteristics that may differentiate their experience from that of other users.
  • To monitor online sales processes, through the web and the app, with the aim of improving sales processes so that they are more intuitive for the customer.
  • To carry out tests, with various stakeholder segments, to check the effectiveness of the modifications introduced in the online sales processes.
  • To analyse user browsing, to detect the point at which users abandon the contracting process, to classify them according to their propensity to contract a product or service depending on how far they have progressed in the process and, if necessary, to contact interested parties so that they can continue with the process.
  • To track and analyse user behaviour, including quantifying ad impacts, to measure web and app activity, in order to make improvements based on the analysis of user usage data.
  • To store information on the users' devices and behaviour obtained through the ongoing observation of their browsing habits, in order to create a specific profile for displaying advertising in accordance with this profile.
  • Sharing a unique identifier with third parties in order to, on the basis of your commercial profiles created by the Bank, display personalised advertising for you about our products and services on these third parties' platforms, and so that they can interact with you in accordance with their own cookie policies, if you have consented to their cookies being installed.
  • To monitor our commercial campaigns in order to measure their effectiveness.

  
  For these purposes, the Bank uses both aggregated and individualised data.

  For more information about the cookies used by the Bank and the type of information collected through them, you can consult the Cookies Policy.

  The lawful basis for this processing is the consent given by the user to allow the use of cookies on the Bank's website and/or app, except in the case of technical cookies or cookies strictly necessary to provide a service requested by the user, in which case the legal basis will be the application of pre-contractual measures requested by you or the execution of a contract to which you are a party.

  II. If you are a guarantor:

  When you apply as guarantor for a customer or potential customer of the Bank, we will process your personal data as described in paragraphs 1, 2, 3, 4, 5 (with consent), 7, 8, 9, 10, 11, 12 and 13 of section "I. If you are a customer or have applied to become a customer".

  III. If you are a representative, authorised person or party involved in a contract:

  1. Processing of contact data for the management of the contractual relationship

     
     If you are an authorised person or a party involved in a contract of a customer of the Bank (as guarantor, proxy, usufructuary, guardian, etc.) or act as a representative of an individual or a legal entity, we will process your contact information in order to maintain, manage and execute the contractual relationship entered into with that person.

     The lawful basis for the above processing is, in relation to persons acting as representatives of individuals, the execution of the contract; and, in the case of representatives of legal entities, the Bank's legitimate interest in maintaining, managing and executing the contractual relationship entered into with such entities.

  2. Acceptance of credentials

     
     We will process your personal data for the purpose of verifying your credentials and powers of representation by means of acceptance.
     
     The lawful basis for the above processing is, in relation to those acting as authorised persons, the execution of the contract; and, in the case of representatives of legal entities, the Bank's legitimate interest in maintaining, managing and executing the contractual relationship entered into with such entities.
     
     In addition, we will process your personal data as described in paragraphs 1, 2, 4, 5 (with consent only for authorised persons or parties involved in a contract; representatives are excluded), 7, 8, 9, 10, 11 (representatives of natural persons and processing with consent of representatives or contact persons of legal entities are excluded), 12 (with consent only for authorised persons or parties involved in a contract) and 13 of section "I. If you are a customer or have applied to become a customer".

• Is it compulsory to provide your data?
  

• Provided that you wish to take out a product or service with the Bank, you will be required to provide your data and ensure that it is kept up to date and, at any given time, corresponds to your current circumstances.

• What happens if you do not want to provide your consent?
  

• If you do not authorise the processing of your data in cases where your consent is requested, or you wish to revoke your consent at any time, this will not affect the maintenance of or compliance with your contractual relationship with the Bank. In addition, please note that, even if you do not authorise the processing already referred to, specific grounds on which you are able to receive sales communications from the Bank may exist, either on the basis of the legitimate interest thereof (provided that you have not asserted your right to object) or in cases provided for by the law in force.

• How long do we keep your data?
  

• We will process your personal data for as long as the contractual relationship remains valid and remains necessary for the purpose for which it was collected.
  
  If you cancel all your contracts, we will store your data for the purposes of sending you, by electronic means, sales communications regarding the Bank's products and services that are similar to those that you had taken out, unless you have asserted your right to object to this type of communications.
  
  In addition, if you had consented thereto, we will continue to process the data for the purposes of sending you sales communications about products and/or services sold by the Bank, and about products and/or services from third parties, including Santander Group companies and its affiliate companies.

  
  This all applies for a period of 12 months following the end of the contractual relationship.
  
  However, you may object, as well as revoke your consent to processing for the purposes mentioned at any time, as detailed in "What are your rights when you provide us with your data?".
  
  When your personal data become no longer necessary for the purposes set out in this document, we will store it, duly encrypted, which will mean that the Bank will not carry out any processing other than storing the data to make it available for the competent public administrations, judges and courts, or the public prosecutor's office, for any possible liabilities arising from the contractual relationship maintained or related to the data's processing. We will keep your encrypted data for the time frames set out in applicable provisions or, where applicable, in the contractual relationships with the Bank, and physically erase or fully anonymise your data once these time frames have passed.

• With whom do we share your data?
  

• We share your personal data with:

  1. Santander Group companies and third-party partners and/or affiliates of the Santander Group (for example, insurance companies and financial asset management companies). Depending on the purposes for processing, which we have informed you of in this document, we will only share your data with third parties: i) when doing so is necessary in order to undertake processes to simulate the acquisition of products and/or services from said entities, the actual acquisition of said products and/or services, and/or the maintenance and/or management of the contract in place with the aforementioned entities; ii) when you provide your consent; iii) when the transfer is based on the Bank's legitimate interest and/or that of the third-party company with which we are sharing your data and, lastly; iv) when the transfer is in order to comply with a legal obligation.
     
     You can view the full list of Group companies and Santander Group third-party partners and/or affiliates to which we disclose your data by requesting it from your branch or via the following link: http://bsan.es/sociedades_banco_santander.

     
     

  2. Government agencies and private entities, when there is a legal obligation to disclose it to them (non-exhaustive list):
     
     2.1) CIRBE (Servicio Central de Información de Riesgos de Banco de España – Bank of Spain Risk Information Centre):  The Bank, in accordance with Ley 44/2002 on the reform of the financial system, will disclose your identifying data (whether as a holder or guarantor) and data regarding the risk of the banking transactions you have contracted with us and, if applicable, your status as self-employed.
     
     2.2) Financial ownership files of the Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences): The Bank, in accordance with regulations on the prevention of money laundering and countering the financing of terrorism, must disclose the following to the Spanish State Secretariat for the Economy and Business Affairs: (i) identification details of all holders, beneficial owners, representatives or authorised parties and any other individuals with powers of attorney over current accounts, savings accounts, term deposits and any other type of payment account, as well as safe deposit box rental contracts, irrespective of the company name, as well as any changes made to them; and (ii) the start date, termination date and other mandatory data with respect to the aforementioned contracts.
     
     2.3) The Spanish Tax Agency, in accordance with tax legislation.
     
     2.4) Official bodies and authorities of other countries, both within and outside of the European Union, as part of the fight against terrorist financing, serious forms of organised crime and money laundering, in the case of transfer orders of funds, and to comply with national and international legal and/or tax-related obligations if you have indicated multiple countries of nationality and/or for tax residence other than Spain.
     
     2.5) Accounts auditors, when the Bank must be audited to satisfy a legal obligation.
     
     2.6) Deposit Guarantee Fund. The Bank, for purposes of calculating contributions to the Spanish Deposit Guarantee Fund for Credit Institutions, will disclose, to said Fund, individualised information regarding balances corresponding to the deposits made by customers.
  3. Courts and state law enforcement and security forces, when doing so is required due to a legal obligation or when it is necessary for the preparation, execution or defence of claims, on the basis of the legitimate interest of the Bank to guarantee its right to effective legal protection.
  4. Lawyers and legal representatives, when acting as procedural representatives before a court, on the basis of the legitimate interest of the Bank to guarantee its right to effective legal protection and legal assistance.
  5. Shared credit information systems: the Bank may disclose your identifying data and data regarding non-payment to credit information systems with which the Bank is linked, including Experian, Asnef and RAI. The procedures and guarantees in effect at any given time, as established and recognised by the legislation in force, will be complied with at all times.
  6. Third parties for the prevention of fraud, such as Confirma Sistemas de Información S.L. (Confirma) and mobile phone operators: In the case of any request for the opening or acquisition of a payment product or service and/or a financing or deferred payment operation, the bank will disclose your data to the “Fichero Confirma” (a filing system managed by Confirma) for the prevention of fraud.
     
     The purpose of the file system is the comparison of applications and transactions registered therein by the participating entities in order to detect potential fraud during the arrangement process. This purpose entails assessing the likelihood of fraud in the application. The joint data controllers are the entities that have subscibred to the Fichero Confirma Regulations, and the data processor is Confirma Sistemas de Información, S.L., with registered office at Avda. de la Industria, 18, TRES CANTOS (28760) MADRID. Applicants may consult the list of entities that are currently subscribed to the Fichero Confirma Regulations on the website www.confirmasistemas.es. The legal basis for processing personal data is the legitimate interest of the joint controllers in preventing fraud (Recital 47 GDPR), in order to avoid possible negative economic consequences and possible legal breaches by applicants. Consulting the Fichero Confirma is appropriate in view of the purpose pursued, and proportionate in relation to the benefit obtained by the joint controllers and the impact on the privacy of the applicants. Furthermore, the processing of data is in line with the reasonable expectations of data subjects as it is a common practice and takes place in the framework of an application. In order to avoid prejudice and negative consequences for applicants, technical and organisational measures have been taken to reinforce the confidentiality and security of this information.
     
     Personal data will be stored for a maximum of five years. Data sent to the Fichero Confirma may be viewed by entities that subscribe to the Fichero Confirma Regulations. There are no plans to transfer data to a third country or international organisation.
     
     In accordance with current data protection regulations, data subjects may exercise their rights of access, rectification, deletion, opposition, limitation of processing, not to be subject to individual automated decisions with legal effects, and portability, by contacting the registered office of the data processor, CONFIRMA SISTEMAS DE INFORMACIÓN, S.L., at the address indicated above. Data subjects may also make use of their right to lodge a complaint with the Supervisory Authority.
     
     CONFIRMA SISTEMAS DE INFORMACIÓN, S.L. has appointed a Data Protection Officer who can be contacted via e-mail at dpo@confirmasistemas.es for any privacy requests related to the Fichero Confirma.
     
     Moreover, with regard to any application for an acquisition of a product or service or when you amend your telephone number, your telephone number may be checked with mobile phone operators in order to detect potential identity theft and to prevent fraud.
  7. Sociedad Española de Sistemas de Pago, S.A. (Iberpay): Within the framework of any request to arrange a product through remote channels in which you have authorised the Bank to assess the transaction risk through the aggregation service, we will share your data with the Iberpay platform to confirm that you are the holder of the aggregated account. The data controllers of the "Iberpay platform" are the member Entities of the National Electronic Clearing System (SNCE), and the data processor is Iberpay S.L.
     
     Furthermore, for purposes of detecting and preventing fraud, the Bank may add your data to a shared banking-transaction fraud-prevention file system, which is managed by Iberpay and for which responsibility is shared by the participating organisations, including the Bank, for detectng, investigating, monitoring and potentially reporting suspicious and fraudulent transactions involving your current or savings account. Data relating to the IBAN number and the holder of the account involved in the presumed suspicious or fraudulent transaction are added to this shared file system and, where applicable, may be made known to the financial organisations that are part of this shared file system, for the sole purpose of detecting, preventing and monitoring fraud. You can view the up-to-date list of the organisations that are part of this shared file system at this link, request additional information and enquire about the key aspects of the shared-responsibility agreement between these organisations by emailing privacidad@gruposantander.es.
     
     The only data that we will transmit to the filing system will be that relating to the IBAN and the holder of the account involved in the unauthorised or suspected fraudulent transaction. This data may be viewed by the other participating institutions. The lawful basis for the processing is the Bank's legitimate interest to detect and prevent fraud in banking transactions involving your account, which is also in the interest of account holders potentially affected by fraud committed by a third party.
     
     The data will be stored in the filing system for a maximum period of 30 days in the case of suspicious transactions, and of one year in the case of unauthorised transactions (when the fraud has been confirmed by the victim). The Bank will automatically erase data included in the shared filing system when they are no longer accurate or do not accurately reflect the situation of the victim.
  8. FrauDfense filing system. The Bank may include your data in a shared filing system for the prevention of fraud in banking transactions, which is managed by FrauDfense, S.L., whose joint data controllers are the member entities of this system, including the Bank, to detect, investigate, control and potentially report payment transactions in respect of which there is evidence as to their fraudulent nature and they involve your current or savings account, or as a result of the unauthorised use of your card (hereinafter referred to as fraudulent transactions). Data relating to the IBAN number of the account, the PAN of the card, and data regarding the fraudulent transaction identified (like, for example, data relating to the device from which the transaction took place, data relating to the account where the transaction was detected or data in respect of which inconsistencies were detected that would imply possible identity theft), will be included in the aforesaid shared filing system. The data may be viewed by the financial institutions affiliated to the FrauDfense filing system for the sole purpose of detecting, preventing and controlling fraud.
     
     An updated list of the member entities of the FrauDfense filing system is available at the following link: https://916087356-1.servicio-online.net/sobre-nosotros1/nuestros-partners. Further information, and the key aspects of the joint data controller agreement signed by these institutions, can be obtained by writing to privacidad@gruposantander.es or by contacting DPO@fraudfense.com.
     
     The legal basis for the processing of your data is the legitimate interest of the Bank in detecting and preventing fraud in banking transactions originating in or destined for your current or savings account, which in turn is in the interest of the holders of the accounts who may be affected by fraud committed by a third party.
     
     The data will be stored in the FrauDfense filing system for a maximum period of one year from the date on which the transaction took place and will be blocked until the expiry of the statute of limitations period for any actions that may arise (as a general rule, for a period of 3 years). The Bank will automatically erase the data included in the FrauDfense filing system when they are no longer accurate or do not truthfully reflect the actual situation of the data subject concerned.
     
     Finally, in addition to the channels provided by the Bank for you to exercise your data protection rights, which you can view in the section “What are your rights when you provide us with your data?”, if you wish you may also send us your request through the data processor to the following address DPO@fraudfense.com.
  9. Other credit institutions, state-owned corporate entities, brokers, collective investment undertakings, venture capital firms and guarantee institutions, trusted third-party service providers, payment service providers, third-party aggregators, payment systems and technology service providers, Notaries, Registrars, valuing companies, digital certificate issuers, administrative agencies and universal postal service operators, in cases where it is necessary for the execution of a contract or provision of a service that you request from us. For example, when you order a transfer to another institution within or outside the European Union, we will disclose, as necessary, your data for the execution of the order, or when risk operations that we grant you are guaranteed and/or subsidised by third-party institutions with which the Bank has entered into a cooperation agreement (for example, the European Investment Fund or the ICO [Instituto de Crédito Oficial – Spanish official credit institution]); when you make a request to us for a transaction via a third party (broker) with which the Bank works; when the contract that you entered into with the Bank must be notarised by a Notary Public or recorded in a Mercantile Registry, a Registry of Movable Goods or Property Registry for a trusted third party; or when, with regard to an application to acquire a service, in order to obtain the documentation and information needed to consider said application, we are required to do so via a digital certificate issuer. Moreover, when processing a mortgage transaction, we will disclose your data to the administrator to calculate and prepare the provision of funds.
  10. Banco Santander service provider: The Bank also works in partnership with some third-party service providers that have access to your personal data and who process this data, as the data processor, on behalf of the Bank as part of their services.
      
      The Bank follows strict criteria when selecting its service providers so as to ensure compliance with its data protection obligations, and it signs data processing agreements with them binding them to the following obligations: applying appropriate technical and organisational measures; processing personal data for the purposes agreed and only in accordance with documented instructions from the Bank; and deleting or returning the data to the Bank once the services have been provided.
      
      Specifically, the Bank will arrange to have third parties provide services in sectors including but not limited to the following: logistics services, legal advice, administration, provider approval, services from management companies not linked to the Santander Group for transmitting or executing shares or units in undertakings for collective investment via specialised technological platforms, multidisciplinary professional services companies, technological service provider companies, software service provider companies, physical security companies, instant messaging service providers and call centre service companies

• Will your personal data be transmitted to third-party countries?
  

• The data processors engaged by the bank may include providers outside of the European Economic Area, with your data being transmitted internationally. To that effect, the Bank will only transfer to third countries (i) if there is an adequacy decision that determines the country to have a level of protection comparable to that of the European Union; (ii) failing that, by applying suitable safeguards to conform with the data protection regulation, such as signing standard contractual clauses or the binding corporate rules. The Data Subject may request further information regarding the aforementioned appropriate safeguards by using the contact information in the section "What are your rights when you provide us with your data?"

  Furthermore, when you request a transaction in which the destination bank account is in a country outside of the European Economic Area, your personal data will be transferred to the institution with which said account is held. In such circumstances, the legitimate basis for the aforementioned transfer is that it is necessary for the execution of the contract between you and the Bank.

• What are your rights when you provide us with your data?
  

• You may exercise your rights of access, portability, rectification, erasure, restriction and objection. You will also have the right not to be subject to automated decision-making and, as such, you will be able to request human intervention in decision-making concerning you by the Bank and express your point of view; you may also contest decisions.

  With regard to processing on the basis of a legitimate interest, you may request information relating to the Bank's assessment, as well as object to any such processing; for the purposes thereof, you must contact the Data Protection Officer/Privacy Office and explain the reason for your objection. It will not be necessary for you to provide any such reason should your objection be in relation to the processing of your data for sales purposes; notification of your wish not to receive sales communications will suffice.
  
  In addition, you may revoke, at any time, the consent that you have given, with no legal effect on any processing carried out prior on the basis of said consent.
  
  To exercise these rights, or for any matter related to the processing of your personal data, please send an email to privacidad@gruposantander.es or send a letter to: C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid, Spain (FAO Data Protection Officer/Privacy Office). Where there are reasonable doubts with regard to your identity (for example, where communications are sent from an email address that differs to the one that you provided to the Bank), you will be requested to provide additional information to help us verify your identity. Should you exercise your rights through a representative, you must also provide valid supporting documentation for this representation.
  
  The additional information that you provide to identify yourself will be processed for the purposes of verifying your identity and managing the handling of the right asserted.
  
  Should you exercise your right to access your personal data, please note that you will only receive a copy of the data that is being processed by this entity.
  
  In addition, you may contact the Bank's Data Protection Officer/Privacy Office at the following email address: privacidad@gruposantander.es.
  
  Finally, you can lodge a complaint with the Spanish Data Protection Agency (AEPD). The necessary information is available on its website: www.aepd.es.

The Bank may update this document in the future. The date of its entry into force is provided at the bottom of the document. Check this information periodically to ensure that you are aware of the latest version.

Version: February 19, 2025