Data Protection Regulation

The General Data Protection Regulation (GDPR) is a new European regulation that adapts the management of personal data to new digital environments, such as the internet and mobile apps. Its objective is to guarantee that natural persons own their data and have control over what entities do with them.

The European Union approved the Regulation in 2016. Member States must apply it from 25 May 2018.

Right of the data owners to ask the Bank to give their data to another entity, or to them, if requested, in a structured, commonly used and machine-readable format. Such request can only be made in relation data whose processing is based on consent or a contract, and provided that the processing is carried out by automated means.

Data processing is considered any use of the data that implies the collection, recording, conservation, preparation, modification, consultation, use, blocking, modification or cancellation, as well as the data transfers resulting from communications, consultations, interconnections and transfers.

All companies that have personal data must comply with the Regulations.

If you are a Banco Santander customer, you can make changes to your consents both from the Private Area, as well as from the mobile APP, the Call Centre or at the Branch.

We will need the customer's consent to carry out certain kinds of processing:

Consenting to all processing allows the bank to offer a service that is most adapted to their needs, but they do not have to agree to all consents. Even so, if the customer opts for the latter, the Bank must process their personal data for the maintenance of the product or service that they have taken out and/or legal compliance.

Consenting to all processing allows the bank to offer a service that is most adapted to their needs, but they do not have to agree to all consents. Even so, if the customer opts for the latter, the Bank must process their personal data for the maintenance of the product or service that they have taken out and/or legal compliance.

We will continue to send them marketing, but it will not be personalised, so they will not be adapted to their needs.

In practice, yes. Customers who do not fill in the consents will be understood as having rejected them all, so they will not receive any marketing that can only be personalised by consent.

All customers will receive a communication before 25 May (through the Supernet mailbox, email or letter) in which they will be informed of the processing carried out with their data.

Through Supernet: in the personal area, the customer accesses data portability and chooses what data they want to include. The recipient (themselves or a third party) receives an email with the information and an SMS with a unique password required to request the download of the data. Branches can: either direct the customer to Supernet to carry out this operation or send an email/letter to SRAC in the first instance.

Customers who are registered in Robinson will be marked as opposed to certain kinds of processing.
In any case, a data owner may oppose to the processing of certain data or revoke the consent given..

The customer must send a request to the Privacy Office via post or letter.

The customer has: Right of Access, Right of Rectification, Right of Opposition, Right of Portability, Right of Limitation of Processing, Right of Suppression and Right to not be the subject of a decision based solely on the automated processing of your data. You can also revoke the consent that you have given.

Right that the data owners have in order to obtain information about whether their data is being processed, the purpose of the processing, the origin of the data and the communications/assignments made or planned.

Right that the data owners have to request that any inaccurate or incomplete data be modified.

Right of the data owner to request that a certain personal data processing is not carried out. Data owners may only oppose data processing that is carried out for legitimate interest.

The data owners' right to request that the processing operations that correspond in each case are not applied to their personal data. This right can only be exercised in certain restrictive cases.

Right that allows people to contact the Bank to delete their personal data when they are no longer necessary, when consent is withdrawn, they have been processed illegally, etc. In this case, the entities of the Santander Group must be able to block the data and, subsequently, delete any copy, link and replica of the data. This is all provided that it is not hindering by a legal obligation, or is necessary for the exercise or defence of claims.

Right that allows data owners to request that personal data processing that implies that the Group entities make decisions that significantly affect them automatically and without human intervention is not carried out.