Information on data protection 

Who is the data controller?

Banco Santander, S.A (hereinafter "the Bank" or "Banco Santander").

Postal address: C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid, Spain.

Data Protection Officer/Privacy Office contact: privacidad@gruposantander.es

What types of persons are covered by this document?

This document applies to all persons who show an interest in or apply to the Bank for a product or service (pre-customer), as well as to those who have a legal relationship with the Bank, regardless of the type of involvement, whether they are contract holders (customers), guarantors, authorised persons or representatives, among others.

The legal basis on which the processing activities for the main types of data subjects are carried out is as follows: 

Which types of personal data do we collect and process?

1. If you are a customer or have applied to become a customer (pre-customer):

   • Identification and contact information: ID document (Tax ID no., National ID Card no., Foreigner's ID card no., Non-Spanish ID document/Company Tax ID code), full name, customer number, address, residence, telephone numbers and email address.

   • If you have used a handwritten signature in your interaction with the bank to request services and/or formalise transactions, we inform you that we will store your biometric data obtained through the digitalisation of your handwritten signature (such as the stroke, intensity, speed, pressure and acceleration of the graph) and it will be processed exclusively as proof in the event of any repudiation in order to verify by comparison that the signature is yours and therefore perform customer authentication, so as to certify the authenticity of the documents or transactions formalised with the Bank. Should you request the video authentication of your identify during online processes, the pattern of your image, extracted from your photograph, will be processed during the identification process, as well as the image of your ID card.

   • Information regarding your personal characteristics: sex, age, date of birth, marital status, dependents, place of birth and nationality.

   • Data relating to your personal characteristics: gender, age, date of birth, marital status, dependents, place of birth, nationality.
   • Information relating to your social circumstances: hobbies, property and details of the dwelling, estate or premises (such as size, location and energy characteristics) 
   • Academic and professional or employment data: education, qualifications, employment status, activity, profession, professional category, professional association membership.
   • Economic, financial and solvency data: Current accounts and balance, credit scoring, invoicing (self-employed workers), source of income, salary-related financial data.
   • Data relating to transactions of goods and services: catalogue of the banking products contracted by the customer, such as credit or debit cards, funds, mortgages, shareholder status, etc., information from other banks or third-party companies (payment aggregation or initiation services, or payment consolidation services), means of payment and their use. 
   •  Data relating to commercial information: use of channels, contact preferences.
   • Transaction data: income, expenses, balances, payments, transfers, direct debits, receipts, entries and activity in relation to products contracted, including the origin, destination, description and any third parties participating in the transaction, location and the date and time.
   • Information about your location, if you have consented to activate the geolocation service on your device.
   • Data about your online behaviour and preferences: for example, your computer's IP address or your device ID, as well as the pages you visit, browsing habits, device model or online identifiers, under the terms described in our Cookie Policy, available on our website  https://www.bancosantander.es/en/politica-de-cookies.
   • Data you share with us regarding your interests: for example, when you call our advisors, simulate our products and/or services, or when you sign up for our newsletter.
   • Information relating to the devices from which you access your Bank Customer Area: device model and operating system.
   • Audiovisual data: for example, when we record your voice in the context of a telephone conversation with our managers.
   • Sensitive data: if you have provided sensitive data to us within the framework of your relationship with the Bank, we will process your health data related to your disability and other information relating to your vulnerable situation for the purposes established in the regulations on such matters.
   • Data from external sources, as detailed in the section "How do we obtain your data?" 
2. If you are a guarantor:
   • Identifying details: ID document (Tax ID no., National ID Card no., Foreigner's ID card no., Non-Spanish ID document/Company Tax ID code), full name, customer number, address, residence, telephone numbers and email address.
   • If you have used a handwritten signature in your interaction with the Bank to request services and/or formalise transactions, we inform you that we will store your biometric data obtained through the digitalisation of your handwritten signature (such as the stroke, intensity, speed, pressure and acceleration of the graph), and it will be processed exclusively as proof in the event of any repudiation in order to verify by comparison that the signature is yours and therefore perform customer authentication, so as to certify the authenticity of the documents or transactions formalised with the Bank.
   • Personal characteristics: date of birth, place of birth and nationality
   • Social circumstances: properties and details of the dwelling, plot or premises
   • Employment details: employment status, activity, profession and professional category
   • Commercial information: use of channels
   • Data on finances and insurance: Financial-credit scoring, invoicing (self-employed workers), source of income and salary-related financial data.
   • Data from external sources, as detailed in the section "How do we obtain your data?" 
3. In the case of authorised parties or representatives:
   • Identifying characteristic: ID document (Tax ID no., National ID Card no., Foreigner's ID card no., Non-Spanish ID document/Company Tax ID code), full name, customer number, address, residence, telephone numbers and email address.
   • If you have used a handwritten signature in your interaction with the Bank to request services and/or formalise transactions, we inform you that we will store your biometric data obtained through the digitalisation of your handwritten signature (such as the stroke, intensity, speed, pressure and acceleration of the graph) and it will be processed exclusively as proof in the event of any repudiation in order to verify by comparison that the signature is yours and therefore perform customer authentication, so as to certify the authenticity of the documents or transactions formalised with the Bank.
   • Personal characteristics: date of birth, place of birth, nationality
   • Academic and professional data: employment, activity, profession and employee category
   • Commercial information: use of channels
   • Data from external sources, as detailed in the section "How do we obtain your data?" 

Regardless of the nature of your relationship with the Bank, it will not collect or process special categories of data about you (for example, data relating to your health, ethnic origin, religious beliefs or political opinions), unless strictly necessary to manage the contracted or requested service, for example, because you have set up direct debit payments for union dues in an account with our Bank or have specific contractual conditions arising from your vulnerable situation.

Finally, the Bank will not collect or process data from minors, unless they have contracts with the entity, either directly or through their parents or guardians. The processing of data of these minors will be limited exclusively to the maintenance and monitoring of the contracted product or service. 

How do we obtain your data?

The Bank obtains its data from the following sources: 

1. Directly from you, through the information you provide when you apply for, contract, maintain and use our products and/or services or third-party products marketed by us, whether directly or indirectly, and through any of the channels that the Bank makes available to you (branch, phone channel, online services, etc.). Some examples are: through enquiries, transactions, operations, simulations or requests for the aforementioned products or services. Additionally, with your prior consent, we may obtain personal data from you when you browse our websites and mobile applications, through the use of cookies or any other type of online identifier or through the digital fingerprint of your device or terminal.
2. In some cases, such as when contracting a product or service with multiple parties involved or when the owner is a legal entity and you are an attorney-in-fact, representative or employee of that entity, your data could be provided by one of them. In these cases, the third parties must know that prior to communicating your data they are obliged to inform you of the transfer and, where appropriate, to have obtained your authorisation.
3. Exceptionally and for the purpose of fulfilling due diligence obligations regarding anti-money laundering and counter-terrorism financing, we may use information already held by the Bank (for example, salary payment orders made to the Bank by your employer) to verify the information you have provided in the customer identification form, as well as information from other Santander Group entities of which you are a customer. 
4. Internal sources of information, such as data inferred about you based on personal data available as a result of your customer position, relating to financial or credit risk indicators.
5. External sources of information:   
   • Central de Información de Riesgos del Banco de España (Bank of Spain Risk Information Centre, or CIRBE), from which we obtain solvency information about you.
   • Credit information systems to which the Bank is affiliated, such as Asnef-Equifax Servicios de Información sobre Solvencia y Crédito S.L. (Asnef), Experian Bureau de Crédito, S.A. (Experian) and the Register of Unpaid Acceptances (RAI), which provide information on solvency, NPL and, in general, financial or credit risk indicators. 
   • Fraud prevention information systems, such as Sociedad Española de Sistemas de Pago, S.A. (Iberpay), Confirma Sistemas de Información S.L. (Confirma), FrauDfense and telecommunications operators. 
   • Specialised information files or public sources available on the internet relating to the prevention of money laundering and the financing of terrorism, from which the Bank obtains information about its customers who are account holders or involved in the accounts, legal representatives and beneficial owners of the same. 
   • Publicly accessible sources such as newspapers and official bulletins, public records, resolutions of Public Administrations, telephone directories and lists of people belonging to professional associations. 
   • The General Treasury of Social Security (TGSS), to verify the source of income. 
   • The State Tax Administration Agency, in the event that you have provided us with your Secure Verification Code and authorised the Bank to use it in the virtual office of the Tax Agency's website (AEAT), as required to download your tax information, so that the Bank can verify its veracity for the purpose of analysing the application for the transaction in question. 
   • Investment services companies when they deposit cash from their customers in the Bank, for the purpose of determining the basis for calculation of contributions to the Deposit Guarantee Fund of credit institutions. 
   • Third-party companies to which you have given your consent to communicate your personal data to the Bank (for example, insurance companies or entities with which the Bank has collaboration agreements under which they obtain your consent to communicate your personal data to Banco Santander, including social media; Spanish Universities to which you, through their corresponding mobile applications, have given your consent to communicate your personal data to the Bank for commercial purposes; or entities to which you have given your consent for the use of cookies or similar technologies that involve communicating your information collected by means of these technologies to the Bank). 
   • Third-party companies that provide you with services when necessary for the execution of a contract with the Bank or the application of pre-contractual measures requested by you, such as the payment aggregation or initiation service (aggregation service), the payment grouping service, the mortgage prescription service or some other financial or insurance product, a request for information or aggregation of information on accounts or payment services within the framework of a credit application or the verification of the eligibility requirements for the discount or preferential terms applicable to a contracted or requested product or service. 
   • Bank collaborators with whom you have contracted the services prescribed digitally from the Bank, who provide your identifying data (name, surname and tax ID code, and your internet protocol (IP) address) to the extent necessary for compliance with the Bank's tax obligations.
   • Bank collaborators with whom you have contracted the non-financial services prescribed by the Bank, who provide your identification data (National ID document no.) for the purpose of managing and verifying the billing and remuneration obtained by the Bank derived from the agreements signed with said collaborators. 
   • Additionally, if you have given your consent, we may obtain personal data relating to your browsing through websites of companies in the Santander Group or companies providing commercial information, collected through the use of cookies or any other type of online identifier or through the digital fingerprint of your device or terminal. 
   • Your represented party, in the event that you are acting as a representative or authorised person of a company, entity or other natural person. 
   • Appraisal companies, in the event that you provide us with your own appraisal in the context of a mortgage loan application so that we can verify its authenticity automatically through the appraisal company that issued the report. 
   • Administrative agents' offices: should you apply for a loan/mortgage from us, we will obtain information from them about the total costs associated with this transaction, including related transactions, so that you can make an informed decision; this entire process will be undertaken in compliance with the recommendations provided by the Bank of Spain. 
   • If you have given your consent, we may obtain data relating to the insurance policies requested or contracted by you through the Bank as a distribution network of Santander Mediación Operador de Banca-seguros vinculados, S.A. In particular: 
   • Data relating to transactions of goods and services: 
     • Taking out and simulating insurance policies (quotes): information relating to all insurance products taken out (for example, product name, line of business, type and category; premium data, payment method and surcharges; specific terms and conditions, such as capital, coverage, exclusions or waiting periods; loans associated with the insurance; channel used to take out the insurance products).
     • Contractual relationship management: information related to the management, status, performance, and ongoing maintenance of the contracted products, including claims management (for example: receipts issued and their status; contributions and redemptions made; modifications to coverage, number of insured parties, method of payment or other conditions or details of the policy; requests for cancellation and result of retention actions; details about the asset – vehicle, property – or activity insured; opening, cost and status of the claim and its payment, coverage or rejection and the reason; dates associated with all the milestones in the management and development of the policy). 
   • Information regarding the interaction between you and the companies:
     • Verification of service quality: information relating to the quality surveys that the companies submit to you to verify the quality of their different services (channel, content, date and result/response of the surveys).
     • Complaints and claims: information on the reason, date and resolution of the complaints and claims handled.
     • Campaigns and contacts: information related to sales, prevention/loyalty and retention campaigns carried out by the companies (target audience, content/offer, channel, contact and result and related dates), as well as contacts initiated by you (channel, reason, result and contact dates). 

What do we use your personal data for and on what legal basis?

The following details the different purposes of processing by Banco Santander, differentiating between (i) potential and current customers, (ii) guarantors and (iii) authorised signatories or representatives:

1. If you are a customer or have applied to become one:
   1. Managing the pre-contractual and, where applicable, contractual relationship relating to any Bank products and/or services which you take out. 

      When you are interested in any of the products or services offered by the Bank and request information about them and/or the initiation of a contracting process, we will process your personal data in order to assist you and answer your questions or queries, handle your request, carry out the necessary preliminary procedures to proceed with the contracting process (for example, providing you with information and advice regarding the product or service in which you have shown interest or assessing the feasibility of your contracting request) or contact you so that you can continue with the contracting process in the event that you have not been able to complete it.

      Additionally, if you, as a customer of the Bank, carry out simulation processes or request the contracting of any of the products and/or services of third-party companies in which the Santander Group is invested and/or collaborating companies (for example, insurance companies, financial asset managers or venture capital entities) that are marketed by the Bank, we will communicate your data to said entities. We will also communicate your data to said entities if you are a common customer of the Bank and of said entities and the purpose of communicating data is the maintenance and development of the contract that you maintain with the aforementioned entities. In these cases, communication will only affect the limited amount of data that the Bank holds on you that is strictly necessary for the execution of the contract and/or its performance/development, and for said companies to comply with their legal obligations: Tax ID code, gender, age, address and direct debits; and, in some cases, also their risk profile, email, telephone no. and the information necessary to comply with the legal obligations described in section 2 below. The aim is to simplify and expedite the contracting of the products that the Bank markets or distributes from other companies in the Group or third-party companies in which the Group is invested, considering the customer's status as a customer of the Bank; compliance by such companies with the legal obligations to which they are subject; and the companies of which this person is already a customer have their contact details to send them information relevant to their contractual relationship.

      Likewise, in those cases where a customer requests financing through the funds of the Official Credit Institute, the European Investment Bank, the European Investment Fund or Public Administrations, we will process their personal data in order to manage said request and assess whether such financing is processed through funds of the Bank or of the aforementioned entities. Once the financing has been formalised, if applicable, your personal data will be communicated to the Official Credit Institute, the European Investment Bank, the European Investment Fund or the relevant Public Administration, as appropriate, in order to know what part of the loan is being disbursed by the Bank.

      The legal basis for processing is your request for the adoption of pre-contractual measures, aimed at contracting any of the products and/or services offered by the Bank or its Group companies. 

      Additionally, when you proceed to contract any of the Bank's products and/or services (assets, liabilities, financial products, investment products, pension plans, leasing and renting services, etc.), we will process your personal data for the following purposes: 

      • Signing, continuing, making changes to and executing the contract. This also includes processing your personal data for the purposes of arranging the portfolios of the Bank's various customers and assigning a specific manager to each portfolio, and processing the transactional data for the products and/or services that you take out with the Bank, when necessary, in order to check that you fulfil the conditions for signing and subsequently executing the contract.
      • To carry out informational communications strictly related to the products or services contracted by you and their operation, including the verification of unusual transactions.
      • In your case, to carry out the necessary actions to achieve the recovery and payment of any debts you may have with the Bank, including updating the data that has already been provided by the debtor.
      • Register new customers and grant them access to the Bank's digital channels.
      • To provide you with the services you request or that are incorporated into the Bank's digital channels, including the payment aggregation or initiation service (consolidation service), payment grouping services and the performance of transactions and the management of (i) any type of query, claim or incident that may arise from the contractual relationship established and (ii) the services offered by ATMs (for example, withdrawals and deposits into account, payment of taxes and receipts, checking account activity, transfers, mobile top-ups or password recovery). 

      The legal basis for processing is execution of the contract signed between you and the Bank. 

      In addition, the Bank may share information relating to updates to your personal data with Santander Group companies and third-party entities with which the Group collaborates and/or in which it is invested, whose products it markets and/or displays in your Customer Area on the Bank's website or app, or regarding which you can request information from your relationship manager. In other words, if you update your personal information through the Bank, the Bank can provide the updated information to others. You can access the complete list of Group companies and third-party entities collaborating with and/or invested in by the Santander Group, to which we will communicate your data, by requesting it at your branch or at http://bsan.es/sociedades_banco_santander.

      The legal basis for this processing is the legitimate interest in ensuring that all information is kept up to date across all Santander Group entities, as well as those partners and/or investees whose products are marketed by the Group, without requiring Data Subjects to request such updates from each entity individually.

      The Bank may also use your contact details as a shareholder to keep your information up-to-date.

      The legal basis for this processing is the legitimate interest of the Bank in fulfilling its legal obligations and in enabling the shareholder to exercise their rights as such.

      Furthermore, in relation to debt recovery activities, the Bank may obtain additional data than that provided by the debtor at the time of contracting, either directly or through companies with which it contracts this service. This is to facilitate the debtor's location or improve understanding of their ability to pay the debt. It also includes carrying out actions to ascertain debtors' solvency, through access to information regarding their assets and properties. All of this is done with the aim of achieving debt recovery and payment.

      The legal basis for processing is the Bank's legitimate interest in ensuring compliance with the payment obligations previously contracted by its customers with the Bank. 

   2. Compliance with the Bank's legal obligations

      We will process your personal data to comply with the legal obligations applicable to the Bank, such as:

      • Obligations regarding the prevention of money laundering and counter-terrorism financing. 

        To fulfil these obligations, the Bank will process the data necessary to comply with the due diligence obligations established in the applicable regulations, including the communication of strictly necessary data to correspondent banks with which the Bank has agreements and which request it, in order to execute certain specific operations that you have instructed. If you request to register as a customer through the video authentication system (remote registration), the Bank will process your data in order to verify your identity and authenticate you. Similarly, for these purposes, the Bank will share your personal data with other Santander Group companies and third-party entities in which the Group is invested and/or with which it collaborates. These entities have delegated to the Bank the fulfilment of their obligations regarding anti-money laundering and counter-terrorism financing, under the terms provided for in the legislation.

        Additionally, the Bank will process your personal data for the purpose of carrying out continuous monitoring of the business relationship, including review processes to ensure that the data obtained as a result of the application of due diligence measures is kept up-to-date and current. To this end, the Bank will communicate your personal data to other companies in the Santander Group of which you are a customer and will collect your personal data from these companies to process it for the aforementioned purpose.

        Likewise, the Bank may process the data that is necessary for the examination of the transactions carried out that may indicate money laundering or counter-terrorism financing and will carry out the corresponding communications, where appropriate, to the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (SEPBLAC) in connection with (i) the regular submission of transactions that comply with certain parameters set by SEPBLAC or (ii) a request for specific information relating to a particular transaction.

        Finally, in cases where you have authorised it and for the sole purpose of complying with current anti-money laundering legislation, the Bank will consult the General Treasury of Social Security (TGSS) on your behalf for information about your economic activity and will verify this information.

        The legal basis for this processing is the consent given by ticking the box provided for this purpose on the form made available to you.

        In view of the obligations imposed by the aforementioned legislation on the prevention of money laundering, if you do not consent to the consultation or revoke your consent at any time and do not provide the Bank with the necessary documents as evidence of your economic activity by other means, the Bank may proceed to block your account(s) for credit transactions and to their subsequent cancellation. Likewise, in compliance with the same law, the Bank may request documents evidencing the source and destination of the funds before transactions can be carried out. In this case, the Bank may refuse to allow the transaction in question if you fail to provide the required documents. 

      • Tax obligations imposed by the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS) in relation to the obligation of automatic exchange of information, which obliges the Bank to identify, classify and report certain financial accounts of customers who have legal obligations in the US in the case of FATCA and in the case of CRS to different financial authorities located in the participating jurisdictions of said standard. Likewise, for these purposes, the Bank will share your personal data with other Santander Group companies and third-party entities in which the Group is invested and/or with which it collaborates. These entities market products or services on behalf of the Group and have expressly delegated compliance with these tax obligations to the Bank, in accordance with the relevant regulations.
      • Obligations regarding responsible lending and protection of mortgage debtors, debt restructuring and social housing. For these purposes, the Bank may process your data to verify and assess your solvency and credit risk, establish measures in case you are in a vulnerable situation, assess the default risk of the transactions you maintain – as in the case of new transactions that you request from us – and developing risk models, even taking into account economic and personal information available in companies that provide information on solvency, NPL and, in general, financial or credit risk indicators to which the Bank has access or obtained through the aggregation service when you have consented to it. 

        In some cases, and for the purpose of fulfilling the aforementioned credit risk verification and assessment obligations, when you are a partner or shareholder of a company that is a customer of the Bank or that requests to become one, we will process your identifying details and professional location data to check your possible corporate affiliation with third-party entities. The legal basis for this processing is the Bank's legitimate interest in complying with the regulatory obligations of granting and monitoring loans, through an analysis of the risk and solvency of companies between which there are interrelationships.

      • Legal obligations established in the Securities Markets and Investment Services regulations and other applicable investment regulations, which aim to assess your knowledge and experience in financial markets, financial position and investment objectives and which include the recording of any telephone conversation that ends or may end with the closing of an investment services transaction. Likewise, for these purposes, the Bank will communicate your personal data, in particular the outcome of your financial market knowledge and experience assessment, to other companies in the Santander Group and third-party entities in which the Group is invested and/or with which it collaborates, whose products or services it markets or distributes and that have expressly delegated to the Bank the fulfilment of these investment obligations and that should have this information, under the terms provided for in that regulation.

      Sometimes, to fulfil the obligations mentioned in the two previous points, the Bank uses an automated risk assessment system, which uses a scoring logic that takes its information into account. This system involves applying pre-designed algorithms to each data subject to automatically assign a score according to three different risk levels, defined in the Bank's customer risk classification policy. This classification allows us to comply with regulatory requirements regarding risk monitoring, solvency control, calculation of regulatory capital, accounting regulations (provisions) and responsible lending regulations.

      For example, the Bank may use fully automated means to verify and assess your creditworthiness and credit risk, both to assess the risk of default on existing transactions and in the case of new financing transactions you request. 

      Likewise, and also by way of example, the Bank may make decisions based solely on the automated processing of your data when you complete questionnaires whose purpose is to assess your knowledge, experience, financial position and investment objectives.

      The Bank makes sure this system is checked and updated on a regular basis to prevent any possible discrepancies, errors or inaccuracies in the assessment. Notwithstanding the foregoing, if you do not agree with the outcome of the assessment, you may challenge the decision by providing the information you deem relevant, as well as requesting the personal intervention of one of our risk analysts. 

      • Commercial, corporate, tax and other obligations imposed by supervisory bodies and competent authorities (for example, European Central Bank, Bank of Spain, National Commission for Markets and Competition, National Securities Market Commission, State Tax Administration Agency or Spanish Data Protection Agency).

      The legal basis for these processing activities is compliance with the legal obligations that apply to the Bank.

      The legal basis for processing your biometric data when registering as a customer through the video authentication system is the explicit consent you have given. 
   3. Consultation of credit information systems and communication of defaults to them

      When you apply for a mortgage loan, the Bank may check your information in CIRBE and the credit information systems to which it is affiliated (for example, Experian, Asnef and RAI), in order to assess your solvency and credit risk and assess the viability of your application for a mortgage loan.

      We will also consult the content of the aforementioned credit information systems if the contracts referred to above are entered into and until their termination.

      When you maintain credit risks with the Bank, whether directly (holder) or indirectly (guarantor of a risk product), we will communicate your data, including data relating to the characteristics of the risks, to the CIRBE.

      The legal basis for the consultation and communication to CIRBE and the consultation of credit information systems is compliance with the legal obligations established by the regulations governing the financial system and real estate credit to ensure adherence to the principles of responsible credit and minimisation of credit risk.

      Likewise, we will consult the aforementioned credit information systems when you maintain with us, or request from us, the execution of a contract that involves financing, deferred payments or on-going billing (for example, loans or credit facilities), or a contract that serves as support for overdraft credit (for example, an account), for the same purpose.

      Additionally, in the event of non-payment on your part, such defaults may be reported to the credit information systems to which the Bank adheres, such as Experian, Asnef and RAI, complying with the procedures and guarantees established and recognised by current legislation.

      The legal basis for these processing activities is the legitimate interest of the Bank in ensuring adequate control and prevention of non-payment situations, thereby contributing to safeguarding the financial system and the economy in general. This allows third-party entities to access solvency information when analysing applicants for risky operations, as expressly established in the personal data protection regulations. 

   4. Fraud prevention and investigation 

      We will process and/or communicate your data to third parties, whether or not they are companies of the Santander Group (for example, Confirma, Iberpay and telecommunications operators), to detect and analyse possible fraudulent activities, identify the participants and, where appropriate, carry out the actions that are considered necessary against these actions.

      To achieve this purpose, in cases where you are a common customer of the Bank and other companies of the Santander Group and/or third-party entities in which the Group is invested and/or with which it collaborates, the Bank will communicate your personal data to such companies and entities, in order to guarantee compliance with the Group's management policies relating to the prevention and investigation of fraud. 

      Also, with the aim of preventing this type of practice, we will process your data in order to send you communications related to fraud operations, anticipating possible situations that could cause you harm as a result, for example, of the fraudulent actions of third parties. 

      The legal basis for these processing activities is the legitimate interest of the Bank or the affiliated entities, in cases where we include or consult your data in common fraud prevention files, in preventing, investigating and/or discovering fraud. You can find more information about the entities to which we will disclose your data for this purpose, the terms on which your data will be processed and how to exercise your rights in the section "Who do we disclose your data to?".
   5. Creating commercial profiles

      We will process your data to create your commercial profiles, which will allow us to:

      • Analyse the preferences, behaviours and needs of the Bank's customers in relation to the products and services offered by the Bank, as well as their likelihood of contracting or cancelling products and services.
      • Present you with a personalised offer of financial products and services, as well as insurance products marketed by the Bank and related to the products you have already contracted, taking into account your habits as a customer.
      • To provide you with observations and recommendations on the products and services you have already contracted and others that we believe may be of interest to you.
      • Ensure the early detection of potentially vulnerable customers, in order to assist them by adopting protection and support measures tailored to their personal circumstances.
      • Analyse your transactions and spending habits to provide you with personalised information, advice or warnings aimed at optimising them (such as calculating your carbon footprint, analysing how you are spending your money, calculating your savings capacity, etc.), as well as identifying products and services that could help you do so.
      • Select cultural, music and sporting events sponsored by the Bank or with Bank partner companies, or Santander Group companies that may be of interest to you.
      • If you have subscribed to the Bank's newsletter, analysing your preferences and behaviours in order to provide you with personalised content which we think may be of interest to you. 

      For these purposes, we will only use internal sources of information, i.e. we will only process the information that you provide to us and that is derived from your contractual and commercial relationship with the Bank. This includes transaction data relating to the products and/or services that you have contracted with the Bank; information that you share with us regarding your interests, either through telephone calls with our advisers or through your online behaviour (as detailed in section 13 and, in any case, subject to your consent); simulations; savings rules that you have set up; requests for information; and the contracting of our products and services. This also includes data relating to your savings capacity and level of indebtedness, in order to analyse your patterns and behaviour; data relating to the devices that you use to access the Bank's Customer Area; and geolocation data, where you consent to its collection. Specifically, we will consult the information we have from the management of the services we provide to you or the products you have contracted or continue to contract in the last year, including that resulting from the risk models described in section 2, as well as whether you are a shareholder of the Bank.

      The legal basis for processing, aimed at identifying your needs regarding products, services, recommendations, advice and information that best suit your personal characteristics and habits, is the Bank's legitimate interest in understanding your business needs better, as required to improve its commercial actions and the quality of the service we provide, as well as improving the conditions of products or services that you have taken out or may take out in the future, adjusting them to your needs.

      If you consent, we will enrich your commercial profile prepared by the Bank, sometimes with additional information from external sources (including third parties to whom you have consented to communicate your data, the payment initiation or aggregation service, payment aggregation services and the other sources mentioned in the section "How do we obtain your data?"), so that we can present you with a more personalised offer of our products and services based on that profile.

      This processing of information held by the Bank, derived from your contractual relationship with it and, where applicable, additional information collected from external sources, enables us to carry out more detailed analyses of your preferences, behaviour and needs than those described on the basis of the Bank's legitimate interests. This information will be used to determine which products and services are best suited to you more accurately.

      The additional information that we will process and, where appropriate, collect from external sources will relate to personal characteristics, social circumstances, academic and professional data, employment details, commercial information, location data, economic, financial, and insurance policy data and transactions of goods and services. This includes transactional data from the aggregation service. 

      The legal basis for this processing is the consent given by ticking the box provided for this purpose on the form made available to you.

      In addition, if you give your consent during an insurance simulation or when taking out an insurance product offered by the Bank, you allow the Bank to create a tailored insurance commercial profile designed to identify which insurance products and services best suit your personal characteristics and habits. To create this profile, the Bank will use personal data from your relationship with the insurance companies listed below, together with any commercial profile the Bank holds about you based on your stated preferences. This information will be used for the creation of commercial profiles, as described in this privacy policy.

      The additional information we will process is related to data concerning transactions of goods and services, such as information relating to insurance policy products taken out, and the management, status, changes and maintenance of contracted products, including claim management. It also relates to data concerning your interactions with insurance companies, such as information relating to quality of service verification, complaints and claims, campaigns and contacts.

      The insurance companies whose information will be processed by the Bank and which distribute their insurance policies through the Bank, acting as the Distribution Network of Santander Mediación Operador de Banca-seguros vinculados, S.A. are: Santander Seguros y Reaseguros, Compañía Aseguradora, S.A.; Santander Generales Seguros y Reaseguros, S.A.; Santander Vida Seguros y Reaseguros, S.A.; and Santander MAPFRE Seguros y Reaseguros, S.A.

      The legal basis for processing is the consent given by checking the box provided during the process of simulating or contracting an insurance policy marketed by the Bank.

   6. Inclusion in loyalty programmes, promotions and contests/draws

      We will process your data to make phone calls related to loyalty programmes, send you invitations to events and include you in loyalty programmes, promotions, offers and contests/draws organised by the Bank for its customers, based on products that you have contracted. For example, the Bank may include you in a prize draw in which you can win simply by using a card issued by the Bank as a means of payment for your purchases or by using other services offered by the Bank, during the period that the promotion lasts.

      We will carry out these processing activities both in a general and segmented manner, based on the objective data available to the Bank derived from your relationship with us, including third-party products contracted through the Bank (e.g. insurance policies) or where appropriate, personalised based on your commercial profiles (as detailed in section 5 above), according to your preferences.
      
      The legal basis of processing is the Bank's legitimate interest in ensuring customer engagement and increasing customer satisfaction and loyalty. 
   7. Management of administrative, pre-trial and judicial procedures

      In your case, we will process your personal data for the defence of the Bank's rights and interests in any type of administrative, pre-trial and/or judicial procedure arising from or related to the relationship established with you.

      This processing would find its legal basis in the Bank's legitimate interest to guarantee and exercise its right to effective judicial protection. 

   8. Verification of the quality of services provided

      The Bank processes the personal data for the purpose of reviewing, auditing and improving the quality of the services provided, which includes (i) conducting satisfaction surveys and analysing their results, (ii) recording your voice and/or image and storing the telephone conversation and/or video, only in cases where we explicitly state it, and (iii) conducting market research through surveys, with a view to understanding our customers' perception and opinions regarding existing or new products.

      The legal basis for processing is the Bank's legitimate interest in carrying out a process of constant improvement of the service provided to customers, potential customers, users and any other person who contacts the Bank. A high level of service quality will be ensured in all cases, both on the part of the Bank and the providers of the customer service. 

   9. Preparation of reports about customers or with customers' personal data

      The Bank processes the personal data of its customers to prepare different types of reports:

      • Customer monitoring: non-payment, NPL, refinancing processes, changes in scoring, etc. These reports generally contain aggregated information, but they may occasionally include information about identified customers.
      • Prepare aggregate liquidity and interest reports for internal use and, where appropriate, send to the supervisor.
      • Credit and operational risk.
      • Analysis of the Bank's risk admission activity (financial, non-financial and operational).
      • Conducting audits and reviews of the Bank's internal controls.
      • Impact of NPL on the Bank's Income statement.
      • Monitoring of commercial strategies and other business analyses for monitoring and development purposes, including managing and verifying billing and remuneration obtained by the Bank from agreements with collaborators through which customers are redirected to take out non-financial products or services.
      • Obtaining aggregated information for the preparation of statistical studies and business analyses of various kinds. Examples include information about the use of the private channels made available to customers by the Bank, the most important transactions (e.g. the largest fluctuations in incoming or outgoing balances) and complaints in each of the Bank's branches.
      • Prepare internal reports and other aggregate (e.g. business indicators, operational risk) and statistical reports.
      • Sustainability and energy efficiency analysis. In particular, we will process the data to estimate the carbon footprint calculation from the transactions carried out and to prepare reports or statistics on environmental impact and energy efficiency. 

      The legal basis for these processing activities is the legitimate interest of the Bank in increasing its knowledge of customers, offering them a better service and providing them with better advice regarding the products they have contracted, as well as obtaining information about the state of the business. This contributes to better corporate, strategic and commercial decision-making, and helps the Bank to maintain adequate internal management and oversee the business group to which it belongs.

   10. Prepare statistics and generate analytical models 

       At the Bank, we process our customers' personal data for the purpose of compiling statistics and generating analytical models and in particular: 

       • Generate and develop commercial predictive analytical models.
       • Generate and develop quality control models for personal data and consistency of the quality of internal reports.
       • Prepare statistical studies and business analyses that allow for the improvement of processes and operations.
       • For the monitoring and analysis of the Bank's customer portfolio. 

       In order to minimise the processing of personal data, the Bank uses encryption, aggregation, dissociation, anonymisation and/or pseudonymisation techniques, provided that they do not have a negative impact on the reliability of the results.

       The legal basis applicable to this processing is the legitimate interest of the Bank in gaining knowledge of its business, adjusting its product and service offerings to meet customer needs, and improving its commercial offer by developing and creating predictive and estimative analytical models and algorithms. The aim of all this is to optimise the services provided.

   11. Development of commercial actions

       The Bank will process your personal data to inform you about available products and to carry out commercial actions by post, email and telephone, in a general or segmented way, based on objective data that you have provided or, where appropriate, personalised based on your commercial profiles (as detailed in Section 5 above). These actions will relate to products and/or services offered and marketed by the Bank and may include sending greetings on designated dates.

       The legal basis for this processing is the Bank's legitimate interest in optimising and improving its commercial actions.

       The legal basis for sending commercial communications to customers by electronic means and regarding the Bank's products is found in Article 21.2 of Law 34/2002, of 11 July, on information society services and e-commerce, which authorises the Bank to send these communications when there is a prior contractual relationship, provided that, as the sender, the Bank has lawfully obtained the recipient's contact details and uses them to send commercial communications regarding its products or services that are similar to those initially purchased by the customer.

       The legal basis for sending commercial communications by other means is the legitimate interest of the Bank in keeping you informed of its products and services and those it may be marketing. Please note that in these cases and in compliance with the data protection regulations, before carrying out the commercial activity, the Bank will consult the advertising opt-out systems to check if you have objected or refused to receive advertising related to the financial sector and, if applicable, exclude you, unless you have given us your consent to take into account exclusively your internal preferences by ticking the box provided for this purpose in the form made available to you. You can check the advertising opt-out systems published at https://www.aepd.es/areas-de-actuacion/publicidad-no-deseada

       The legal basis for the development of commercial activities in online environments (as detailed in Section 13: Use of cookies and similar technologies on the Bank's website and app) is the user's consent to the use of cookies on the Bank's website and/or app.

       For the purposes of this privacy policy, "marketed products" refers to financial products distributed by the Bank, such as investment funds, pension plans, factoring and confirming products, deposit accounts and mortgages, and POS terminals.

       Furthermore, if you consent, we will process your personal data for the development of general or segmented commercial activities as well as personalised actions based on your commercial profiles (as detailed in section 5 above), such as to: (i) send you by electronic means (email, SMS, among others) commercial information about products and/or services marketed by the Bank, (ii) offer you third-party products and services, which include those of companies within the Santander Group, companies in which the Santander Group is invested or those marketed by them that are not distributed by the Bank, and inform you of the advantages of third-party products and/or services from which you may benefit as a customer of the Bank and that are not part of the contractual offer. These commercial activities may be carried out via any means, including electronic means (email, fax, SMS, social media, mobile applications, etc.). This consent will remain in effect even after your relationship with the Bank has ended, for a period of 12 months, unless you revoke it.

       For the development of the commercial activities described in the previous paragraph, we will use your personal identification data and those derived from the Profiling described in section 5 above, in accordance with your preferences.

       The collaborating and/or affiliated companies whose products may be the subject of commercial actions belong to the following sectors: financial and insurance, consumer goods, training, education and culture, employment, home, health and beauty, hotel and travel, IT, telecommunications and technology, automotive, advisory services, real estate and construction, leisure and free time, ticket sales for events or similar, security, textiles and fashion, catering, food-fishing and livestock, agri-food, sports, energy, repair and maintenance, transport, logistics, administration, advisory and consulting, machinery and office equipment, commerce, industry, health and social services.

       The legal basis for this processing is the consent given by ticking the boxes provided for this purpose on the form made available to you.

   12. Share your personal data with companies in the Santander Group, companies in which the Santander Group is invested, and companies that collaborate with the Santander Group in undertaking commercial activities.

       If you give your consent, we will disclose your personal data to companies in the Santander Group, as well as to companies in which the Santander Group is invested (for example, insurance companies and financial asset managers) and collaborating companies in the sectors detailed in the previous point. This will allow these companies to carry out general and personalised commercial activities relating to their products and services, or those of the Bank.

       In order for the aforementioned companies to offer you personalised products and services, in addition to your identifying and contact details, we will communicate the data relating to your commercial profiles described in section 5 above to them. These commercial activities may be carried out via any means, including electronic means (email, SMS, social media, mobile applications, etc.). See the section "Who do we share your data with?" for more information.

       The legal basis for this processing is the consent given by ticking the box provided for this purpose on the form made available to you. 

   13. Use of cookies and similar technologies on the Bank's website and app

       The Bank uses its own and third-party cookies and similar technologies on its website and app for the following purposes:

       • To remember information so that the user can access the service with certain characteristics that may differentiate their experience from that of other users.
       • To monitor online sales processes, through the website and the app, with the aim of improving sales processes so that they are more intuitive for the customer.
       • To conduct tests with various stakeholder segments to verify the effectiveness of the modifications introduced in the online sales processes.
       • To analyse user navigation to detect the point at which they abandon the product/service contracting process, to classify users according to how far they have progressed in the process and their propensity to contract. If necessary, to contact the data subjects so they can resume the process.
       • To monitor and analyse user behaviour, including the quantification of ad impacts, to measure activity on the website and app, with the aim of introducing improvements based on the analysis of usage data from service users.
       • To store information on the device regarding user behaviour obtained through continuous observation of their browsing habits, which allows a specific profile to be developed, so that advertising can be shown based on it.
       • To share with third parties a unique identifier created from a cookie identifier or obtained from your encrypted identifying or contact details. This identifier is based on segmentations made with objective data available to the Bank that has been provided by you, and/or based on commercial profiles created by the Bank. We will use this identifier to show you personalised advertising about our products and services on third-party platforms, to monitor and optimise commercial actions, and to enable these third parties to interact with you in accordance with their cookie policies, provided that you have consented to them.
       • Monitor and optimise our commercial activities in order to measure their effectiveness. Recordar información para que el usuario acceda al servicio con determinadas características que pueden diferenciar su experiencia de la de otros usuarios.

       To achieve these purposes, the Bank uses both aggregated and individualised data.

       For more information about the cookies used by the Bank and the type of information collected through them, please see the Cookie Policy. You can also configure your cookie settings here. If you are accessing this document via the app for private customers, you can configure your cookie preferences in the "Cookie Management" section, which is accessible via the "Menu – Personal Area" option. If you are using the app for corporate customers, you can configure your cookie preferences in the "Cookie Settings" section, which is accessible via the "Menu – Security and Privacy" option.

       The legal basis for this processing is the consent given by the user when allowing the use of cookies on the Bank's website and/or app. However, in the case of technical cookies or cookies that are strictly necessary to provide a requested service, the legal basis will be the application of pre-contractual measures requested by you or the performance of a contract to which you are a party. 

2. If you are a guarantor:

   When you act as a guarantor of a customer or potential customer of the Bank, we will process your personal data in accordance with the provisions of sections 1, 2, 3, 4, 5 (with consent), 7, 8, 9, 10, 11, 12 and 13 of section "I. If you are a customer or wish to become a customer". 

3. If you are a representative, authorised person or party involved in a contract:
   1. Processing of contact data for the management of the contractual relationship

      We will process your contact information in order to maintain, manage and execute the contractual relationship established with a customer if you are an authorised person or a party involved in their contract with the Bank (such as a guarantor, attorney-in-fact, usufructuary, guardian, etc.), or if you act as the representative of a natural or legal person.

      The legal basis for the processing described is the performance of the contract in relation to those acting as representatives of natural persons, and the legitimate interest of the Bank in the maintenance, management and performance of the contractual relationship established with said entities. 

   2. Verification of powers of attorney

      We will process your personal data for the purpose of verifying your powers and authority of representation through the verification of powers of attorney.

      The legal basis for this processing is, with respect to those persons acting as authorised persons, the execution of the contract; and, in the case of representatives of legal entities, the legitimate interest of the Bank in maintaining, managing and executing the contractual relationship established with said entities.

      Additionally, we will process your personal data as described in sections 1, 2, 4, 5 (with consent only for authorised parties or those involved in a contract). Representatives are excluded), 7, 8, 9, 10, 11 (processing with consent from representatives or contact persons of legal entities is excluded), 12 (with consent only for authorised persons or parties involved in a contract) and 13 from section "I. If you are a customer or wish to become a customer". 

Is it mandatory to provide your data?

You will be required to provide us with your data if you wish to contract one of the Bank's products or services, and you must ensure that your data is up-to-date at all times to ensure it reflects your current situation. 

What happens if you do not want to give your consent?

If you do not authorise the processing of your data where your consent is requested, or if you wish to withdraw your consent at any time, this will not affect the maintenance or compliance of your contractual relationship with the Bank. Furthermore, please note that, even if you do not authorise the processing of your data, there may be specific cases in which you may receive commercial communications from the Bank, either based on the Bank's legitimate interest (provided you have not objected) or in cases where there is a legal authorisation. 

For how long do we keep your data?

We will process your personal data while the contractual relationship is in effect or as needed for the purpose for which it was collected.

If you cancel all contracts, we will store your data for the purpose of sending you electronic commercial communications regarding products or services offered by the Bank that are similar to those you have contracted, unless you have opted out of receiving these types of communication. 

Likewise, if you have given your consent, we will continue to process your data for the purpose of sending you commercial communications about the Bank's products and/or services, as well as those of third parties, including companies in the Santander Group and those in which it is invested. 

All of this applies for a period of 12 months following the termination of the contractual relationship. 

However, you may object to, as well as revoke your consent for the processing for these purposes at any time, as detailed in "What are your rights when you provide us with your data?". 

When your personal data is no longer necessary for the purposes set out in this document, we will keep it duly blocked, which will mean that the Bank will not carry out any processing other than its storage for making it available to the competent Public Administrations, Judges and Courts or the Public Prosecutor's Office; for the attention of possible liabilities arising from the contractual relationship maintained or those related to the processing of the data. We will keep your data blocked for the periods provided for in the applicable legal provisions or, where appropriate, for the limitation periods of actions arising from the contractual relationships maintained with the Bank and will then proceed to physically delete or completely anonymise your data once these periods have elapsed. 

Who do we share your personal data with?

We share your personal data with:

1. Companies of the Banco Santander Group and third-party entities collaborating and/or held by the Santander Group (for example, insurance companies and financial asset managers). Depending on the purpose of the processing that we have informed you about in this document, we will only communicate your data to third parties in the following circumstances: i) when it is necessary to carry out simulation processes in order to contract any of these entities' products and/or services, to actually contract them and/or to maintain and/or manage the contract that you have with the aforementioned entities; ii) when you give us your consent; iii) when the transfer is based on the legitimate interest of the Bank and/or the third company to which we communicate your data; and iv) when the transfer responds to compliance with a legal obligation. You can access the complete list of Group companies and third-party entities collaborating with and/or invested in by the Santander Group, to which we will communicate your data, by requesting it at your branch or at 

   http://bsan.es/sociedades_banco_santander.

2. Third parties with whom a unique identifier is shared for commercial activities in online environments, as indicated in section 13. Use of cookies and similar technologies on the Bank's website and/or app (for example, advertising platforms): when you provide your consent to the use of cookies on the Bank's website and/or app. You can access the full list of third parties with whom we will share your personal data at the following link.
3. Public administration bodies and private entities, when we have a legal obligation to provide your data (non-exhaustive list prepared for illustrative purposes only): 

   3.1) Central Risk Information Service of the Bank of Spain (CIRBE): In compliance with Law 44/2002 on the Reform of the Financial System, the Bank will communicate your identifying details (either as the holder or as a guarantor) and risk of your banking transactions arranged with us and where applicable, your status as a sole proprietor.

   3.2) Financial ownership file of the Executive Service of the Anti-Money Laundering and Monetary Offences Commission: In compliance with the anti-money laundering and counter-terrorism financing regulations, the Bank is required to share the following information with the State Secretariat for the Economy and Business Affairs: (i) the identifying details of all holders, beneficial owners, representatives or authorised persons, and any other individuals with powers of disposal over current accounts, savings accounts, term deposits, and any other type of payment account, as well as contracts for the rental of safe deposit boxes, regardless of their trade name, together with any modifications made to them; and (ii) the date of opening, cancellation and other mandatory data derived from the aforementioned agreements.

   3.3)Spanish Tax Agency, in compliance with the applicable tax regulations.

   3.4) Authorities or official bodies in other countries, located both outside and within the European Union, within the framework of the fight against terrorism financing and serious forms of organised crime and anti-money laundering, in the cases of fund transfer orders and for compliance with national or international legal, tax and/or fiscal obligations in the event that you have indicated one or more countries of nationality and/or tax residence other than Spain.

   3.5) Auditors of accounts, when the Bank must be audited in compliance with a legal obligation.

   3.6) Deposit Guarantee Fund. For the purpose of calculating contributions to the Deposit Guarantee Fund for Credit Institutions, the Bank will report individualised information on balances corresponding to deposits made by customers.

   3.7) Payment service providers. To ensure the verification of the beneficiary in the context of carrying out a payment transaction, in compliance with European regulations on instant payments in euros (Regulation (EU) 2024/886), the Bank may communicate the beneficiary's identifying details to the payment service providers of the payer of the transfers and to the payer, when there is an almost exact match in the name associated with the account identifier, so that the payer can decide whether or not to authorise the transaction. 

4. Courts and Tribunals and State Security Forces and Corps, when this is imposed by a legal obligation or is necessary for the formulation, exercise or defence of claims, on the basis of the Bank's legitimate interest in guaranteeing its right to effective judicial protection.
5. Lawyers and solicitors, when acting as procedural representatives in court, on the basis of the Bank's legitimate interest in guaranteeing its right to effective judicial protection and legal assistance.
6. Common credit information systems: the Bank may report identifying details and default data to the credit information systems of which it is part, such as Experian, Asnef and RAI. This will always be in compliance with the procedures and guarantees established at any given time, and recognised by current legislation. 
7. Third-party fraud prevention entities, such as Confirma Sistemas de Información S.L. (Confirma) and mobile phone operators. In the context of any request to contract a product or service and/or a financing or deferred payment transaction, the Bank will disclose your data to the "Fichero Confirma" for fraud prevention purposes. 

   The purpose of the filing system is the comparison of applications and transactions registered therein by the participating entities in order to detect potential fraud during the contracting process. This purpose involves assessing the probability of fraud in the application. The joint data controllers are the entities that have subscribed to the Fichero Confirma Regulations, and the data processor is Confirma Sistemas de Información, S.L., with registered office at Avda. de la Industria, 18, TRES CANTOS (28760) MADRID. Applicants can check the list of entities currently adhering to the Confirma Filing System Regulation at www.confirmasistemas.es. The legal basis for processing personal data is the legitimate interest of the joint controllers in preventing fraud (Recital 47 GDPR), to avoid possible negative economic consequences and potential legal breaches by applicants. Consulting the Fichero Confirma is appropriate in view of the purpose pursued, and proportionate in relation to the benefit obtained by the joint controllers and the impact on the privacy of the applicants. Furthermore, the processing of data falls within the reasonable expectations of the interested parties as it is a common practice and occurs within the framework of a hiring request. To avoid harm and negative consequences for applicants, technical and organisational measures have been adopted to reinforce the confidentiality and security of this information.

   The maximum data retention period will be five years. Data sent to the Fichero Confirma may be viewed by entities that comply with the Fichero Confirma's Regulations. The transfer of data to a third country or international organisation is not planned. 

   In accordance with current data protection regulations, data subjects may exercise their rights of access, rectification, deletion, opposition, limitation of processing, not to be subject to individual automated decisions with legal effects, and portability, by contacting the registered office of the data processor, CONFIRMA SISTEMAS DE INFORMACIÓN, S.L., at the address indicated above. Interested parties may also exercise their right to file a complaint with the Supervisory Authority.

   CONFIRMA SISTEMAS DE INFORMACIÓN, S.L. has appointed a Data Protection Officer who can be contacted via email at dpo@confirmasistemas.es, for privacy-related requests concerning the Confirma Filing System. Likewise, in the context of any application for services or when you change your phone number, your phone number may be checked with mobile phone service operators in order to detect possible identity theft and prevent fraud. 
8. Sociedad Española de Sistemas de Pago, S.A. (Iberpay): In the context of any application for an asset product through non-face-to-face channels, in which you have authorised the Bank to assess the risk of the operation through the aggregation service, we will communicate your data to the Iberpay platform in order to verify your ownership of the aggregated account. The entities responsible for processing the "Iberpay platform" are the entities participating in the National Electronic Clearance System (SNCE), with Iberpay S.L. being the data processor.

   Furthermore, for purposes of detecting and preventing fraud, the Bank may add your data to a shared banking-transaction fraud-prevention file system, which is managed by Iberpay and for which responsibility is shared by the participating organisations, including the Bank, for detecting, investigating, monitoring and potentially reporting suspicious and fraudulent transactions involving your current or savings account. Data relating to the IBAN number and the holder of the account involved in the presumed suspicious or fraudulent transaction are added to this shared file system and, where applicable, may be made known to the financial organisations that are part of this shared file system, for the sole purpose of detecting, preventing and monitoring fraud. You can view the up-to-date list of the organisations that are part of this shared file system at the following link: [https://www.iberpay.es/Secciones/04MasServicios/Paginas/PrevencionFraude.aspx] request additional information and enquire about the key aspects of the shared-responsibility agreement between these organisations by sending an email to privacidad@gruposantander.es

   The filing system will only receive information regarding the account holder and IBAN of the account in which the unauthorised or suspected fraudulent transaction was detected, which may be consulted by the other affiliated entities. The basis that legitimises the processing is the legitimate interest of the Bank in the detection and prevention of fraud in banking operations that occur through its account, which in turn benefits the account holders who may be affected by fraud committed by a third party.

   The data will be stored in the filing system for a maximum of thirty days in the case of suspicious transactions and for one year in the case of unauthorised transactions (when the fraud has been confirmed by the affected individual). The Bank will automatically delete the data included in the common filing system when the data ceases to be accurate or does not truthfully correspond to the real situation of the data subject. 

9. FraudFense filing system. The Bank may include your data in a common filing system for the prevention of fraud in banking transactions, managed by FrauDfense, S.L., whose joint controllers are the entities adhering to the filing system, including the Bank, for the detection, investigation, control and possible reporting of payment transactions in which there is evidence of their fraudulent nature committed in your current or savings account or through the unauthorised use of your card (the "fraudulent transactions"). The data included in this common filing system are those relating to the IBAN number of your account, your card's PAN, data relating to the fraudulent transaction identified (such as, for example, data of the device from which the transaction was carried out, the data of the account where the transaction was detected or data related to inconsistencies detected that imply a possible case of identity theft). The data may be consulted by financial entities adhering to the FrauDfense filing system for the sole purpose of detecting, preventing and controlling fraud.

   You can check the updated list of entities adhering to the FrauDfense filing system at https://916087356-1.servicio-online.net/sobre-nosotros1/nuestros-partners and request additional information, as well as the essential aspects of the joint responsibility agreement between the entities, by sending an email to privacidad@gruposantander.es or DPO@fraudfense.com.

   The basis that legitimises the processing of your data is the legitimate interest of the Bank in the detection and prevention of fraud in banking operations originating from or destined for your current or savings account, which in turn benefits the account holders who may be affected by fraud committed by a third party.

   The data will be stored in the FrauDfense filing system for a maximum of one year from the date on which the transaction took place and will remain blocked until the statute of limitations for any actions that may arise expires (as a general rule, for a period of three years). The Bank will automatically delete the data included in the FrauDfense filing system when the data ceases to be accurate or does not truthfully correspond to the real situation of the data subject.

   Finally, in addition to the channels the Bank provides for you to exercise your data protection rights, which you can consult in the section "What are your rights when you provide us with your data?", you can also send your request through the data controller to the following address: DPO@fraudfense.com
10. Other credit institutions, state-owned enterprises, referring companies, collective investment institutions, venture capital companies and guarantors, payment service providers, third-party aggregators, payment systems and technology service providers, Notaries, Registrars, appraisal companies, digital certificate issuers, administrative agencies and universal postal service operators may receive your data where it is necessary for the performance of a contract or the provision of a service requested by you. This includes cases where we transmit your data to execute a transfer order to another institution located inside or outside the European Union; where risk-bearing transactions granted to you are guaranteed and/or subsidised by third parties with whom the Bank has a collaboration agreement, such as the European Investment Fund or the Spanish Official Credit Institute; where you request an operation through a third party (referrer) with whom the Bank collaborates; where the contract you execute with the Bank must be formalised by a public notary or filed with a Commercial Registry, Movable Property Registry or Land Registry; or where a trusted third party must keep it; or where, in the context of a request for contracting and providing us with the necessary documentation or information for its assessment, you ask us to do so through a company issuing digital certificates. Likewise, in the context of processing a mortgage transaction, we will communicate your data to the management company for the calculation and preparation of the provision of funds.
11. Banco Santander service providers: the Bank collaborates with third-party service providers who have access to your personal data and who process said data, as data processors, on behalf of the Bank in their condition as service providers.

    The Bank follows strict criteria for selecting service providers in order to comply with its obligations regarding data protection and undertakes to sign the corresponding data processing contract with them, which will impose on them the following obligations, among others: to apply appropriate technical and organisational measures; to process personal data for the agreed purposes and only in accordance with the Bank's documented instructions; and to delete or return the data to the Bank once the provision of services has ended.

    Specifically, the Bank will arrange the provision of services by third-party providers that carry out their activities, for example and not limited to, the following sectors: logistics services, legal advice, management services, supplier approval, services for the transmission and execution of orders on shares or units of Collective Investment Schemes of managers that are not affiliated with the Santander Group through specialised technological platforms, multidisciplinary professional services companies, technology service providers, IT service providers, physical security companies, instant messaging service providers and call centre service providers. 

Will your personal data be transferred to third countries? 

Among the data processors contracted by the Bank, there may be providers that are not located in the European Economic Area, resulting in an international transfer of your data. To that end, the Bank will only transfer data to third countries (i) if there is an adequacy decision that determines that it is a country with a level of protection comparable to that of the European Union, (ii) failing that, applying appropriate safeguards in accordance with data protection regulations, such as the signing of Standard Contractual Clauses or Binding Corporate Rules. The data subject may request additional information about such appropriate safeguards through the contact methods indicated in the section "What are your rights when you provide us with your data?"

Likewise, when you give us consent to share a unique identifier with third parties, as stated in section 13 "Use of cookies and similar technologies on the Bank's website and app", the unique identifier will be transferred to third parties located in (i) the United Kingdom, according to the EU Commission's adequacy decision of 28 June 2021 or (ii) the United States, provided these third parties adhere to the EU-US Data Privacy Framework referred to in the EU Commission's adequacy decision of 10 July 2023.

In addition, when you request the execution of transactions for bank accounts located in countries outside the European Economic Area, your personal data will be transferred to the entity where the account is held. In such cases, the aforementioned transfer will be legitimate because it is necessary for the execution of the contract signed between you and the Bank. 

What are your rights when you provide us with your data?

You may exercise your rights of access, portability, rectification, erasure, limitation and opposition. Furthermore, you will have the right not to be subject to a decision based solely on automated processing, so you may request human intervention by the Bank in the decision-making process that concerns you, express your point of view, and challenge the decision.

Regarding processing based on legitimate interest, you may request information regarding the weighting procedures carried out by the Bank, as well as object to any such processing, for which you must contact the Data Protection Officer/Privacy Office and explain the reason for your objection. You will not need to state any reason if your objection relates to the processing of your data for commercial purposes; simply inform us of your wish not to receive commercial communications.

Likewise, you may revoke the consent given at any time, without this affecting the legitimacy of the processing carried out previously on the basis of said consent. 

To exercise the aforementioned rights or consult any question relating to the processing of your personal data, you can send an email to privacidad@gruposantander.es or, write to us at C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid (A/A. Data Protection Officer/Privacy Office). You can also modify the status of your consents and object to or revoke your objection to the processing carried out by the bank based on its legitimate interest and which we have considered directly objectionable without you having to provide any justification, in the environment of the website or app after you log in (personal area) or by requesting it at any branch. When there are reasonable doubts about your identity (for example, when the communication is made from an email address other than the one the Bank has), you will be asked to provide additional information to help us verify your identity. If you exercise your rights through a representative, you must also provide a valid document as proof of their representation.

The additional information you provide for your identification will be used solely for the purpose of verifying your identity and managing the exercise of your right. If you exercise your right to access your personal data, please note that you will only receive a copy of the data that is being processed by this entity. Additionally, you may contact the Bank's Data Protection Officer/Privacy Office via the following email address: privacidad@gruposantander.es.

Finally, you may file a complaint with the Spanish Data Protection Agency. The necessary information is available on their website:  www.aepd.es.

The Bank may update this document in the future. The date of its entry into force is indicated at the bottom. Please check this information periodically to ensure you are familiar with the latest version.

Who is the data controller?

Banco Santander, S.A (hereinafter "the Bank" or "Banco Santander").

Postal address: C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid, Spain.

Data Protection Officer/Privacy Office contact: privacidad@gruposantander.es

What types of persons involved are covered by this document?

This document applies to under age customers, except for those that have sufficiently evidenced their emancipation.

What types of personal data do we collect and process?

• Identification and contact details: Identity document (Spanish tax ID (NIF), Spanish national ID (DNI), foreign registration number (NIE), non-Spanish identity document/corporate tax ID (CIF)), name and surname, customer number, address, residence, telephone numbers, email address. Likewise, when the preference of data collection from the Spanish national ID is selected, a picture of it shall be used, including its photograph.
• Data relating to personal characteristics: gender, age, date of birth, place of birth, nationality.
• Data relating to your social circumstances: hobbies, property and details of your residence, farm or premises (such as size, location and energy features).
• Academic and professional or employment data: level of studies, qualifications, employment status, activity, profession, professional category.
• Economic, financial and solvency data: Current accounts and balance, origin of assets, annual income and origin of it. 
• Data relating to transactions of assets and services: catalogue of all contracted bank products such as credit or debit cards, funds, means of payment, etc. and their use.
• Fiscal data: place of fiscal residence, foreigner’s tax identification number.
• Data relating to sales information: use of channels, contact preferences.
• Transaction data: income, expenses, balances, payments, transfers, direct debits, invoices, notes and movements of contracted products, including the origin, destination, item and third party related to the transaction, location where it is carried out and the date and time.
• Data on your location, if you have consented to activate the geolocation service on your device.
• Data relating to online behaviour: for example, IP of the computer or ID of the device, as well as visits to websites, device model, online identifiers, under the terms described in our Cookies policy, available on our website.
• Data on your interests that you share with us: for example, through a consultation call with our managers, a simulation of our products and/or services or user registration in our Newsletter service.
• Data relating to the devices from which you access the customer area of the Bank: device model and operating system. 
• Audiovisual data: for example, when we record your voice during a telephone conversation with our managers.
• Sensitive data: in the context of your relationship with the Bank, we will process your health data relating to your degree of disability, and other information relating to a situation of vulnerability, for the purposes provided for in the regulations on this matter.
• Data relating to relationships with third parties: for example, information on your father, mother or guardian, if they have processed the registration of the service; or relationship with family members or close relatives with public positions or civil service.
• Information on data from external sources is detailed in the section "How do we obtain your data?". 

How do we get your personal data?

The Bank obtains your data through the following sources:

1. Through the information provided by your father, mother or guardian when he/she requests and contract the service with us, registering you as customer of the Bank.
2. Directly from you, through the information that you provide when you maintain and make use of your products and/or services with us, both directly and indirectly and through any of the channels that the Bank makes available to you (branch, telephone channel, online services, etc.). Examples include: through enquiries, transactions, operations, simulations or applications for such products or services.
3. Directly from you, through the information that you provide when you browse our website and mobile phone application, via the use of cookies or any other type of online identifier or through the fingerprint of your device or terminal. 
4. Exceptionally, and to comply with the due diligence obligations related to anti-money laundering and terrorist financing, we may use the information available to the Bank to verify that the data have been provided in the customer's identification form, and in the information of other entities of the Santander Group of which you are a customer and that are subject to the legal obligations concerning anti-money laundering and terrorist financing.
5. External information sources:
   • Central de Información de Riesgos del Banco de España (Bank of Spain Risk Information Centre, or CIRBE), from which we obtain solvency information about you. 
   • Fraud prevention information systems, such as Sociedad Española de Sistemas de Pago, S.A. (Iberpay), Confirma Sistemas de Información S.L. (Confirma), FrauDfense and telecommunications operators.
   • Specialised information files or public sources available on the internet relating to the prevention of money laundering and terrorist financing, from which the Bank obtains information on its customers who hold or are involved in accounts, legal representatives and beneficial owners of accounts. Publicly accessible sources such as official state bulletins and newspapers, public records, government resolutions, telephone books and lists of persons belonging to professional associations. 

For what purpose and on what lawful basis do we process your personal data?

The different purposes of Banco Santander processing are set out below:

1. Management of the pre-contractual and, where appropriate, contractual relationship with respect to the Bank's services that you've contracted.  

   When any of the Bank's products and/or services are contracted, we will process your personal data for the following purposes:

   • Service maintenance, development and execution. The foregoing also includes the personal data processing to organise the portfolios of different customers of the Bank and assign each of them to a specific manager, and processing of transaction data of products and/or services that you have contracted with the Bank, in the cases that are necessary to verify that you comply with the terms and conditions for the conclusion and subsequent development of the contract.

     In addition, we will communicate your data to other Santander Group companies and third-party affiliates and/or companies that collaborate with Santander Group (for example, financial asset managers or venture capital companies), in the event that you, as a customer of the Bank, carry out simulation processes or request the contracting of any of these entities' products and/or services marketed by the Bank and/or actually contract said products, or in cases where you are a joint customer of the Bank and such entities, when the purpose of the data communication is the maintenance and development of the contract that you hold with the aforementioned entities. In these cases, communication will only affect a limited number of your personal data that the Bank has, particularly, those that are strictly necessary for the conclusion of the contract and/or for its execution/development and compliance by such companies of their legal obligations: name and surnames, tax identification number (NIF), gender, age, domicile and direct debit; and, in some cases, also your email, telephone and information necessary to comply with the legal obligations foreseen in section 2 below. The purpose of this is to make it simpler and more agile to arrange products through the Bank that are marketed or distributed by the Bank but provided by other Group companies or third-party investees, taking your condition as Bank customer into account. compliance by such companies of the legal obligations to which they are subject; and, for those companies of which you are also a customer, to have your contact details in order to send you information relevant to the development of your contractual relationship.  

   • To send out informative communications strictly related to the service that you have contracted and the operation of it, including the verification of unusual account activity.
   • To allow your access to the Bank’s digital channels 
   • To provide you with the services that you request from us or that are incorporated into the Bank's digital channels, and the performance of transactions and the management of (i) any type of query, claim or incident that may arise from the contractual relationship entered into and (ii) the services offered by ATMs (for example, withdrawals and deposits into accounts, payments of taxes and bills, viewing account activity, transfers, mobile top-ups or password recovery). 
   • To manage your participation in any contests, sweepstakes or promotions you register to.

   The lawful basis of this processing is the execution of the contract entered into by the Bank or your request for the adoption of pre-contractual measures aimed at contracting any of the products and/or services offered by the Bank or its Group companies.

   In addition, the Bank may share information associated with the updating of your personal data with the companies, third-party collaborators and/or affiliates of the Santander Group, whose products it markets and/or shows you in your Customer Area of the Bank (website and app) or regarding which you may request information from your manager. In other words, if you update your personal data through the Bank, the Bank may provide the updated data to others. You can view the full list of Group companies and Santander Group third-party partners and/or affiliates to which we disclose your data by requesting it from your branch or via the following link: http://bsan.es/sociedades_banco_santander.

   The lawful basis of this processing is the legitimate interest of having all the information updated in all entities of the Santander Group, as well as in the Group's collaborators and/or affiliates whose products are marketed by the Group, without it being necessary for you to request said update for each of them.

   Likewise, the Bank may offer additional or complementary functionalities related to the contracted products, to enable their management.

   The lawful basis for this processing is the legitimate interest in offering the best service and advice on the contracted products, providing an additional value to customers. 

2. Compliance with the Bank's legal obligations

   We will process your personal data to comply with the legal obligations applicable to the Bank, such as:

   • Anti-money laundering and counter-terrorist financing obligations. 

     To comply with these obligations, the Bank will process the data required to comply with the due diligence obligations set out in the applicable regulation. Likewise, for these purposes, the Bank will share your personal data with other Santander Group companies and to third-party affiliates and/or collaborators of the Group that have delegated compliance with anti-money laundering and counter-terrorist financing obligations to the Bank, under the terms set out in said regulations.

     Additionally, the Bank will process your personal data so as to perform an ongoing monitoring of the business relationship, including review procedures to ensure that the data obtained from implementing the due diligence measures are updated and in force. For this purpose, the Bank will share your personal data with other Santander Group companies of which you are a customer and that are subject to the legal obligations on anti-money laundering and terrorist financing, and, will collect your personal data from such companies to process them for the aforementioned purpose.

     Additionally, the Bank may process data that is necessary to analyse transactions carried out that may present signs of money laundering or terrorist financing, and will carry out the relevant communications, where appropriate, with the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC) by (i) regularly reporting on transactions that comply with specific requirements set by SEPBLAC or (ii) requesting specific information on a transaction.  

   • Tax obligations imposed by the Foreign Account Tax Compliance Act (FATCA) and the Common Reporting Standard (CRS) in relation to the automatic exchange of information obligation, which obliges the Bank to identify, classify and report certain financial accounts of customers who have legal obligations in the US in the case of FATCA and, in the case of CRS, to different financial authorities located in the jurisdictions participating in this standard. Likewise, for these purposes, the Bank will communicate your personal data to other Santander Group companies and to third-party affiliates and/or collaborators of the Group whose products or services the Group markets and that have expressly delegated compliance with these tax obligations to the Bank, under the terms set out in said regulations.
   • Commercial, corporate and tax obligations and obligations of any kind imposed by the supervisory bodies and competent authorities (for example, the European Central Bank, the Bank of Spain, the Spanish National Markets and Competition Commission or the Spanish Data Protection Agency).
   • Consultation of credit information systems obligations and disclosure of any data related to them, established by the regulations governing the financial system and real estate credit, in order to comply with the principles of responsible lending and minimisation of credit risk.  
     • When you are the holder of any type of risk, the Bank may consult the information about you that appears in CIRBE and the credit information systems to which it is has access (for example, Experian, Asnef and RAI), in order to evaluate your solvency and credit risk.
     • When you hold credit risks with the Bank, either directly (holder) or indirectly (guarantor of a risk product), we will share your data with the CIRBE, including data relating to the characteristics of the risks. 
       

   The lawful basis for this processing is compliance with the legal obligations applicable to the Bank.  

3. Prevention and investigation of fraud

   We will process and/or share your data with third parties, whether or not they are Santander Group companies (for example, Confirma, Iberpay and telecommunications operators), to detect and analyse possible fraudulent activity, identify and learn about the participants in such activities, and, where appropriate, take relevant action to face such situations.

   For this purpose, in cases in which you are a customer of both the Bank and other Santander Group companies and/or third-party affiliates and/or collaborators of the Group, the Bank will share your personal data with such companies and entities, in order to ensure compliance with the Group's management policies relating to the prevention and investigation of fraud.

   Likewise, in order to prevent this type of practices, we process your data with the aim of sending you informative communications on fraud operations, to anticipate ourselves to possible situations that may cause you harm as a result of, i.e., fraudulent behaviour caused by third parties.

   The lawful basis for this processing is the legitimate interest of the Bank or of participating institutions, when we include or check your data shared filing system for the prevention of fraud, to prevent, investigate and/or discover fraud. You can obtain more information on the entities to which we will share your data to for this purpose, the terms under which data are to be processed and how to exercise your rights under “who we transmit your personal data to?”. 

4. Make recommendations

   If you have the Digital Bank (app) contract activated we will process your data to:

   • Make observations and recommendations on contracted products and services.
   • Perform an analysis of your transactions and spending habits in order to provide you with information, advice or warnings about them in order to optimise them (such as analysing how you're spending your money, calculating your savings capacity, etc.).
   • If you are a user of the Newsletter service or of the Bank's news service, forward content adapted to your personal characteristics (for example, to your age), and contracted products. 

   For these purposes, we will only use internal sources, i.e., we will only process the information that you provide and the one related to your contractual and commercial relationship with the Bank: transaction data of services that you have contracted with the Bank, the information on your interests that you share with us, for example through telephone calls with our managers.

   The lawful basis for this processing, aimed at identifying your needs regarding the products, services, recommendations, advice and information best suited to your personal characteristics is the Bank's legitimate interest in knowing your business better and improving the quality of the service that we provide, as well as improving the conditions of the products or services that you have taken out or may take out in the future. 

5. Commercial actions and loyalty actions, promotions and competitions/draws

   If you have the Digital Bank (app) contract activated we will process your data to make loyalty phone calls, submit invitations to events, and make you part of loyalty actions, promotions, offers and competitions/draws that the Bank promotes among its customers, based on your personal characteristics and contracted services, as well as to send you information on such. For example, the Bank may enter you in a draw in which you may be a winner for simply having used a card issued by the Bank as payment for your purchases or for making use of other services offered by the Bank during the promotion period. We may also offer discounts and offers in restaurants, leisure and other services that might be of your interest.

   Likewise, if you are over 14 years, we can send you commercial information on Bank products and services that are available to you.

   In this sense, we will use the objective data available to the Bank, i.e., identification and contact data or personal characteristic data (i.e., your age) and contracted products and services.

   The lawful basis for this processing is the Bank's legitimate interest in building customer loyalty and increasing customer satisfaction and loyalty. 

6. Management of administrative, preliminary ruling and judicial proceedings

   Where appropriate, we will process your personal data for the defence of the Bank's rights and interests in any administrative, preliminary ruling and/or judicial proceedings arising out of or linked to the relationship with you.

   The lawful basis for such processing lies in the Bank's legitimate interest in guaranteeing and exercising its right to effective legal protection.  
7. To check the quality of the services provided

   The Bank processes the personal data of our customers for the purposes of carrying out procedures to review, audit and improve the quality of the services provided. This includes: (i) performing satisfaction surveys and analyses of the results; (ii) recording your voice and/or image and saving telephone conversations and/or video calls, only in cases where we expressly indicate this to you; (iii) performing market research through surveys, the aim being to ascertain customers' perception and appraisal of existing and new products.

   The lawful basis for this processing is the Bank's legitimate interest in following a process of continuous improvement as regards the services provided to customers, prospective customers, users and any other interested persons who may contact the Bank, and guaranteeing, in any case, that said service is delivered to a high level of quality, on the part of the Bank as well as the suppliers that provide you with customer service. 

8. Preparation of reports on customers or with customers' personal data

   The Bank processes the personal data of our customers in order to prepare reports of a varied nature:

   • Monitoring of customers. Although these reports generally include aggregated information, they may promptly include information on identified customers.
   • To produce liquidity and interest reports at the aggregate level, for internal use and, where appropriate, for submission to the supervisor.
   • Credit and operational risk.
   • Analysis of the Bank's risk acceptance activity (financial, non-financial and operational).
   • Conducting audits and reviews of the Bank's internal control.
   • Impact of non-performing loans on the Bank's profit and loss.
   • Follow-ups on commercial strategies and other business analyses, in order to monitor and develop them.
   • To obtain aggregate information in order to prepare statistical studies and business analyses of various kinds, e.g. on the use of the private channels that the Bank makes available to its customers or on the most significant transactions (e.g. the largest fluctuations in incoming or outgoing balances) and complaints that have been lodged at each of the Bank's branches.
   • To prepare internal reports and other reports of an aggregate (for example, business indicators, operational risk) and statistical nature. 

   The lawful basis for this processing is the Bank's legitimate interest in increasing its knowledge of its customers, in being able to offer them a better service and advice on the products contracted, in obtaining information on the state of the business that contributes to better corporate, strategic and commercial decision-making, and in maintaining adequate internal management of the Bank and of the business group to which it belongs.

9. To produce statistics and create analytical models. 

   At the Bank, we process the personal data of our customers for the purpose of producing statistics and analytical models, and in particular to:  

   • Generate and develop models for personal data quality control and for the consistency of internal reporting quality.
   • Prepare statistical studies and business analyses that help to improve processes and operations.
   • Monitor and analyse the Bank's customer portfolio. 

   In order to minimise the processing of personal data, the Bank uses encryption, aggregation, disassociation, anonymisation and/or pseudonymisation techniques, provided that they do not impair the reliability of the results.  

   The lawful basis for this processing is the Bank's legitimate interest in gaining knowledge of its business and tailoring its product and service offerings to the needs of its customers, and in improving the Bank's commercial offering through the production and development of predictive and estimative analytical models and algorithms, all with the aim of optimising the services provided. 

10. Use of cookies and similar technologies on the Bank's app

    The Bank’s app uses cookies and similar technologies, own and from third parties, to enable the user to navigate through it and use the different existing options or services, including those that are used to enable the App’s management and operation, as well as to provide its functions and services.

    For more information about the cookies used by the Bank and the type of information collected through them, you can consult the Cookies Policy.

    The lawful basis of this processing is the implementation precontract measures requested by you or the execution of a contract in which you are part because they are technical or strictly necessary cookies to provide the requested service by the user.  

Is it compulsory to provide your data?

Provided that you wish to take out a service with the Bank, you will be required to provide your data and ensure that it is kept up to date and, at any given time, corresponds to your current circumstances.  

How long do we keep your data for?

We will process your personal data for as long as the contractual relationship remains valid and remains necessary for the purpose for which it was collected.  

When your personal data become no longer necessary for the purposes set out in this document, we will store it, duly encrypted, which will mean that the Bank will not carry out any processing other than storing the data to make it available for the competent public administrations, judges and courts, or the public prosecutor's office, for any possible liabilities arising from the contractual relationship maintained or related to the data's processing. We will keep your encrypted data for the time frames set out in applicable provisions or, where applicable, in the contractual relationships with the Bank, and physically erase or fully anonymise your data once these time frames have passed.  

Who do we transmit your personal data to?

We transmit your personal data to: 

1. Companies of the Banco Santander Group and third-party partners and/or affiliates of the Santander Group. Depending on the purposes for processing, which we have informed you of in this document, we will only share your data with third parties: i) when doing so is necessary in order to undertake processes to simulate the acquisition of products and/or services from said entities, the actual acquisition of said products and/or services, and/or the maintenance and/or management of the contract in place with the aforementioned entities; ii) when the transfer is based on the Bank's legitimate interest and/or that of the third-party company with which we are sharing your data and, iii) when the transfer is in order to comply with a legal obligation. 

   You can view the full list of Group companies and Santander Group third-party partners and/or affiliates to which we disclose your data by requesting it from your branch or via the following link: http://bsan.es/sociedades_banco_santander.

2. Government agencies and private entities, when there is a legal obligation to disclose it to them (non-exhaustive list):  

   2.1) CIRBE (Servicio Central de Información de Riesgos de Banco de España – Bank of Spain Risk Information Centre): The Bank, in accordance with Law 44/2002 on the reform of the financial system, will disclose your identifying data (whether as a holder or guarantor) and data regarding the risk of the banking transactions you have contracted with us.  

   2.2) Financial ownership files of the Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias (Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences): The Bank, in accordance with regulations on the prevention of money laundering and countering the financing of terrorism, must disclose the following to the Spanish State Secretariat for the Economy and Business Affairs: (i) identification data of all holders, beneficial owners, representatives or proxies and any other person with powers to dispose of current accounts, savings accounts, deposits with agreed maturity, and any other type of payment account, as well as rental contracts of safe deposit boxes, regardless of their commercial name, as well as any amendments thereto; and (ii) the start date, termination date and other mandatory data with respect to the aforementioned contracts.

   2.3) The Spanish Tax Agency, in accordance with tax legislation.

   2.4) Official bodies and authorities of other countries, both within and outside of the European Union, as part of the fight against terrorist financing, serious forms of organised crime and money laundering, in the case of transfer orders of funds, and to comply with national and international legal and/or tax-related obligations if you have indicated multiple countries of nationality and/or for tax residence other than Spain.

   2.5) Accounts auditors, when the Bank must be audited to satisfy a legal obligation. 

   2.6) Deposit Guarantee Fund. The Bank, for purposes of calculating contributions to the Spanish Deposit Guarantee Fund for Credit Institutions, will disclose, to said Fund, individualised information regarding balances corresponding to the deposits made by customers.

   2.7) Payment service providers. To guarantee the verification of the beneficiary in payment transactions, in accordance with the European regulation on instant payments in Euros (Regulation (EU) 2024/886), the Bank may disclose identification data of the beneficiary to the payment service providers of the payer and to the payer, whenever there is an almost exact match with the name associated to the account’s identifier, so that the payer can decide whether or not to authorise the transaction. 

3. Courts and state law enforcement and security forces, when doing so is required due to a legal obligation or when it is necessary for the preparation, execution or defence of claims, on the basis of the legitimate interest of the Bank to guarantee its right to effective legal protection.
4. Lawyers and legal representatives when acting as procedural representatives before a court, on the basis of the legitimate interest of the Bank to guarantee its right to effective legal protection and legal assistance.
5. Third parties for the prevention of fraud, such as Confirma Sistemas de Información S.L. (Confirma) and mobile phone operators. In the case of any request for the opening or acquisition of a payment product or service and/or a financing or deferred payment operation, the bank will disclose your data to the “Fichero Confirma” (a filing system managed by Confirma) for the prevention of fraud.

   The purpose of the Filing system is for the participant entities to compare the requests and transactions registered so as to detect possible frauds during acquisition. This purpose involves the assessment of the probability of fraud in the application. The joint data controllers are the institutions included in the Confirma filing system. The data processor is Confirma Sistemas de Información, S.L., whose registered address is at Avda. de la Industria, 18, TRES CANTOS, 28760 MADRID, SPAIN. Applicants can see the list of institutions currently included in the Confirma filing system on the website www.confirmasistemas.es. The legal basis for the processing of personal data is the legitimate interest of the joint data controllers in preventing fraud (Recital 47 of the GDPR), and avoiding possible negative financial consequences and any legal breaches on the part of the applicants. Consulting the Confirma filing system is ideally suited to the purpose, and proportional in relation to the benefit obtained by the joint data controllers and the impact on applicants' privacy. Similarly, data processing is among the reasonable expectations of the data subjects as a common practice, and is carried out in the context of an application to enter into a contract. To avoid damage and negative consequences for the applicants, technical and organisational measures have been adopted to strengthen the confidentiality and security of this information.

   The maximum period of time for which the data will be stored is be five years. Data disclosed to the Confirma Filing System can be viewed by the Entities included in the Confirma Filing System. Data transfers to third parties or international bodies is not foreseen.

   In accordance with the current regulation on data protection, interested parties may exercise their rights to access, rectification, erasure, objection, restriction to processing, not being subject to automated individual decisions with legal effects and portability by sending a letter to the data processor, CONFIRMA SISTEMAS DE INFORMACIÓN, S.L., to the address indicated above. Likewise, interested parties may exercise their right to file a claim before the Control Authority. CONFIRMA SISTEMAS DE INFORMACIÓN, S.L. has appointed a Data Protection Officer that can be contacted via email dpo@confirmasistemas.es, for requests concerning privacy of the Confirma Filing System.

   Moreover, with regard to any application for an acquisition of a product or service or when you amend your telephone number, your telephone number may be checked with mobile phone operators in order to detect potential identity theft and to prevent fraud.  
6. Sociedad Española de Sistemas de Pago, S.A. (Iberpay): For purposes of detecting and preventing fraud, the Bank may add your data to a shared filing system for the prevention of fraud in banking transactions, which is managed by Iberpay and for which responsibility is shared by the participating institutions, including the Bank, for the detection, investigation, monitoring and potential reporting of suspicious and fraudulent transactions involving your current or savings account. Data included in such shared file will be those concerning the IBAN number and the holder of the account where the suspicious or fraudulent transaction has been detected and, where appropriate, they may be disclosed to financial institutions that are part of such shared file, solely for the purpose of detecting, preventing and controlling fraud. You may view the up-to-date list of the participating institutions as regards this filing system via the following link: [https://www.iberpay.es/Secciones/04MasServicios/Paginas/PrevencionFraude.aspx] and request additional information and enquire about the core elements of the co-responsibility agreement between said institutions by emailing privacidad@gruposantander.es

   The only data that we will transmit to the filing system will be that relating to the IBAN and the holder of the account involved in the unauthorised or suspected fraudulent transaction. This data may be viewed by the other participating institutions. The lawful basis for the processing is the Bank's legitimate interest to detect and prevent fraud in banking transactions involving your account, which is also in the interest of account holders potentially affected by fraud committed by a third party.

   The data will be stored in the filing system for a maximum period of 30 days in the case of suspicious transactions, and of one year in the case of unauthorised transactions (when the fraud has been confirmed by the victim). The Bank will automatically erase data included in the shared filing system when they are no longer accurate or do not accurately reflect the situation of the victim. 

7. FraudDfense File. The Bank may include your data in the shared filing system for the prevention of fraud in banking transactions, which is managed by FrauDfense, S.L., for which responsibility is shared by the participating institutions, including the Bank, for the detection, investigation, monitoring and potential reporting of payment transactions that may have a fraudulent nature, involving your account, current or savings account or the non-authorised use of your card (hereinafter the fraudulent transactions). Data included in such shared filing system include IBAN number of your account, PAN of your card, data related to the identified fraudulent transactions (i.e., data of the device from which the transaction was made, data of the account where the transaction was detected or data with respect to inconsistencies have been detected that imply a potential identity fraud). Data can be checked by the financial institutions that are part of the FrauDfense File, only for the purpose of detecting, preventing and controlling fraud.

   You can check the updated list of entities that are part of the FrauDfense File in the following link: https://916087356-1.servicio-online.net/sobre-nosotros1/nuestros-partners and request additional information, as well as on essential aspects of the shares responsibility via privacidad@gruposantander.es or contacting DPO@fraudfense.com 

    The lawful basis for the processing of your data is the Bank's legitimate interest to detect and prevent fraud in banking transactions whose origin or destination is your current or savings account, which is also in the interest of account holders potentially affected by fraud committed by a third party.

   Data will be preserved in the FrauDfense file for a maximum of one year as from the date on which the transaction took place and will be blocked up to the end of such statute of limitation of any action that may arise (generally, for 3 years). The Bank will automatically erase data included in the FraudDfense File when they are no longer accurate or do not accurately reflect the situation of the victim.

   Lastly, besides from the channels that the Bank makes available for you to exercise your data protection rights and that you can check under section “What are your rights when you provide us with your data?”, you can also forward your request through the processor via DPO@fraudfense.com La base que legitima el tratamiento de tus datos es el interés legítimo del Banco en la detección y prevención del fraude en las operaciones bancarias con origen o destino en su cuenta corriente o de ahorro, que a su vez redunda en el propio interés de los titulares de las cuentas que pudieran resultar afectados por el fraude cometido por un tercero.  

8. Other credit institutions, state-owned corporate entities, brokers, collective investment undertakings, venture capital firms and guarantee institutions, trusted third-party service providers, payment service providers, third-party aggregators, payment systems and technology service providers, Notaries, Registrars, valuing companies, digital certificate issuers, administrators and universal postal service operators, in cases where it is necessary for the execution of a contract or provision of a service that you request from us. For example, when you order a transfer to another institution within or outside the European Union, we will disclose, as necessary, your data for the execution of the order, when you make a request to us for a transaction via a third party (broker) with which the Bank works; when the contract that you entered into with the Bank must be notarised by a Notary Public or recorded in a Mercantile Registry, a Registry of Movable Goods or Property Registry for a trusted third party; or when, with regard to an application to acquire a service, in order to obtain the documentation and information needed to consider said application, we are required to do so via a digital certificate issuer.

9. Banco Santander service providers: The Bank also works in partnership with some third-party service providers that have access to your personal data and who process this data, as the data processor, on behalf of the Bank as part of their services.

   The Bank follows strict criteria when selecting service providers to ensure compliance with data protection obligations, and it signs data processing agreements with them, binding them to the following obligations, among others: applying appropriate technical and organisational measures; processing personal data for the purposes agreed and only in accordance with documented instructions from the Bank; and deleting or returning the data to the Bank once the services have been provided.

   Specifically, the Bank will arrange to have third parties provide services in sectors including but not limited to the following: logistics services, legal advice, administration, provider approval, services from management companies not linked to the Santander Group for transmitting or executing shares or units in undertakings for collective investment via specialised technological platforms, multidisciplinary professional services companies, technological service provider companies, software service provider companies, physical security companies, instant messaging service providers and call centre service companies. 

Will your personal data be transmitted to third-party countries?

The data processors engaged by the bank may include providers outside of the European Economic Area, with your data being transmitted internationally. To that effect, the Bank will only transfer to third countries (i) if there is an adequacy decision that determines the country to have a level of protection comparable to that of the European Union; (ii) failing that, by applying suitable safeguards to conform with the data protection regulation, such as signing standard contractual clauses or the binding corporate rules. You may request further information regarding the aforementioned appropriate safeguards by using the contact information in the section "What are your rights when you provide us with your data?"

Furthermore, when you request a transaction in which the destination bank account is in a country outside of the European Economic Area, your personal data will be transferred to the institution with which said account is held. In such circumstances, the legitimate basis for the aforementioned transfer is that it is necessary for the execution of the contract between you and the Bank. 

What are your rights when you provide us with your data?

You may exercise your rights of access, portability, rectification, erasure, restriction and objection. You will also have the right not to be subject to automated decision-making and, as such, you will be able to request human intervention in decision-making concerning you by the Bank and express your point of view; you may also contest decisions.

With regard to processing on the basis of a legitimate interest, you may request information relating to the Bank's assessment, as well as object to any such processing; for the purposes thereof, you must contact the Data Protection Officer/Privacy Office and explain the reason for your objection. It will not be necessary for you to provide any such reason should your objection be in relation to the processing of your data for sales purposes; notification of your wish not to receive sales communications will suffice.

To exercise these rights, or for any matter related to the processing of your personal data, please send an email to privacidad@gruposantander.es or send a letter to: C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid, Spain (FAO Data Protection Officer/Privacy Office). Where there are reasonable doubts with regard to your identity (for example, where communications are sent from an email address that differs to the one that you provided to the Bank), you will be requested to provide additional information to help us verify your identity.

The additional information that you provide to identify yourself will be processed for the purposes of verifying your identity and managing the handling of the right asserted.

Should you exercise your right to access your personal data, please note that you will only receive a copy of the data that is being processed by this entity.

In addition, you may contact the Bank's Data Protection Officer/Privacy Office at the following email address: privacidad@gruposantander.es.

Finally, you can lodge a complaint with the Spanish Data Protection Agency (AEPD). The necessary information is available on its website: www.aepd.es.

The Bank may update this document in the future. The date of its entry into force is provided at the bottom of the document. Please check this page regularly to ensure that you are familiar with the latest version. 

 Version: December 11, 2025

Who is the data controller?

Banco Santander, S.A ("the Bank" or "Banco Santander").

Postal address: C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid.

Data Protection Officer contact: privacidad@gruposantander.es

What types of persons are covered by this document?

This document applies to all individuals who, irrespective of whether they are customers of the Bank or not, request the following from the Bank: (i) to be contacted in relation to a request for information about the Bank's products or services, (ii) to participate in a competition, draw, experience or similar activity organised by the Bank; (iii) to sign up for the Bank's newsletters; (iv) to sign up for any of the non-financial services offered by the Bank (for example, services available at the Work Café) and (v) when they are not customers, to give their consent to the Bank to process their data for commercial purposes. In the case of the Bank's customers, the Bank will process such data for commercial purposes, in accordance with the scope and purposes which have already been set out to and/or consented to by them through their relationship as a customer of the Bank. For these purposes, the Bank may identify you as a customer based on the email address you provide. Should you provide a different address to your registered customer address, except in exceptional cases and justified as needed, where we request your identity document, the Bank may not identify you as a customer and all data will be processed solely in accordance with this data protection policy.

What types of personal data do we collect and process?

• Identification and contact information: full name, address, telephone numbers and email address. In exceptional cases and only when strictly needed to process your request, for example, to check that you are a customer, we will gather information about your ID document (Tax ID no., National ID Card no., Foreigner's ID card no., Non-Spanish ID document/Company Tax ID code).
• Data relating to your personal characteristics: sex and age range.
• Information about your interests that you share with us: for example, when you contact our managers through a consultation call or sign up for a particular experience, prize draw or competition and/or event held or sponsored by the Bank or when you register as a user of any of our non-financial services.
• Academic and professional or employment data: activity, profession and employee category.
• Data about your online behaviour and preferences: for example, pages you visit, browsing habits, your computer's IP address or your mobile device's ID, online identifiers, whether you have consented to the processing described in our Cookies Policy, also available on our website https://www.bancosantander.es/politica-de-cookies. 

How do we obtain your data?

The Bank obtains your data directly from you, through the information you provide when requesting, maintaining and using our services. 

Likewise, the Bank may obtain your data from third-party companies to which you have given consent for the disclosure of your personal data to the Bank. This includes Santander Group companies (for example, management companies) and third-party entities collaborating with and/or affiliated to the Santander Group that you have given consent for these entities to transfer your personal data to the Bank for commercial purposes, and/or for them to use cookies or similar technologies that communicate your information to the Bank. 

What do we use your personal data for and on what legal basis?

The different purposes of processing by Banco Santander are set out below:

1. Handling a request or service for the individual providing the data.

   We will process your personal data for handling your request and/or providing the service that you request, in the following circumstances: (i) when you request to be contacted for the purposes of handling a request for information about your products or services; (ii) to participate in a competition, draw, experience or similar activity organised by the Bank; (iii) to sign up for the Bank's newsletters distribution service, and any requests which may arise from it; or (iv) to register for the services provided by the Bank in Work Café spaces.

   Additionally, when you register for any of our non-financial services, we will process your personal data for the following purposes:

   • To sign up as a new user of the digital platform and to give you access to the services as a registered user.
   • To send you informative communications strictly related to the products or services you have registered for as a user and regarding how to use them.

   Finally, we will process your data to assist you with any type of query, claim or incident arising from the services provided.

   The legal basis for these processing activities is handling your request or providing the service requested by you from the Bank.

2. Compliance with the Bank's legal obligations

   We will process your personal data to comply with the legal obligations applicable to the Bank, such as tax obligations and any other obligations imposed by supervisory bodies and competent authorities.

   The legal basis for these processing activities is compliance with the legal obligations that apply to the Bank.

3. Fraud prevention and investigation

   We will process your data to detect and analyse possible fraudulent activities, identify and know the participants in them and, where appropriate, carry out the actions that are considered necessary.

   The legal basis for these processing activities is the legitimate interest of the Bank in preventing, investigating and/or discovering fraud.

4. Management of administrative, pre-trial and judicial procedures

   In your case, we will process your personal data for the defence of the Bank's rights and interests in any type of administrative, pre-trial and/or judicial procedure arising from or related to the relationship established with you.

   This processing would find its legal basis in the Bank's legitimate interest to guarantee and exercise its right to effective judicial protection.

5. Verification of the quality of services provided

   The Bank processes your personal data for the purpose of reviewing, auditing and improving the quality of the services provided, which includes (i) conducting satisfaction surveys and analysing their results, (ii) recording your voice and/or image and storing the telephone conversation and/or video, only in cases where we explicitly state it, and (iii) conducting market research through in-person surveys, with a view to understanding our customers' perception and opinions regarding our services.

   The legal basis for processing is the Bank's legitimate interest in carrying out a process of constant improvement of the service provided to potential customers and any other interested person who contacts the Bank. A high level of service quality will be ensured in all cases, both on the part of the Bank and the providers of the customer service.

6. Preparation of statistics, internal reports and analytical models.

   At the Bank, we will process your personal data to develop analytical models and reports of various kinds:

   • Generate and develop commercial predictive analytical models.
   • Conduct audits and reviews of the Bank's internal controls.
   • Monitor commercial strategies and other business analyses.
   • Obtain aggregated information for the purpose of conducting statistical studies and business analyses, for example, regarding the use of the channels that the Bank makes available to its customers or potential customers to assist them and complaints related to the services provided by the Bank.
   • Prepare internal reports and other aggregate (e.g. business indicators, operational risk) and statistical reports. 

   The legal basis for these processing activities is the legitimate interest of the Bank in increasing its knowledge of customers and potential customers in order to offer them a better service, obtain information about the state of their businesses to inform better corporate, strategic and commercial decision-making, and maintain adequate internal management of the Bank and its business group. 

7. Segmentation and creation of a commercial profile for marketing activities and personalising services. 

   We will process your personal data as described in the section "What type of personal data do we gather and process?", including online behaviour data and preferences if you have accepted the cookies, to segment or classify you based on objective data available to the Bank to improve commercial activities.

   The legal basis for this processing is the legitimate interest of the Bank in optimising and improving its commercial activities.

   If you are not a customer of the Bank and you have given your consent by ticking the relevant box, the Bank will process your personal data relating to characteristics and interests, and if you have consented to the installation of cookies, your online behaviour and preferences. This is described in the section What type of personal data do we collect and process? Likewise, the Bank may use statistical information from external and/or internal sources (for example, income or revenue statistics obtained from the National Institute of Statistics based on your postcode) to analyse your preferences, behaviour and needs. This allows us to infer your situation in order to select events and/or experiences that we believe may be of interest to you, recommend that you participate in draws or contests organised by the Bank and identify products and services that may interest you most. Our aim is to present you with personalised offers of our products and services, or those of third parties. Moreover, the Bank will process your identification details, in particular, your full name and contact details (your email address and telephone numbers) for marketing activities.

   The commercial profile created by the Bank with your data will be used to present and/or send you personalised offers, by electronic and telephone means, of Santander Group or third-party products and services, companies in which the Group is invested or its collaborators. This includes invitations to participate in events, experiences, draws or contests and for the personalisation of the services that you request from us. For example, if you sign up for the Bank's newsletters, the commercial profile that the Bank creates using your data will be used to personalise them for you by presenting content we think may interest you.

   The collaborating and/or affiliated companies whose products may be the subject of commercial activities belong to the following sectors: financial and insurance, consumer goods, training, education and culture, employment, home, health and beauty, hotel and travel, IT, telecommunications and technology, automotive, advisory services, real estate and construction, leisure and free time, ticket sales for events or similar, security, textiles and fashion, catering, food-fishing and livestock, agri-food, sports, energy, repair and maintenance, transport, logistics, administration, advisory and consulting, machinery and office equipment, commerce, industry, health and social services.

   The legal basis for this processing is the consent given by ticking the box/boxes provided for this purpose on the form made available to you. 
8. Use of cookies and similar technologies on the Bank's website and app

   The Bank uses cookies and similar technologies, both its own and those of third parties, on its website for the following purposes: 

   • Monitor participation in competitions, prize draws or experiences promoted by the Bank through its website, with the aim of improving processes to make them more intuitive for customers.
   • Monitor and analyse user behaviour, including the viewing or interest in published experiences, to measure web activity, with the aim of introducing improvements based on the analysis of usage data from service users.
   • Store information on user behaviour obtained through continuous observation of their browsing habits, which allows a specific profile to be developed, so that advertising can be shown based on it.
   • Share with third parties a unique identifier created from a cookie identifier or obtained from your encrypted identifying or contact details, in order to, based on segmentations made with objective data available to the Bank that have been provided by you and/or your commercial profile created by the Bank, to show you personalised advertising about our products and services on the platforms of said third parties, monitor and optimise commercial activities; and so that these third parties can interact with you in accordance with their own cookie policies, if you have consented to them.
   • Monitor and optimise our commercial activities in order to measure their effectiveness. 

   To achieve these purposes, the Bank uses both aggregated and individualised data. 

   For more information about the cookies used by the Bank and the type of information collected through them, please see the Cookie Policy. You can also configure your cookie settings here.

   The legal basis for this processing is the consent given by the user when allowing the use of cookies on the Bank's website.

Do you have to provide your data?

• You need to provide us with your data so we can manage your request and so you can use the services we are offering you. •
• You register as a potential customer using the email address you provide. This address is used as your unique identifier and is linked to all data processing relating to you, in accordance with this document. Therefore, you should not use any email addresses that you may be shared with others. If you choose to use a shared email account, these third parties will have access to the information that we send you, and we will treat any requests we receive using this identifier as being from you.
• You cannot change the email address connected with any pending request or used with services you have requested or signed up for, as we use your email address as your unique identifier. If you wish to change your email address, you will have to cancel the pending services or requests and reapply for the services or register them again with your new email address, which we will then use as your new identifier.
• Should you not authorise your personal data to be processed in cases where you are asked to provide consent, or should you wish to withdraw it at any given time, this will not affect the processing of the request that you have sent to us or your participation in the draw, competition, experience or similar activity to which you have signed up or the provision of the service for which you have registered.
• In addition, please note that you can unsubscribe from any newsletter you have signed up to at any time by clicking the relevant link or emailing the address at the bottom of each newsletter you receive. 

For how long do we keep your data?

We will process your personal data for as long as is necessary to fulfil the purpose for which it was collected. If you have consented to us processing your data for commercial purposes, we will process it until you withdraw your consent or request its deletion.

When your personal data is no longer necessary for the purposes set out in this document, we will block it, meaning that the Bank will not process it further except to store it for the purpose of making it available to the relevant public administrations, judges, courts or public prosecutor's office in the event of any liabilities arising from the contractual relationship or the processing of the data. We will keep your data blocked for the periods provided for in the applicable legal provisions or, where appropriate, for the limitation periods of actions arising from the contractual relationships maintained with the Bank, and will then proceed to physically delete or completely anonymise your data once these periods have elapsed. 

Who do we share your personal data with?

We share your personal data with:

1. Companies belonging to the Banco Santander Group and third‑party entities that collaborate with and/or are invested in by the Santander Group (for example, insurance companies and financial asset managers). Depending on the data-processing purpose that we have set out to you in this document, we will only share your data with third parties: i) when we need to disclose said data in order to process your request or the service (for example, in some instances, when you are the winner of a draw/competition, we will share your identification and contact data with the Bank's partners for the promotion, so that the prize can be issued and/or delivered to you, or in cases where the prize bears the winner's name [such as tickets to an event], we will disclose your data to the organiser so that the organiser can check that you are the rightful owner); and finally, ii) when we need to disclose them in order to comply with a legal obligation. 
2. Third parties with whom a unique identifier is shared for commercial activities in online environments, as indicated in section 8. Use of cookies and similar technologies on the Bank's website and/or app (for example, advertising platforms): when you provide your consent to the use of cookies on the Bank's website and/or app. You can access the full list of third parties with whom we will share your personal data at the following link.
3. Public Administration bodies, when there is a legal obligation to provide them: 

   3.1) Spanish Tax Agency, in compliance with the applicable tax regulations

   3.2) Competent authorities.
   

4. Courts and Tribunals and State Security Forces and Corps, when this is imposed by a legal obligation or is necessary for the formulation, exercise or defence of claims, on the basis of the Bank's legitimate interest in guaranteeing its right to effective judicial protection.
5. Lawyers and solicitors, when acting as procedural representatives in court, on the basis of the Bank's legitimate interest in guaranteeing its right to effective judicial protection and legal assistance.
6. Notaries, in cases where it is necessary within the framework of their participation in a competition, draw or experience, for example, when the choice of the winner is made before a public notary.
7. Banco Santander service providers: the Bank collaborates with third-party service providers who have access to your personal data and who process said data, as data processors, on behalf of the Bank in their condition as service providers. 

   The Bank follows strict criteria for selecting service providers in order to comply with its obligations regarding data protection and undertakes to sign the corresponding data processing contract with them, which will impose on them the following obligations, among others: to apply appropriate technical and organisational measures; to process personal data for the agreed purposes and only in accordance with the Bank's documented instructions; and to delete or return the data to the Bank once the provision of services has ended.

   Specifically, the Bank will arrange the provision of services by third-party providers operating, including but not limited to, in the following sectors: logistics services, legal advice, management services, supplier certification, multidisciplinary professional services companies, technology service providers, computer service providers, physical security companies, instant messaging service providers and call centre service companies.

Will your personal data be transferred to third countries?

Among the data processors contracted by the Bank, there may be providers that are not located in the European Economic Area, resulting in an international transfer of your data. To that end, the Bank will only transfer data to third countries (i) if there is an adequacy decision that determines that it is a country with a level of protection comparable to that of the European Union, (ii) failing that, applying appropriate safeguards in accordance with data protection regulations, such as the signing of Standard Contractual Clauses or Binding Corporate Rules. The data subject may request additional information about such appropriate safeguards through the contact methods indicated in the section "What are your rights when you provide us with your data?"

Likewise, when you give us consent to share a unique identifier with third parties, as stated in section 8 "Use of cookies and similar technologies on the Bank's website and app", the unique identifier will be transferred to third parties located in (i) the United Kingdom, according to the EU Commission's adequacy decision of 28 June 2021 or (ii) the United States, provided these third parties adhere to the EU-US Data Privacy Framework referred to in the EU Commission's adequacy decision of 10 July 2023. 

What are your rights when you provide us with your data?

You may exercise your rights of access, portability, rectification, erasure, limitation and opposition.

Regarding processing based on legitimate interest, you may request information regarding the weighting procedures carried out by the Bank, as well as object to any such processing, for which you must contact the Data Protection Officer and explain the reason for your objection.

Likewise, you may revoke the consent given at any time, without this affecting the legitimacy of the processing carried out previously on the basis of said consent. To exercise the aforementioned rights or consult any question relating to the processing of your personal data, you can send an email to privacidad@gruposantander.es or, write to us at C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid (A/A. Data Protection Officer). When there are reasonable doubts about your identity (for example, when the communication is made from an email address other than the one the Bank has), you will be asked to provide additional information to help us verify your identity. If you exercise your rights through a representative, you must also provide a valid document as proof of their representation.

The additional information you provide for your identification will be used solely for the purpose of verifying your identity and managing the exercise of your right.

If you exercise your right to access your personal data, please note that you will only receive a copy of the data that is being processed by this entity.

Additionally, you may contact the Bank's Data Protection Officer/Privacy Office via the following email address: privacidad@gruposantander.es.

Finally, you may file a complaint with the Spanish Data Protection Agency. The necessary information is available on their website: www.aepd.es

The Bank may update this document in the future. The date of its entry into force is indicated at the bottom. Please check this information periodically to ensure you are familiar with the latest version. Version: December 3, 2024.

Who is the data controller?

Banco Santander, S.A (hereinafter "the Bank" or "Banco Santander").

Postal address: C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid, Spain.

Data Protection Officer/Privacy Office contact: privacidad@gruposantander.es

What types of persons are covered by this document?

This document applies to all persons who, despite not necessarily being customers of the Entity, promptly request the Bank to provide a service or carry out an operation, usually cash operations, including, for example, currency exchange, payment orders, receipts or invoices.

What types of personal data do we collect and process?

Identification and contact details: Identity document (Spanish tax ID (NIF), Spanish national ID (DNI), foreign registration number (NIE), non-Spanish identity document/corporate tax ID (CIF)), name and surname, customer number, address, residence, telephone numbers and email address.

If you have used a digitised handwritten signature in your relations with the Bank in order to request services and/or complete transactions, we will retain the data obtained by digitising the handwritten signature (such as the order, intensity, speed, pressure and acceleration of the stroke), which will be used exclusively as evidence in the event of repudiation, in order to verify, by means of comparison, that the signature is yours, thus authenticating the customer in order to accredit the authenticity of the documentation or transaction that you are requesting from the Bank.

The Bank will not collect or process data from minors, unless they have requested a service from the bank or issued an order to the Entity, either directly or on behalf of their parents or guardians. The processing of minors' data shall be limited exclusively to the provision of the service or the execution of the order received.

How do we obtain your data?

The Bank obtains your data through the following sources:

1. Directly from you, through the information that you provide us when you request a service or the execution of an order, through any of the channels that the Bank makes available to you (branch, telephone channel, online services, etc.).
2. In some cases when, for example, you are the beneficiary of a payment, the Payer may provide your data to the Bank. In these cases, such third parties should be aware that, prior to the communication of your data, they have the obligation to inform you of the transfer and, where appropriate, to have obtained your authorisation.
3. External information sources:
   • Specialised information files or public sources available on the internet relating to the prevention of money laundering and the financing of terrorism, from which the Bank obtains information on its customers who hold or are involved in accounts, legal representatives and beneficial owners of accounts.
   • Your client, if you are acting as a representative or an authorised individual for a company, entity or another individual.

For what purposes and on what lawful basis do we process your personal data?

The different purposes of Banco Santander's data processing are set out below:

1. Providing the service or executing the order that you have requested or instructed.
2. The lawful basis for this processing is to execute the service that you have requested from the Bank.
3. Compliance with the Bank's legal obligations.
4. We will process your personal data to comply with the legal obligations applicable to the Bank, such as:
   • Obligations relating to the prevention of money laundering and terrorist financing.
   • To comply with these obligations, the Bank will process the data required to comply with the due diligence obligations set out in the applicable regulation. For these purposes, the Bank will also share your personal data with other Santander Group companies and third-party entities and/or partners of the Group, under the terms provided by this regulation.

     Furthermore, the Bank may process the Data Subjects' data to issue relevant statements to the authorities under the cases established for the purpose, with regard to transactions involving cash, banknotes and cheques issued to the bearer.

     Finally, the Bank may process data that are necessary to analyse operations performed that may present signs of money laundering or terrorist financing, and will carry out the relevant notices, where appropriate, with the Anti-Money Laundering and Monetary Offences (SEPBLAC) Authority by(i) regularly reporting on operations that meet specific requirements set by the SEPBLAC or (ii) requesting specific information on an operation.

   • Commercial, corporate and tax obligations and obligations of any kind imposed by the supervisory bodies and competent authorities (for example, the European Central Bank, the Bank of Spain, the Spanish National Markets and Competition Commission or the Spanish Data Protection Agency).

The lawful basis for this processing is compliance with legal obligations applicable to the Bank. 

1. Prevention and investigation of fraud.
2. We will process and/or communicate your data to third parties, whether or not they are Santander Group companies, to detect and analyse potential fraudulent activity, identify and determine the participants in the same, and, where applicable, carry out any measures deemed necessary.
3. The lawful basis this processing is the Bank's legitimate interest in preventing, investigating and/or discovering fraud.
4. Management of administrative, preliminary ruling and judicial proceedings.
5. In this case, we will process your personal data to protect the rights and interests of the Bank in any type of administrative, preliminary ruling and/or judicial proceedings arising from or linked to the relationship with you.

   The lawful basis for such processing lies in the Bank's legitimate interest in guaranteeing and exercising its right to effective legal protection.

Is it compulsory to provide your data?

It is compulsory for you to provide us with your data insofar as you wish to request a service or an operation from the Bank that requires your identification, in accordance with current regulations.

How long do we keep your data? 

We will process your personal data for as long as they are needed for the purposes for which they were collected.

When your personal data becomes no longer necessary for the purposes set out in this document, we will store it, duly encrypted, which will mean that the Bank will not carry out any processing other than storing the data to make it available for the competent public administrations, judges and courts, or the public prosecutor's office; to support potential liabilities arising from the contractual relationships maintained or related to data processing. We will keep your encrypted data for the time frames set out in the applicable provisions or, where appropriate, in the contractual relationships with the Bank, and physically erase or fully anonymise your data once these time frames have passed.

With whom do we share your data?

We share your personal data with:

1. Companies of the Banco Santander Group. We will only share your data with such third parties when the transfer is necessary to comply with a legal obligation.
2. Government agencies and private entities, when there is a legal obligation to disclose it to them (non-exhaustive list):

   2.1) The Spanish Tax Agency, in accordance with tax legislation.

   2.2) Competent authorities specialised in countering terrorist financing, serious forms of organised crime and anti-money laundering prevention.

3. Courts and state law enforcement and security forces, when doing so is required due to a legal obligation or when it is necessary for the preparation, execution or defence of claims, on the basis of the legitimate interest of the Bank to guarantee its right to effective legal protection.
4. Lawyers and legal representatives, when acting as procedural representatives before a court, on the basis of the legitimate interest of the Bank to guarantee its right to effective legal protection and legal assistance.
5. Other credit entities, in cases where sharing your data is necessary to carry out an order or provide a service that you have requested from us. For example, when you request a transfer to another entity, located outside or within the European Union, we will necessarily communicate your data to carry out the requested order.
6. Banco Santander service providers: The Bank works in partnership with some third-party service providers who have access to your personal data and who process this data, as the data processor, on behalf of the Bank as part of their services.

   The Bank follows strict criteria when selecting its service providers so as to ensure compliance with its data protection obligations, and it signs data processing agreements with them binding them to the following obligations: applying appropriate technical and organisational measures; processing personal data for the purposes agreed and only in accordance with documented instructions from the Bank; and deleting or returning the data to the Bank once the services have been provided.

   Specifically, the Bank will arrange to have third parties provide services in sectors including but not limited to the following: logistics services, legal advice, administration, provider approval, multidisciplinary professional services companies, technological service provider companies, software service provider companies, physical security companies, instant messaging service providers and call centre service companies.

Will your personal data be transferred to third countries?

The data processors engaged by the Bank may include providers outside of the European Economic Area, with your data being transmitted internationally. As such, the Bank has appropriate safeguards of compliance with data protection regulations, including the signing of standard contractual clauses or binding corporate rules. The Data Subject may request further information regarding the aforementioned appropriate safeguards by using the contact information in the section "What are your rights when you provide us with your data?".

Furthermore, when you request a transaction in which the destination bank account is in a country outside of the European Economic Area, your personal data will be transferred to the institution with which said account is held. In such circumstances, the legitimate basis for the aforementioned transfer is that it is necessary to carry out the requested order.

What are your rights when you provide us with your data?

You may exercise your rights of access, portability, rectification, erasure, restriction and objection.

With regard to data processing on the basis of a legitimate interest, you may request information relating to the Bank's assessment, as well as object to any such data processing; for the purposes thereof, you must contact the Data Protection Officer/Privacy Office and explain the reason for your objection.

To exercise these rights, or for any matter related to the processing of your personal data, please send an email to privacidad@gruposantander.es or send a letter to: C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid, Spain (FAO Data Protection Officer/Privacy Office). Where there are reasonable doubts with regard to your identity (for example, where communications are sent from an email address that differs to the one that you provided to the Bank), you will be requested to provide additional information to help us verify your identity. Should you exercise your rights through a representative, you must also provide valid supporting documentation for this representation.

The additional information that you provide to identify yourself will be processed for the purposes of verifying your identity and managing the handling of the right asserted.

Should you exercise your right to access your personal data, please note that you will only receive a copy of the data that is being processed by this entity.

In addition, you may contact the Bank's Data Protection Officer/Privacy Office at the following email address: privacidad@gruposantander.es.

Finally, you can lodge a complaint with the Spanish Data Protection Agency (AEPD). The necessary information is available on its website: www.aepd.es

The Bank may update this document in the future. The publication date is provided at the bottom of the document. Please check this page regularly to ensure that you are familiar with the latest version. Version: February 22, 2023

STEP 1. APPLICATION FOR CERTIFICATE OF ACCOUNT OWNERSHIP FOR A DECEASED PERSON

You can find all the information on data protection, including how to exercise your rights, at the following link: https://www.bancosantander.es/informacion-proteccion-datos/proteccion-datos-herederos-beneficiarios.

STEP 2. EXECUTING WILLS

You can find all the information on data protection, including how to exercise your rights, at the following link: https://www.bancosantander.es/informacion-proteccion-datos/protecccion-datos-testamenterias.

Version: February 22, 2023

How to contact the Data Protection Officer?

The Bank has appointed a Data Protection Officer who plays an important role in compliance with the legal data protection framework for all processing operations completed by the entity.

Among other things, the Data Protection Officer is responsible for informing and advising the Bank as well as its employees who perform processing functions of the applicable data protection legislation, as well as ensuring that these regulations, and the Bank's policies in this area, are observed. This includes assigning responsibilities, awareness-raising and training of staff and conducting the corresponding audits.

You can contact the Data Protection Officer at privacidad@gruposantander.es or by writing to Juan Ignacio Luca de Tena 11-13, 28027, Madrid, Spain, to resolve any doubts that you may have regarding the Bank's privacy policy and to ask any questions about the processing of your personal data and, in general, the applicable legislation on personal data protection.

Likewise, you can contact the Data Protection Officer to submit any complaints concerning the processing of your personal data and to exercise your personal data rights.