Privacy Policy

Pursuant to the provisions of applicable personal data protection regulations, in this Data Protection Notice, Banco Santander S.A., (hereinafter, “we” or “Santander”) would like to inform you, about how your personal data is processed, including but not limited to personal data that we process in the context of:

• business to business and/or direct marketing, including the CRM Santander Corporate & Investment Banking (SCIB) application; and
• anti-money laundering, countering the financing of terrorism and international sanctions, including within the Onboarding Process and throughout the business relationship, with a risk-based approach.

In certain circumstances, we may collect information about you even if we do not have a direct relationship with you (for instance, in the course of our relationship with our clients or counterparties). When you provide us with personal data related to other data subjects, please make sure that you inform them about the disclosure of their personal data and invite them to read this Data Protection Notice.

Santander fully complies with regulations governing the protection of personal data and, in particular, with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, "GDPR"), and any local laws that may apply depending on the country where you are placed, in such a way that any personal information processed, shall be processed in compliance with the legally enforceable safeguards and obligations.

In accordance with applicable regulations, Santander implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as well as to prevent personal data from accidental or unlawful destruction, loss, alteration, access or unauthorised disclosure. Likewise, Santander complies with the duty of secrecy and confidentiality regarding the personal data it processes.

We will only process personal data that is adequate, relevant and limited to the purposes for which it was gathered and will only process it strictly as necessary for the purpose for which it was collected.

You may exercise your rights of access, rectification, deletion, objection, portability and limitation of data processing (or any others recognized by law), or ask any questions relating to the processing your personal data under this Data Protection Notice, at any time by sending a written communication to: scibprivacy@gruposantander.com.

The Data Protection Officer is entrusted with monitoring and compliance functions to ensure that the personal data that we process is properly protected and processed in accordance with GDPR and applicable regulations.

If you would like to request information or wish to make a complaint about an infringement of your privacy, you may contact our DPO at privacidad@gruposantander.es.

Without prejudice to any other administrative appeal or judicial action, you have the right to file a claim with the Spanish Data Protection Agency at www.aepd.es.

1. What is the source of the personal data we process?

The personal data we process as a data controller may have been provided either directly by you or by the company to whom you provide services to or represent, and that holds a commercial or contractual relationship with Santander[1].

2. What type of personal and professional data do we process?

As a data controller, we process the following categories of personal data, where applicable:

• Client related parties’ identification data: name and surname, ID copy and signature.
• Professional contact details: address, e-mail address and phone number.
• Personal characteristics data: date of birth, country of residence and nationality.
• Your position or role in the organization you belong to.
• Information collected during your visits to our website (including IP address, login data, browser type and version, device type, time zone setting etc.) and profile and usage data (including passwords to Santander websites, your preferences in receiving marketing information, and information about how you use our website, To learn more about our use of cookies or similar technology please check our cookies policy. https://www.santandercib.com/cookies-policy

1. Management of the contractual and commercial relationship between Santander and the company you work for or represent. Your personal data is processed when it is necessary to enter into or perform a contract to provide our corporate clients with the products and services subscribed to under the applicable contract, where necessary for this purpose, and does not undermine the rights and freedoms of data subjects or creates an imbalance between its rights and those of data subjects. The legal basis is the performance of the contract between the parties and the legitimate interest in contacting the entity you represent.
2. Management of the request for information that you send us through the contact form on the website or by other means (via telephone or e-mail). This processing is necessary to attend and manage your request prior to entering into a contract.
3. To send you commercial offers by electronic means of product and services information similar or equivalent to those that our client contracted. The legal basis for this processing is the legitimate interest of Santander in informing its clients about similar products and services, if you are identified as a contact or representative of a client, and unless you object.
4. Submission of event invitations organized by Santander, or by third parties whose attendance is always voluntary, and which may require additional registration by the data subject. The legal basis for this processing is our legitimate interest in maintaining our commercial relationships with our clients. You may object to receive this type of communications at any time.
5. Submission of surveys concerning quality of a given service. We may send invitations to participate in those surveys, to assess the quality of the service contracted by the company you work for. The legal basis for this processing is the legitimate interest of the Bank in assessing the quality of the services.
6. We monitor operations and transactions to manage, prevent and detect fraud, through an expert analysis with the aim of analyzing the level of risk of our clients, including personal data of its legal representatives, agents, advisors and contractors, based on a legitimate interest recognized by financial regulators and to meet applicable legal obligations.
7. Your personal data is processed where necessary to enable us to comply with the laws to which we are subject, including banking and financial regulations, and anti-money laundering and countering of the financing of terrorism, including measures designed to prevent and combat financial crimes and sanctions regimes (OFAC, UN, EU and OFSI, among others). As part of a banking group, we have a robust system of anti-money laundering and countering of terrorism financing in each of our entities managed centrally, as well as a system for applying local, European and international sanctions which may require the processing of your personal data. In this context, we carry out processing operations, through our Know Your Customer (KYC) process (to identify you, verify your identity and screen your details against sanctions lists, prior to and in the course of our services). We also undertake enhanced due diligence for high-risk clients, Politically Exposed Persons, Client database screening and transaction filtering, reasonably designed to ensure compliance with applicable laws, among others. This includes data of related parties, such as the ultimate beneficial owner/controller, directors or contacts that may be required on a risk-based approach. We carry out these checks when you enter into a relationship with us, but also throughout the relationship we have with you.
8. Authorized representative´s identity and powers conferred verification, as applicable. The personal data provided by the client for this purpose, is based on the execution of pre-contractual measures and, where appropriate, on the management of the contractual relationship.

Your personal data will be processed for the longer of: (i) the commercial or contractual relationship with the company you provide services to or you represent, and as long as you do not exercise your right of deletion; (ii) responding to legal claims or regulatory requests; and (ii) the period required by applicable law.

Most personal data collected in relation to a specific client is retained for the duration of the contractual relationship plus 10 years for information processed subject to anti money laundering regulations.

Once these periods have expired, personal data will be deleted or anonymized.

Your data may be shared between Santander Group entities, where necessary, for the management, maintenance, and control of our contractual or commercial relationships, to comply with our regulatory obligations and to prevent fraud. In this context, the following entities may process your data:

• Banco Santander Totta, S.A. with head office at Rua do Ouro no. 88, 1100-063 Lisboa, PORTUGAL.
• Santander Bank Polska S.A. with head office at al. Jana Pawła II 17, 00-854 Warsaw, POLAND.
• Banco Santander Río S.A. with head office at Av. Juan de Garay 151, Ciudad Autónoma de Buenos Aires, ARGENTINA
• Banco Santander S.A. (Uruguay) with head office at Julio Herrera y Obes 1365, 11100, Montevideo, URUGUAY
• Banco Santander (México), S.A., Institución de Banca Múltiple, with head office at Avenida Prolongación Paseo de la Reforma, número 500, Colonia Lomas de Santa Fe, C.P. 01219, Ciudad de México, MEXICO.
• Banco Santander (Brasil) S.A. with head office at Av. Presidente Juscelino Kubitscheck 2041/2235 - Vila Olímpia - São Paulo / SP, BRAZIL.
• Santander Bank, N.A. with head office at 75, State Street, Boston, 02109 Massachusetts, USA.
• Santander US Capital Markets LLC, with head office at 437 Madison Avenue, New York, 10022 New York, USA.
• Banco Santander-Chile with head office at Bandera, 140 Santiago de Chile 8340455, Región Metropolitana, CHILE.
• Banco Santander de Negocios Colombia S.A. with head office at Calle 93 A No. 13-24, Bogotá, 110221, COLOMBIA.
• Banco Santander (Perú), S.A. with head office at Avenida Ricardo Rivera Navarrete 475, San Isidro, 15046, Lima, PERU.

Each entity acts as a separate data controller and the purpose of this communication is to carry out the tasks described in this Data Protection Notice, which in any case seek to always offer the best service to our business customers.

For the management of our contractual and commercial relationships, we manage a database designed in such a way that not everyone has access to all the data, but that each user is granted different permissions on a need-to-know basis; each entity of the Group visualises and registers the contacts of the employees of the entities with which it has a contractual or commercial relationship (thus, for example, the contact details of the employees of a company in Brazil would be registered by the team of bankers of Santander Brazil, which would be the entity that would have access to these data). However, some manager positions are provided with a global access permission so they can visualize any profile registered if needed.

Furthermore, your data may be communicated to: 

• Spanish Public Administration and Judicial Authorities when we are required in accordance with the legislation in force.
• The Bank of Spain, to which we are obliged to communicate the necessary data to identify clients or representatives which could involve, directly or indirectly, a credit risk. We may process data relating to clients registered at the Bank of Spain, for the purposes of granting and managing credit operations , including the evaluation, and monitoring of the credit risk thereof through screening techniques and expert analysis, as well as to comply with the regulations on risk concentration and any other regulation that, within the scope of prudential supervision of credit institutions, are applicable to us.
• Authorities or official organisms of other countries, located within or outside the European Union, within the framework of the fight against terrorist financing, serious forms of organized crime and money laundering, as well as the Commission for the Prevention of Money Laundering and Monetary Offences assisted by the Executive Service of the Commission (SEPBLAC) and of the Commission Secretariat whose powers are exercised by the Sub-Directorate General of Inspection and Control of Capital Movements. 
• SEPBLAC: the ultimate Beneficial Owner account holders, meaning any natural person who is ultimately responsible for, owns, or controls a client; and its authorised representatives, as well as the data opening or cancellation of the account, and its modifications.

We follow strict criteria when selecting service providers to ensure compliance with data protection obligations and enter into data processing agreements with them, binding them to the following obligations, among others: the enforcement of suitable technical and organisational measures, the processing of personal data for the agreed purposes and following solely our documented instructions, and the erasure or return of data once the provision of services is complete.

The communication of data described above include Santander Group entities located outside the European Economic Area; for those countries that do not have an adequacy decision that determines that it is a country with a level of protection comparable to that of the European Union, Santander Group has put in place appropriate safeguards such as the Standard Contractual Clauses to guarantee that the data subjects have enforceable rights and effective legal actions.

You can obtain further information about the safeguards adopted sending an email to scibprivacy@gruposantander.com.

If we change this Data Protection Notice, we will let you know about the changes by sending you an updated version.  We are committed to protecting and respecting your privacy and will continue to do so in any future changes we make to this Data Protection Notice.

[1] Santander Corporate & Investment Banking may include all the SCIB areas of the different financial institutions that conform Santander Group.