Privacy policy

1 General information

1.1 Our privacy policy is applicable to all information that you provide to us and/or that we collect about you when you use our services. In this policy, you can read more about the information we collect, how we manage your information, how long we store information about you, etc.

2 Data controller

2.1 Santander Consumer Bank is the data controller for the processing of your personal data. Our contact information is:

Santander Consumer Bank AS, Norway
Strandveien 18,
NO-1325 Lysaker
Phone no: +47 21 08 30 00.
Email-address: personvern@santanderconsumer.no
Company reg. no: 983521592

2.2 The general legal framework for our processing of personal information is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and on the repealing of Directive 95/46/EC and related regulations. Additionally, the Act on supplementary provisions to the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data - the Danish Data Protection Act.

2.3 Santander Consumer Bank's Data Protection Officer is responsible for ensuring compliance with the General Data Protection Regulation and this privacy policy. Our Data Protection Officer can be contacted at the following email address: personvern@santanderconsumer.no

3 Purpose of the processing of your personal data

3.1 Depending on whether you have signed up at the Nordic Development Portal, , we are obliged to process your personal data to such an extent that we can provide the services that you request, and live up to the contractual and legal obligations we have as a company. E.g. for the technical integration. This applies to the handling and administration of your agreement with us in connection with your use of our website, our support and/or in connection with the creation and administration of your user registration. It may also be in connection with the communication we send to you.

3.2 The information we ask you to provide in connection with the creation of a user account for our Development Portal is necessary for us to be able to administer the account, provide services and to send relevant information about the Development Portal to you. The legal basis for the processing is contract execution ref. art. 6 (1) (b).

4 The personal data we process about you

4.1 We collect the following data directly from you:

4.1.1 When you create a profile with us and depending on which services you want to use, we collect the following personal data from you: Name, telephone number, email address and whether you wish to receive marketing newsletters, etc. via email and text message

4.1.2 In addition, we collect your IP address when you browse our website.

4.1.3 Once you have registered you get access to our open API’s.

5 Cookies

5.1 Our website makes use of cookies to manage logins and to collect web statistics. A cookie is a small text file sent from our server to your browser which is stored on your computer's hard drive or your mobile device. Cookies are synonymous with enabling you to use the website more effectively and more easily. We do not process information about user behaviour which is collected via cookies in a way that can connect user behaviour with specific persons. You can set your browser to notify you when you receive a cookie so that you always have the option to decide whether to accept them. You can also choose to completely turn off the function. However, if you do this, the website will not function optimally. Cookies do not contain personal data such as information about your email address, user ID or other personal data in addition to what is stated in this policy. You can read our cookie policy here: https://www.santanderconsumer.no/personvern/informasjonskapsler-og-cookies/

6 How we process your personal data

6.1 Specifically, we use your personal data for various purposes:

• To administer your registration, for example, so we can provide the services that are available and for general communication with you;
• To meet the applicable legal requirements;
• To send you marketing material in accordance with applicable marketing laws;
• If you contact us by telephone the conversations can be recorded to train and develop our employees as well as to document agreements.
• For testing: To optimize our systems, products and services we constantly develop our applications and systems. We do this to optimize security and to offer our users the best possible user experience. As a main rule we use synthetic or anonymized data for such purposes, but in some cases we use masked personal information.

6.1.1 If you are simply a user of our website, we use your personal data to:
• Be able to make certain functionalities available to you on our website;
• Prepare statistics about behaviour on our website;
• Optimise our website's layout.
You can read more about how we place and use cookies, pixels, etc. in our cookie policy https://www.santanderconsumer.no/personvern/informasjonskapsler-og-cookies/

7 Why do we have permission to process data (grounds for processing)?

7.1 When you have registered, we process your personal data for the particular purpose of servicing you. The legal basis for the processing of your personal data is the Data Protection Regulation’s Article 6 (1) (b), what is necessary for us to fulfil our obligations connected to you registration.

7.2 We also have the option of processing your personal data because we have a legitimate interest in processing the information about you, see the General Data Protection Regulation’s Article 6 (1), unless your right to obtain protection of your own standard personal data precedes our legitimate interest in processing your information. When the processing of your data is based on a legitimate interest, you may at any time contact our customer service and ask for access to the balancing test.

7.3 We have a legitimate interest in processing your personal data with reference to Article 6 (1)(f). E.g. we prepare various statistics on website traffic, etc. The information, that we ask you to submit to us and which we collect from interviews and user tests are necessary in order for us to be able to develop relevant, digital experiences from a user perspective. If you choose to reply to us in interviews or surveys, the legal basis for the processing is legitimate interest art. 6 (1) (f)F, where the Bank's interest in improving the Bank's products and services is taken into account.

7.4 If you give consent to receive marketing information from Santander Consumer Bank, our processing of your personal data for use in this marketing will be based on the General Data Protection Regulation’s Article 6 (1)(a).

7.5 If you do not have an account with us but simply use our website, we need - to a limited extent - to administer information about your use of our website. We register the IP addresses which have visited our website. An IP address can be classified as personal data, so when we process your IP address, we do so on the same basis as described above under Section 7.2.

7.6 To some extend we have a legal obligation to process your data according to article 6 (1)(c) to inform you of major changes to the API or if an incident occurs.

8 Using data processors

8.1 Santander Consumer Bank may use data processors in connection with the administration and performance of the services we offer. The categories of data processors we use include providers of IT systems, advertising agencies and market research companies. Our data processors are only given access to data if this is relevant. Examples of some of the biggest processors include Microsoft, Basefarm AS Norway, Banqsoft AS, and Nets AS in Norway and Denmark. You may at any time contact Santander Consumer Bank's customer service if you require a complete list of our data processors.

9 Sharing your data with recipients outside the EU/EEA

9.1 Some of our service providers are located outside the EU/EEA. This means your personal data may be processed in countries outside the EU/EEA on behalf of Santander Consumer Bank. However, this presupposes that:

• The country or the international company in question has an adequate level of protection as established by the European Commission;
• We have entered into a standard agreement on data protection as adopted by the European Commission with the processor of your personal data;
• The recipient in question is certified, see Article 42 of the EU General Data Protection Regulation; or
• The recipient in question has a set of approved Binding Corporate Rules.

9.2 You may at any time request information about or a copy of the necessary guarantees which form the basis for the transfer of personal data to recipients outside the EU/EEA.

10 Storage and deletion of your personal data

10.1 We will store your personal data in accordance with the following rules:

10.2 If you register, all your contact information will be deleted if and when you choose to deregister.

10.3 User tests and interviews will be anonymized at the latest 6 months after you have provided the information to us.

10.4 In the case of users of our website who has not registered we will store the information that we have registered about you for up to two year from the most recent use of the website.

10.5 If you have not registered as user, but receive marketing and/or newsletters based on you having given consent for this, we will store your data for up to one year from the last contact from us or until you notify us that your consent is revoked.

10.6 If you have been in contact with Santander Consumer Bank by telephone, and if you have in connection with this given consent for us to record the conversation, we will save the conversation for up to six months.

11 Your rights

11.1 When contacting Santander Consumer Bank with a request for the exercise of your rights, we must respond to your request within one month in accordance with Article 12(3) of the General Data Protection Regulation. If necessary, this period may be extended by 2 months in special cases when taking into account the complexity and number of requests. If Santander Consumer Bank finds it necessary to implement an extended deadline, you will receive information about this decision along with a reason for the delay. If you want to exercise any of your rights according to GDPR please contact us by email: open.banking@santanderconsumer.no

11.2 Access
You have - in most cases - the right of access to the personal data which we process about you. you can request access to the personal data which we have registered about you by contacting us. We will comply with your request for access as quickly as possible.

11.3 Retraction and deletion
You have the right to request correction, additional processing, deletion or blocking of the personal data we process about you.
Limitation of processing
You have - in special circumstances - the right to request a limited processing of your personal information. Please contact us if you wish for the processing of your personal data to be limited.

11.4 Data portability
You have the right to receive your personal data regarding yourself which you have yourself given us in a structured, widely used and machine-readable format (data portability).

11.5 Right to object
You have the right to request that we do not process your personal information in cases where this processing is based on Article 6 (1)(f) (legitimate interest) and where the legitimate interest is direct marketing. You can at any time exercise the right to object by contacting us.

11.6 Withdrawal of consent
If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal will not affect the legality of the processing which has been carried out before you withdrew your consent.

11.7 If you wish to revoke your consent to Santander Consumer Banks please contact us.

12 Potential consequences of not providing your personal data

12.1 If you do not want to provide us with your contact information, Santander Consumer Bank cannot register you as a user of the Nordic Developer Portal.

13 Security

13.1 At Santander Consumer Bank the processing of personal data is subject to our IT and security policies. Our IT and security policies also contain rules for the implementation of risk assessment and impact analysis of existing as well as new or altered processing activities. We have implemented internal rules and procedures for the maintenance of adequate security from the time when we collect personal data until it is deleted, and similarly, we only allow our processing of personal data to be carried out by data processors who maintain a similarly appropriate security level.

14 Complaints to supervisory authorities

14.1 If you are dissatisfied with our processing of your personal data, you can complain to the Data Protection Agency:

Norwegian Data Protection Agency, Postboks 458 Sentrum, 0105 Oslo; Telephone +47 22 39 69 00 Email: postkasse@datatilsynet.no

Danish Data Protection Agency, Carl Jacobsens vej 35, DK-2500 Valby; Telephone +45 3319 3200; Email: dt@datatilsynet.dk

Swedish Datainspektionen, Drottninggatan 29, plan 5, Box 8114, 104 20 Stockholm; Telephone + 46 08-657 61 00 Email: datainspektionen@datainspektionen.se

15 Updating this policy

15.1 Santander Consumer Bank is obliged to respect the fundamental principles for the protection of personal data and data protection. We therefore regularly review this policy to ensure it is updated and in agreement with applicable principles and legislation. This policy may be changed without notice. Changes to the policy will be announced on our website together with an updated version of the policy. If there are significant changes in this current policy, these will be communicated to you via email, via e-Boks, or via ordinary post.