Data protection policy

The controller of this website is Banco Santander, S.A., with the Tax Identification Code (CIF): A-39000013 and registered office at Paseo de Pereda, 9-12, Santander. This website is for information purposes only, and no personal data are collected herein. If personal data are requested on a microsite of this website for a specific purpose and/or service, the data subject shall also be informed about all elements required by the applicable data protection regulations when the data are collected.

Basic Information on Data Protection

Data Controller Identity: Banco Santander, S.A
Postal address: Avda. de Cantabria s/n, 28660 Boadilla del Monte
Attn. Departamento de Seguridad Física
Data Protection Officer's Contact details:
Purposes and Legal Basis Managing specific services requested by the data subject or complying with legal obligations.
Recipients Data shall not be disclosed to third-party recipients.
Rights Data subjects may exercise their rights of objection, access, portability, rectification, restriction of processing and erasure in respect of their data at any time.
Further information Further information on the basic framework outlined in this table can be found below.

Further information on data protection

Banco Santander, S.A. (hereinafter "the Bank”) is fully compliant with regulations governing the protection of personal data and, in particular, with the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), in such a way that any personal information supplied by the party concerned (hereinafter the “data subject”) when requesting a specific service for which he/she provides us with his/her data through any microsite of (hereinafter the “Website”) shall be processed in compliance with the legally enforceable safeguards and obligations.

In accordance with the regulations in force, the Bank has implemented technical and organisational measures to guarantee an adequate level of security and to prevent the data provided by the data subject from being lost, misused, altered, accessed by unauthorised parties or stolen. Similarly, the Bank guarantees that it complies with the duty of secrecy and confidentiality with regard to the personal data provided by the data subject via this Website.

In any case, the data subject shall be required to provide personal data in order to receive the service requested.

I.- Who is the Data Controller?

The Data Controller's details are provided below:

  • Name: Banco Santander S.A., with the Tax Identification Code (CIF): A-39000013
  • Data controller's contact details:
  • Postal address: Avda de Cantabria, s/n, 28660 Boadilla del Monte (Madrid)

II-. Who is the Data Protection Officer and how can he/she be contacted?

The Data Protection Officer is entrusted with monitoring and enforcing compliance with the GDPR so as to ensure that the personal data provided by the data subject through the Website are protected.

To contact the Data Protection Officer, data subjects may write to the following e-mail address:

III.- What are the purposes and legal bases of processing your personal data?

  • To manage any requests for specific services that the data subject makes via a web microsite.
  • To comply with legal obligations.

IV.- For how long shall we store the data?

The personal data provided shall be stored for the period necessary for managing the requested service, and subsequently they shall be stored, but locked, for as long as necessary to formulate, exercise and defend any claims arising from the data processing.

V.- Shall the data be disclosed?

With regard to the disclosure of data, data subjects are expressly informed that their personal data shall not be disclosed to third parties, nor shall their data be transferred to third-party countries or international organisations.

VI.- What are your rights when you provide us with your data?
If they wish, data subjects may exercise their rights of access, rectification and erasure, and also to request that the processing of his/her personal data be limited, to object to it, to request that his/her data be transmitted, and not to be subject to automated individual decisions, by writing to the following address: or C/ Juan Ignacio Luca de Tena, 11-13, 28027 Madrid, supplying in all cases their identity card or official document accrediting the identity of the data subject.

Notwithstanding any administrative appeal or legal action that may arise, data subjects may submit their claim to the Spanish Data Protection Agency, especially where they have been unsuccessful in exercising their rights, via the website

Privacy in Santander

In accordance with the principle of accountability that rules the corporate data protection policy, Santander has a specific governance model that ensures compliance with the regulatory requirements on the matter, being Its key component the designated data protection officers in each unit.  

Santander is committed to meet highest standards in terms of personal data protection.  Our corporate standards and procedures, have been inspired by Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the “General Data Protection Regulation”) and  the respect for the fundamental right of personal data protection established in the Charter of Fundamental Rights of the European Union. All Group entities carry out measures that guarantee and allow demonstrating compliance with the legal requirements regarding data protection. Banco Santander, S.A., as the parent entity of the Santander Group, has produced a corporate data Protection policy as a reference document, establishing the applicable data protection regime across its affiliates. These are responsible for the preparation and approval, by their corresponding governing bodies, of their own internal regulations, which permit the application in their area of the provisions contained in Group regulations, with any adaptations that are strictly necessary to make them consistent and ensure compliance with the rules, regulations or expectations of their supervisors.

This approval must be validated by the corporate center to ensure consistency with the Group's regulatory framework and internal governance system.


We ensure that the processing of personal data is limited to the specific, explicit and legitimate purposes for those that were collected at source, and that will not be further processed in a manner incompatible with said purposes.

Upon data collection, we inform data subjects in a simple and clear manner so that they can easily understand:

  • The purpose of the processing activity of their personal data.
  • The legal basis of the data processing.
  • The recipients or categories of recipients of personal data.
  • The identity and contact details of the controller and, where applicable, its representative.
  • If applicable, the intention of the controller for transferring personal data to a third country or international organization.
  • Where appropriate, the existence of automated decisions, including profiling.
  • The period during which the personal data will be kept.
  • The possibility of exercising the rights over their personal data and how to proceed.
  • The right to file a claim with the Local Control Authority.
  • When personal data are obtained through third parties, the source from which the personal data come, including publicly accessible sources.
  • The contact details of the data protection officer or person in charge of data protection.


We process your personal data based on the following lawful bases:  

  • Contractual use: necessary for the signing of the contract, for the provision of the service you request.
  • Legal or regulatory use: to comply with applicable legal and tax obligations, such as money laundering prevention and terrorist financing, public security, private security and other regulations that may apply to financial institutions.
  • Express consent (opt-in):
    For those processing activities where the consent of the data subjects t is required in accordance with the provisions of the European Data Protection Regulation and the Organic Law on Personal Data Protection and Guarantee of Digital Rights, we will request the express consent of the data subjects through a box enabled for this purpose in the form that we make available to you, so as to guarantee that you maintain control over your personal data at all times. As an example, among others, the use of third-party and advertising cookies, the communication of your personal data to companies of the Santander Group, companies owned by said Group or its partners for the development of commercial actions or when the processing involves the use of special categories of data.
  • Legitimate interest as long as the necessity of the processing the personal data is balanced against the interests, rights and freedoms of the data subject.


We make sure we process only those personal data that are adequate, relevant and limited to what is necessary in relation to the specific purposes for which they are collected.

We apply all reasonable measures to suppress or rectify all data that may be non-relevant, inaccurate or incomplete, with respect to the said purposes.

We retain personal data only for the time strictly necessary for lawful processing. After that period, the data shall be deleted or, where appropriate, kept locked in accordance with the legal retention periods and limitation periods for the liabilities arising from the processing indicated in the data protection information when providing the data

Our standards ensure and guarantee that the data will be processed with the appropriate level of security, including protection against unauthorized or illicit processing activity and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures, such as pseudonymization or encryption of personal data. Likewise, we apply the appropriate measures to guarantee the permanent confidentiality, integrity, availability and resilience of the processing activity systems and services.

We collaborate with third-party service providers who have access to your personal data and to process them on behalf of Group Units as a result of a service provision agreement. In this regard, the Group ensures the suitability of its service providers, who must comply with the principles required by the applicable data protection regulations. To this end, all its units follow strict criteria for the selection and approval of suppliers and sign the corresponding data processing contracts requiring, inter alia, appropriate technical and organizational measures; The processing of personal data for the purposes agreed and only in accordance with our documented instructions; and the deletion or return of the data to the Group upon completion of the provision of the services. We have implemented mechanisms of control that guarantee that third-party service providers and sub-contractors that access personal data by virtue of service provisions, comply with the data protection regulations in force.

When your data are processed outside the European Economic Area, our aim is to ensure that the level of protection guaranteed by the GDPR is not undermined. To this end, we shall adopt the appropriate guarantees provided for in the European Data Protection Regulation

Our staff has been specifically trained on data protection matters and periodically updated as part of our mandatory training programs.  


We have appointed heads of data protection across all our entities to ensure all legal requirements are properly addressed and implemented. In other words, to ensure compliance with the applicable regulations and our data protection internal policies. They are the point of contact with the local supervisory authority and with the data subjects.


You may exercise your rights of access, to data portability, to rectification, to erasure, restriction of processing, to object, and not be the subject of a decision based solely on automated processing. You may also revoke the consent provided at any time.

Your rights may be exercised via any of the channels that we have enabled at entity level. For general data protection matters you can contact: If you still have any issues with the processing of your data we were not able to resolve, you can also file a claim with your local Data Protection Agency.


Zero tolerance policy.

The General Code of Conduct contains the catalog of ethical principles and standards of conduct to govern the performance of all employees of the Santander Group. They are obliged to respect the privacy of all persons, both employees and customers, as well as of any other person whose personal data they have access arising from the Group's own activity, in accordance with the requirements of the Code itself and instructions and policies disseminated by the management of the company in the regular exercise of its powers of organization and management of work

Failure to comply with the ethical principles and rules of conduct relating to privacy may result in labor sanctions, without prejudice to administrative or criminal penalties, as appropriate. The relevant governing bodies shall assess the extent of breaches of internal and external regulations committed by employees and shall decide, in accordance with the rules of misconduct and penalties conventionally provided, on disciplinary measures for contractual breaches or breaches provided for in the rules and, where appropriate, on measures in addition to disciplinary measures, which may also result from non-compliance or irregularity.