Our Privacy Policy

1. Who is the data controller?

GETNET Europe, Entidad de Pago, S.L.U. (hereinafter, “GETNET”)
Avenida de Cantabria, 3 Edificio Alhambra 28660 Boadilla del Monte, Madrid, Spain.
Data Protection Officer contact email address: privacidad.getneteurope@gruposantander.es

2. What personal data do we process? From where is the personal data obtained?

GETNET processes the minimum information necessary to fulfil the purposes set forth below. It is essential that this data reflects your current situation. If it becomes obsolete, you must notify GETNET. 

As a general rule, all data is collected directly from you, because you have provided it directly through a form contained in documents provided, as well as data that is generated as you maintain a relationship with GETNET (such as browsing data). The data that is processed is itemised below: 

• Identification and contact data: full name, national ID card number, address, signature, voice, telephone number and email address. 

• Economic and financial data: bank account details. 

• Commercial data: product contracted, its terms (quotations, economic conditions), validity, existence of payments and non-payments, credit limits. 

• History of contracted products: incidents raised, contacts maintained, contracting history. 

• Browser data: Session ID, behaviour on the website. 

3. For what purposes and what is the legal basis for processing your personal data?

Please be advised that your data will be processed by GETNET for the following purposes and pursuant to the following legal requirements. 

To process your contact requests.

Purpose: if you contact GETNET, your data will be processed for the sole purpose of managing the request. To facilitate contact, GETNET offers users several contact channels (telephone, email, website form, among others), through which requests for information or queries about the services provided can be sent. Only the identification and contact data will be processed, as well as the information that may be provided by you in the request. 

Legal basis: legitimate interest in establishing professional relationships with legal representatives and individual business owners, which enables GETNET to develop its activity. This processing may be opposed by writing to privacidad.getneteurope@gruposantander.com.

Recipients: the data will not be disclosed to third parties.

Retention period: the data will be retained for one year from the date of its collection. However, if a contractual relationship is initiated as a result of this, the data will be retained pursuant to the provisions of the relevant privacy policy. For further details, please see the "Contracting Privacy Policy". 

Sending communications from GETNET.

Purpose: GETNET will process your data for the purpose of sending you commercial communications (mail, telephone, SMS, email, web push , pop-up or any other digital channel available at any given time), for which purpose your identification and contact data will be processed. These communications will refer to products that GETNET offers. Within this process, GETNET will also be able to verify that the campaigns have been sent correctly, the opening statistics and the success rates (e.g. agreements formalised after they have been sent).

Legal basis: consent granted by checking the corresponding box.  

Recipients: data is not communicated to third parties. 

Retention period: as long as consent is not revoked. 

Call recording.

Purpose: your call will be recorded and stored for the purpose of guaranteeing that the service provided meets GETNET's quality standards. These recordings may also be retained as proof of the customer service and information provided as applicable (for example, when the data has been modified or when it has been provided to confirm an agreement). In the latter case, the recordings may be used as evidence in the event of extrajudicial or judicial claims. 
Whenever calls are recorded, you will be expressly informed before the recording begins.
The following data categories will be processed in the recordings: (i) identifying data and contact data (including voice); (ii) economic and financial data; (iii) commercial data; (iv) contracted product history. Please keep in mind that these will depend on the information you provide on the call.  

Legal basis: legitimate interest in having a mechanism that guarantees that there are no deviations in the information provided to customers, to ensure that internal protocols are complied with and to implement improvements in customer service, as well as to have evidence of the actions of our staff, in the event of claims and/or legal proceedings. This interest has a direct impact on management and customer service and is subject to a process of continuous improvement.  This processing is not objectionable as there are compelling reasons to do so.

Recipients: data is not communicated to third parties. 

Retention period: 30 days from the date of collection. 

Use of cookies.

Purpose: statistical, behavioural or usability analysis of the GETNET website. In order to process this data, cookies will be used that enable the information to be collected. Cookies are website instruments that allow users' information to be stored and retrieved for the purpose of offering a better usage and browsing experience.
In this sense, cookies fulfil different functions depending on their nature and how they are implemented on the Website. For example, they may be analytical, functional or even technical. 
Although they often profile users browsing the website, the cookies installed by GETNET do not allow automated decisions that could have legally significant implications for you. 
Legal basis: consent, manifested through the cookie pop-up displayed when accessing the website. This consent may be revoked through the cookie configurator available on this website or by deleting them from your browser. 

Recipients: although the cookies may be directly managed by GETNET, it is possible that third parties also collect information from them. These third parties may be Google, Tealium or Vimeo, among others. 

Retention period: each cookie may be retained for a period that ranges from the web session to two years.

For further information (types of cookies, third parties involved, international transfers, profiling and retention periods), please see the Cookie Policy. 
 

4. Other recipients and international data transfers.

As a general rule, GETNET will only communicate data to third parties in the cases identified. However, data may be communicated to public bodies that GETNET is obliged to notify in order to fulfil its legal obligations (Bank of Spain, Courts and Tribunals, Tax Agency or similar). 

GETNET will collaborate with providers that may have access to your data and that will process the data in the name and on behalf of GETNET. Providers are selected following an exhaustive compliance verification process in order to guarantee adequate control in terms of data protection. An agreement is also signed in which these providers undertake to apply appropriate technical and organisational measures and to process personal data exclusively in accordance with GETNET's documented instructions; and delete or return the data to GETNET. GETNET will contract the provision of services by third parties that carry out their activity, by way of example but not limited to, in the following sectors: technological services, physical security, instant messaging, unpaid debt management entities and call centres.

5. What are your rights?

Below, we inform you of your legal rights. You may exercise your rights by writing to privacidad.getneteurope@gruposantander.com or by post to Av. De Cantabria 3 Edificio Alhambra - 28660 Boadilla del Monte, Madrid. In both cases, you must specify the right exercised and provide valid data that identifies you (for example, your email address), for the sole purpose of identifying you in our systems and validating your identity. 

Pursuant to the law, you have a right to:

• Access: you may obtain confirmation on whether or not GETNET is processing personal data that concerns you and, if so, to know which data is being processed and the purpose for such processing. 
• Rectify: in case of inaccurate data. 
• Deletion: inter alia, when it is no longer necessary for the purposes for which the data was collected.
• Restrict the processing of your data: in which case, it will only be retained for the purpose of exercising or defending claims.
• Oppose the processing: the data controller will cease to process the data, except in the event of compelling legitimate reasons, or for exercising or defence against potential claims. 
• Challenge a decision that has been adopted in a solely automated manner so that it can be reviewed by a person who is a specialist on the matter. 
• Portability of your data, so that it may be sent directly to the entity designated by you in a structured, commonly used and machine-readable format.
• Withdraw the consent that you have previously granted, without this affecting the legality of the processing.

GETNET also has a Data Protection Officer with whom you may communicate to formulate the queries, claims or incidents you deem opportune (e.g. if you do not understand any part of this policy, if you have doubts about GETNET's legitimate interests, if you would like further information about the risks to your privacy or if you have already made a complaint and have not obtained satisfactory response, among others that you consider opportune). To do so, you can write to the registered address or the email address indicated hereinabove. 
You may also file a complaint with the Spanish Data Protection Agency (as the competent data protection supervisory authority), especially if you have not obtained satisfaction in the exercise of your rights, by writing to the Agencia Española de Protección de Datos C/ Jorge Juan, 6 28001 – Madrid, or via the website https://www.aepd.es.

To facilitate the management process, you can manage your claim to the applicable control authority in your country (which will remit to the Spanish Data Protection Agency). In particular: 

• Portugal: Comissão Nacional de Proteção de Dados, located at Av. D. Carlos I, 134, 1º 1200-651 Lisbon, email geral@cnpd.pt
• Germany: Bavarian Authority, located at Präsident des Bayerischen Landesamts für Datenschutzaufsicht Promenade 18 91522 Ansbach, Germany, poststelle@lda.bayern.de
• Poland: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa, email kancelaria@uodo.gov.pl

1. Who is the data controller?

Getnet Europe, Entidad de Pago, S.L.U. (hereinafter, “Getnet”)
Avenida de Cantabria, 3 Edificio Alhambra 28660 Boadilla del Monte, Madrid, Spain. 
Data Protection Officer contact email address: privacidad.getneteurope@gruposantander.es

2. What personal data do we process? From where is the personal data obtained?

GETNET processes the minimum information necessary to fulfil the purposes set forth below. When GETNET acts as a payment entity for the business from which you make the purchase, it collects a series of information to be able to execute the purchase and process the payment for it. Please keep in mind that all the information processed is required to fulfil the purposes for which it is obtained. If the correct data is not provided, GETNET will not be able to make the payment. 
The data may also be obtained in the following ways: 
Data collected directly from you: all data that is generated as a result of paying for the purchase in the shop: 

• Identification and contact details: full name. 
• Transaction data: depending on the payment method chosen, bank account number or card number (tokenised). 
• Payments: amount of the transaction initiated. 

Data obtained from other sources: all data collected from third parties that have information about you. The data that is processed is itemised below: 

• Identification and contact information: telephone number, email, address (provided by the Merchant). 
• Purchase data: amount, date, delivery address (provided by the Merchant). If the purchase is made on an airline, the ticket number, booking number and voucher number will also be processed.
• Data of the device used to make the purchase: IP address, device ID, geolocation, browser and device type (obtained from fraud management providers). 

Please keep in mind that on certain occasions “all data” may be referred to, which includes all of the above. 

3. For what purposes and what is the legal basis for processing your personal data?

Please be advised that your data will be processed by GETNET for the following purposes and pursuant to the following legal requirements. 

Executing the requested transaction. 

Purpose: your data will be processed so that the payment for the purchase or the transaction made can be executed. Specifically, the data is processed to collect payment authorisation. The bank that issued your card (hereinafter, your “Bank”) and the applicable card network (for example, Visa or MasterCard) will intervene in this process). Once the transaction is processed, only information on the transaction's acceptance or rejection will be transmitted to the Merchant. 
In this process, only the transaction and payment data will be processed. 

Legal basis: legitimate interest in providing a service that allows the the data holder to formalise the payment for the products and services that you are interested in buying from or contracting with a certain business.  The data processing is necessary to guarantee that payments are processed with the different participants (card networks and your bank), always pursuant to the applicable sectoral rules and the regulations applicable to Getnet, as an entity supervised by the Bank of Spain. This processing may not be objected to as there are compelling reasons to do so. 

Recipients: your bank and the payment network that applies (Visa, MasterCard or another specific network of some specific cards), all based on the aforementioned legal basis. 

Fraud prevention and management.

Purpose: Getnet must adopt measures to prevent fraudulent transactions. It will therefore process (i) data referring to the transaction, as well as (ii) data from the device used to make the purchase, if the transaction is made in any way other than in person, which will give rise to a score referring to the probability of fraud being committed. This information will in no case enrich the information provided to Getnet.

Legal basis: legitimate interest in attempting to prevent possible negative economic consequences that may arise for GETNET and for third parties, as well as other damages arising from these conducts (personal harm to data subjects or breach of legal obligations, referring to the Customer identification). The analysis carried out includes verifying the transactions, among other indications, that could be observed arising from payment incidents. The assessment of these indications is based on an internal policy that has evaluated and defined the optimal measures to prevent and detect fraudulent conduct, as well as to mitigate the impact on privacy. These measures entail: (i) supervision by an analyst who specialises in assessing suspected fraudulent conduct; and (ii) information remittance if the transaction is included in internal fraud prevention systems. This processing is not objectionable as there are compelling reasons to do so.

Recipients: the data will not be disclosed to third parties.  

Anti-money laundering and counter-terrorism financing. 

Purpose: Getnet will process your data in order to comply with the legal obligations imposed by Law 10/2010 for the purpose of anti-money laundering and counter-terrorism financing. Specifically, the identification and contact data, transactions and payments will be processed to detect transactions that are inconsistent with the activity of the trade and that are likely to be linked to activities related to money laundering or counter- terrorism financing. 
This processing implies that all the transaction data is processed. 

Legal basis: compliance with legal obligations (Law 10/2010, 28 April, on anti-money laundering and counter- terrorism financing.). 

Recipients: in the case of suspicious requirement or transaction, to the Executive Service of the Commission for Anti-Money Laundering Planning Prevention and the State Security Forces and Bodies, Courts and Tribunals and the Competent Administrations. This communication will be made pursuant to legal obligations. 

Dispute and chargeback management.

Purpose: for managing chargebacks, either due to service incidents or because they are transactions not recognised by you, Getnet will process your (i) identification and contact data and (ii) transaction data; and (iii) purchase data. All this to manage the return of the funds and the cancellation of the transaction, if applicable. 
Although they often profile users browsing the website, the cookies installed by GETNET do not allow automated decisions that could have legally significant implications for you. 
Legal basis: legitimate interest in collaborating with your card issuer in resolving any dispute you may have regarding a specific payment. This process will be carried out with the data indicated, as well as with all the information of the purchase provided by the merchant that may be necessary for its investigation, whenever it is required by your Bank. The chargeback is always assessed by your Bank, always pursuant to the rules established by the payment networks (such as Visa or MasterCard). This process is also carried out pursuant to the legal obligations imposed by Royal Decree- Law 19/2018, 23 November, on payment services and other urgent measures on financial matters. 

Recipients: card schemes (e.g. Visa or MasterCard), your bank, the Bank of Spain and other competent public authorities, in order to fulfil the legitimate interest described.  

Audits and compliance verification.

Purpose: all data processed may be consulted for the purposes of carrying out internal controls to verify compliance, as well as audits that may be performed as a result of legal obligations or internal quality processes.

Legal basis: legitimate interest in verifying the adequacy of its processes to meet its legal obligations and internal quality standards for identifying, controlling and mitigating legal or operational risks. This processing is not objectionable as there are compelling reasons to do so. Audits may also be carried out as a result of legal obligations (e.g. auditing of accounts).

Recipients: data may be viewed by entities engaged in the provision of auditing services, for compliance with legal obligations. 

 

4. For how long is your data retained?

GETNET will retain your personal data for the time necessary to fulfil the purpose for which it was collected. Once this period transpires, the data will be blocked, remaining exclusively available to Courts and Tribunals or any other competent Public Administration (for example, anti-money laundering prevention organisations or the Bank of Spain). 
The data will be deleted after the transaction is recorded, pursuant to anti-money laundering prevention regulations. 
 

5. Other recipients and international data transfers.

As a general rule, GETNET will only communicate data to third parties in the cases identified. However, data may be communicated to public bodies that GETNET is obliged to notify in order to fulfil its legal obligations (Bank of Spain, Courts and Tribunals, Tax Agency or similar). 
GETNET will collaborate with providers that may have access to your data and that will process the data in the name and on behalf of GETNET. Providers are selected following an exhaustive compliance verification process in order to guarantee adequate control in terms of data protection. An agreement is also signed in which these providers undertake to apply appropriate technical and organisational measures and to process personal data exclusively in accordance with GETNET's documented instructions; and delete or return the data to GETNET. GETNET will contract the provision of services by third parties that carry out their activity, by way of example but not limited to, in the following sectors: technological services, physical security, instant messaging, unpaid debt management entities and call centres.
Additionally, GETNET has suppliers that will be able to transfer your data to entities located outside the European Economic Area, for the provision of services. In particular, your data may be processed by entities located in the United Kingdom, a state that guarantees an adequate level of protection, according to the Commission Decision of 28 June 2021. Likewise, derived from the provision of intra-group services, the data may be processed by PNMS Merchant Solutions FZ-LLC (located in the United Arab Emirates) and PNMS Merchant Solutions India Private Private Limited (located in India), with which measures have been adopted that guarantee an adequate level of protection, through the signing of Standard Contractual Clauses between the parties. If you wish, you may request further information on the international transfers that we carry out, including a copy of the clauses adopted, by contacting the entity's DPO.

 

6. What are your rights?

Below, we inform you of your legal rights. You may exercise your rights by writing to privacidad.getneteurope@gruposantander.com or by post to Av. De Cantabria 3 Edificio Alhambra - 28660 Boadilla del Monte, Madrid. In both cases, you must specify the right exercised and provide valid data that identifies you (for example, your email address), for the sole purpose of identifying you in our systems and validating your identity. 
Pursuant to the law, you have a right to:

• Access: you may obtain confirmation on whether or not GETNET is processing personal data that concerns you and, if so, to know which data is being processed and the purpose for such processing. 
• Rectify: in case of inaccurate data. 
• Deletion: inter alia, when it is no longer necessary for the purposes for which the data was collected.
• Restrict the processing of your data: in which case, it will only be retained for the purpose of exercising or defending claims.
• Oppose the processing: the data controller will cease to process the data, except in the event of compelling legitimate reasons, or for exercising or defence against potential claims. 
• Challenge a decision that has been adopted in a solely automated manner so that it can be reviewed by a person who is a specialist on the matter. 
• Portability of your data, so that it may be sent directly to the entity designated by you in a structured, commonly used and machine-readable format.
• Withdraw the consent that you have previously granted, without this affecting the legality of the processing.

GETNET also has a Data Protection Officer with whom you may communicate to formulate the queries, claims or incidents you deem opportune (e.g. if you do not understand any part of this policy, if you have doubts about GETNET's legitimate interests, if you would like further information about the risks to your privacy or if you have already made a complaint and have not obtained satisfactory response, among others that you consider opportune). To do so, you can write to the registered address or the email address indicated hereinabove. 
You may also file a complaint with the Spanish Data Protection Agency (as the competent data protection supervisory authority), especially if you have not obtained satisfaction in the exercise of your rights, by writing to the Agencia Española de Protección de Datos C/ Jorge Juan, 6 28001 – Madrid, or via the website https://www.aepd.es.
To facilitate the management process, you can manage your claim to the applicable control authority in your country (which will remit to the Spanish Data Protection Agency). In particular: 

• Portugal: Comissão Nacional de Proteção de Dados, located at Av. D. Carlos I, 134, 1º 1200-651 Lisbon, email geral@cnpd.pt

• Germany: Bavarian Authority, located at Präsident des Bayerischen Landesamts für Datenschutzaufsicht Promenade 18 91522 Ansbach Germany.
• Poland: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa, email kancelaria@uodo.gov.pl

With this document we would like to inform you about how the PagoNxt Group handles and protects your personal data in the context of the recruitment processes carried out by the various entities of the PagoNxt Group. 

1. Who is responsible for processing your personal data

The PagoNxt entity in which you are employed (We) process your personal data as data controller.

PagoNxt entity (controller)	DPO email	Postal address	Supervisory authority
Getnet Europe, Entidad  De Pago S.L.	Privacidad.getneteurope@gruposantander.es	Avda de Cantabria 3 Edificio Alhambra  28660 Boadilla del Monte  (Madrid, España)	AEPD www.aepd.es
PagoNxt Merchant Solutions S.L.	Privacy.merchant@pagonxt.com
Getnet Europe, German Branch	Georg.schroeder@legaldata.law	Balanstraße 71a, 81541 Munich, Germany	Bavarian Authority
PagoNxt Merchant Solutions German Branch

 

 2.    How do we obtain your personal data?

Most of the personal data we process is provided directly to us by you at the start of or during the recruitment process. In some cases, we may receive your data from a third party, for example, in the context of referral programs or through an employment agency or head-hunter. We may also access and process information that you have shared publicly on social networking sites (such as LinkedIn) or other social media, in the latter case only if you are the successful candidate and such information is necessary to assess specific risks with respect to the role. 

3.    What do we process your data for on what legal basis and who may we share the data with?

 

3a) Management of the recruitment process
Purpose	We will process your data to manage your participation on the recruitment process. Related to this processing activity We may in certain cases: Request information related to your employment history issued by official bodies in order to carry out the necessary checks prior to recruitment (e.g., when you are a finalist in the selection process). If you are the chosen candidate and you’ve applied to certain positions, access your public profiles of non-employment social networks for the purpose of assessing specific risks with respect to the function. If you are applying for a position in Germany and if you receive a job offer from us, we might request your Certificate of good conduct (Führungszeugnis) issued by official bodies.
Lawful base	The legal basis for this processing is the application of pre-contractual measures. If we ask you for your employment history issued by official bodies, the processing will be based on our legitimate interest in verifying the truthfulness and experience you state in your application. If we access and process the data you have posted on your public social media profiles because you have been shortlisted and the type of position requires a risk assessment of the function to be performed, the legal basis will be our legitimate interest in complying with any due diligence obligations we may have and in mitigating certain risks associated with the performance of the function. With regards to the Certificate of good conduct, We have a legitimate interest in hiring Employees with good conduct in order to work in sensitive positions when dealing with financial and payment information.
Type and categories of data processed	Contact and identification data (name, surname, address, telephone numbers) Date of birth, Gender, work and educational history, and any other information contained in your CV. Data derived from participation in tests during the selection process (group dynamics, interviews, language tests, etc.). Working life. Data communicated publicly by you on your social media profiles.

 

3b)Resolution and management of queries
Purpose	Answer any queries you may make to us during the selection process and after it.
Lawful base	Our legitimate interest in answering any questions that may arise during the selection process or subsequently.
Type and categories of data processed	Identification and contact data (name, surname, email, telephone). Any data that may be included in the query.

 

3c) Candidate screening if you are applying for a position in Germany
Purpose	In order to confirm that the job applicant can be reliable to work with us, personal data is examined on the basis of sanction lists. The sanctions lists include EU lists (in particular pursuant to the EU regulations 2580/2001, 881/2002, 753/2011). Such verification is conducted via the tool “Worldcheck” before receiving a job offer. For this purpose, personal data is vetted only once.
Lawful base	Our legitimate interest in not being subject to sanctions lists-related fines by hiring employees not included in sanction lists.
Type and categories of data processed	Name and surname Birth date Nationality

 

 4.    Who do we share your data with?

4.1. With service providers

We may share your personal information with companies that provide services to us and with whom we have entered into a data processing agreement in accordance with applicable law. These will process your data on our behalf and following our instructions.

4.2 International transfers of data

We do not directly transfer your data outside the EU. But, among the service providers we have, mainly cloud service providers or certain applications, some offer support for 24/7 incidents, which motivates that, in very limited and specific cases, limited access can occur (in time, form and scope) To your personal data from a location outside the EU. For these cases we have provided adequate guarantees in accordance with the data protection regulations. If you want to request additional information you can do so by contacting the corresponding DPO.

5. How long do we keep your personal data?

We will process your personal data for as long as the selection process lasts and, where appropriate, as necessary to manage queries. Once the process is complete, we will retain your information in case of future opportunities in which you may be interested in a maximum period of one year unless you indicate your wish not to do so (right of objection). After that period and unless you expressly authorize us to keep them for a longer period, we will proceed to block the information and delete it after the period of exercise of actions (5 years).

If you are applying for a job position in Germany, we will process your personal data during the recruitment process. In case you do not receive a job offer from us, we will delete your data after 6 months.
 

6.    What are your personal data rights?

You can exercise the following rights by sending an email to your DPO (you can find their address under the heading “Who is responsible for the processing of your data?”) As well as submitting a complaint to the competent supervisory authority.

RIGHT TO ERASURE

This right allows you to request the deletion of your data provided that certain circumstances are met, such as that the data are not necessary for the purpose for which they were collected or that the processing is based on your consent and you wish to withdraw it.

ACCESS RIGHT

This right will allow you to obtain confirmation of whether your personal data is being processed, which  data is being processed, the details of the processing and to obtain a copy of this data.. 

RECTIFICATION RIGHT

This right allows you to obtain the rectification of your personal data when they are inaccurate and to have incomplete data completed.

RIGHT TO OBJECT

Through this right, you can object to our processing in certain cases, such as when the processing is based on a legitimate interest, a public interest mission or direct marketing.

PORTABILITY

This right complements your right of access and allows you to request that your data be downloaded and where technically feasible transmitted directly to another data controller in a structured, commonly used, and machine-readable format, provided that the processing is based on consent or a contract.

RIGHT TO RESTRICTION OF PROCESSING

This right allows you to ask us to suspend the processing of your data when you contest their accuracy, while we verify their accuracy or if you have exercised your right to object while we check whether your or our legitimate interests prevail.

RIGHT TO OBJECT TO AUTOMATED INDIVIDUAL DECISION MAKING

The right not to be subject to a dec ision based solely on automated processing, including profiling, that produces legal effects on you or similarly significantly affects you.

1. Who is the data controller?

GETNET Europe, Entidad de Pago, S.L.U. (hereinafter, “GETNET”)
Calle Juan Ignacio Luca de Tena, 11 28027,Madrid, Spain. 
Data Protection Officer contact email address: privacidad.GETNETeurope@gruposantander.es

 

2. What personal data des GETNET process? From where is the personal data obtained?

GETNET processes the minimum information necessary for the purposes set forth below. It is essential that this data reflects your current situation. If it becomes obsolete, you must notify GETNET. Please keep in mind that all the information processed is required to fulfil the purposes for which it is obtained. If the correct data is not provided, GETNET will not be able to formalise the agreement. 
Please also remember that in cases in which you act as a representative of a company and provide data from third parties, this Policy must be transferred to each of them. 

GETNET can process the data of the following data subjects: 

• Individual business owners (“self-employed people”) who wish to enter into a business relationship with GETNET. 
• Legal representatives of commercial companies. 
• Company administrators. 

The data may also be obtained in the following ways: 
Data collected directly from you: includes all the data that you provide directly through a form, contained in required documents (for example, deeds), as well as data that is generated as you maintain a relationship with GETNET. The data that is processed is itemised below: 

• Identification and contact data: full name, National ID, address, signature, voice, telephone number and email address. 
• Personal data: marital status, profession, country of birth, country of residence. 
• Economic and financial data: bank account details. 
• Labour and socioeconomic data: professional or labour activity, income or remuneration, family unit, educational level, assets, fiscal data and tax data.
• Commercial data: product contracted, its terms (quotations, economic conditions), validity, existence of payments and non-payments, credit limits. 
• Sociodemographic data: year of birth, province. 
• History of contracted products: incidents raised, contacts maintained, contracting history. 

Data obtained from other sources: all data collected from third parties that have information about you. This information is only obtained when there are legal reasons to do so. The data that is processed is itemised below: 

• Solvency data: information referring to solvency held in the commercial information bureau and public registry (Commercial Registry, Official State Gazette).  
• Data of the device used to formalise the agreement: IP address, device ID, geolocation, browser and device type. 

Please also keep in mind that if you have made an application, the (i) identification and contact information; (ii) personal data; (iii) economic and financial data; and (iv) labour and socioeconomic data will be obtained from the information available in your agreement with Banco Santander and provided to GETNET solely for the purpose of completing the contracting request. 
Please keep in mind that sometimes “all transaction data” may be referred to, which includes all of the above. 
Finally, GETNET will only be able to process your biometric data in this way (facial image) if you have identified yourself in this way. 

If you wish to consult the details of the data processed according to your role, you can consult it below:   

Where does it come from?	What data is collected?	What kind of relationship do you have with GETNET?
		You're self employed	You're a legal representative	You're a company administrator
Directly from you	Identification and contact data	X	X	X
	Personal data	X		X
	Economic and financial data	X		X
	Labour and socio-economic data	X		X
	Commercial	X	X	X
	Socio-demographic	X		X
	Contracted product history	X	X	X
	Biometric	X	X
Obtained from other sources	Solvency	X		X
	Due diligence	X	X	X
	Device used to formalise the agreement	X	X

 

3. For what purposes and what is the legal basis for processing your personal data?   

Please be advised that your data will be processed by GETNET for the following purposes and pursuant to the following legal requirements:

Risk monitoring and assessment.

Purpose: GETNET will process the data in order to identify the applicant's (if self-employed) economic capacity to enter into the agreement, through an automated analysis of the agreement holder. This data is analysed using the following logic: from a statistical study based on GETNET's experience with third parties that have a similar profile, the economic and professional variables that will give rise to the probability of insolvency are evaluated. This generates a score, which is always reviewed by a natural person, who makes the decision about whether or not to accept the agreement, the need to apply additional measures (for example, to request a guarantee) or to reject the transaction. Keep in mind that for this purpose, only variables related to professional life are taken into account. 
In this process, the following data categories are processed for self-employed people and legal representatives: (i) identification and contact details; (ii) personal data; (iii) labour and financial data; (iv) commercial, economic and financial data; (v) contracted product history: as well as (vi) data related to solvency and (vii) details of the device used to contract the agreement. Please keep in mind that, if you have so requested it in the contracting process, this data may be obtained from the data provided in your agreement with Banco Santander. 
 

Additionally, for evaluating and monitoring risks, the (i) identification and contact data; (ii) economic and financial data; and (iii) labour and socio-economic data will be consulted at INFORMA D&B (INFORMA D&B, S.A.U. (S.M.E.), with corporate tax ID No. A80192727 and registered office at Avda. de la Industria. n° 32, 28108 ALCOBENDAS Madrid, with further available information at https://www.informa.es/textos-legales#privacidadbd). 
 

Legal basis: in the case of self-employed people, adoption of pre-contractual measures and execution of the agreement. In the case of legal representatives, GETNET's legal basis in guaranteeing professional contact with the companies that are customers and enabling formalisation of the business relationship. This processing may not be objected to as there are compelling reasons to do so.  
The query to INFORMA D&B will be made within GETNET's legitimate interest to identify compliance with your payment obligations with third parties, before granting the transaction and while monitoring it, in order to guarantee that agreements are only formalised with entities that have the capacity to meet their monetary obligations. This data will only be processed at the time the request is made and as long as the contractual relationship to monitor your risks persists. It will not give rise, on its own, to rejection or termination of the agreement. 

Recipients: not communicated to third parties.

Retention period: for the duration of the agreement and, at the end of the agreement, for six years.

 

Biometric identification. 

Purpose: the data will be processed in order to remotely identify the applicant for the agreement (self-employed or legal representative), in order to ensure that their identity corresponds to that presented in the supporting documentation (national identity document). For this purpose, a video will be recorded in which you will be required to show your national identity document (front and back) and show your image, which will lead to the capture of your biometric data (facial), to contrast it with the photograph of your document. This process will be reviewed by a natural person, who will validate it in all cases.

The following data of self-employed people and legal representatives will be processed: (i) identification and contact details; and (ii) biometric data. 

Legal basis: consent. Please keep in mind that this process is not mandatory, so you will be informed before the data is collected, which you must expressly accept. If you do not consent, you can identify yourself in person if you wish to do so. Remember that you can revoke your consent at any time, without affecting the legality of the processing carried out.

Recipients: your data will not be disclosed to third parties.

Retention period: for the duration of the agreement and, at the end of the agreement, for ten (10) years.

 

Management and maintenance of the contractual relationship.

Purpose: to process your data in order to issue and manage the contracted transaction. This processing involves all the procedures associated with your agreement, for its formalisation, maintenance and termination. Specifically, your data will be processed for the purpose of registering the transaction in the systems, settlement and collecting fees and commissions; the review of compliance with contractual obligations (such as verifying the requirements of the PCI DSS standard or the information available on the website);  providing customer service for queries that you may ask associated with your transaction, including the contact to implement the GETNET services, requests for documentation (such as agreements, certificates or extracts of the transactions generated); record of payments and collections made; managing incidents derived from use, adoption of measures to prevent fraudulent payments, payment claims or other similar actions. Your data may also be processed in order to register you in the internal systems that GETNET offers for monitoring the agreement, as well as preparing reports and statistical analysis of the business. 
GETNET may also contact you to inform you about aspects related to the agreement. These notifications may be derived from legal obligations associated with it (for example, Bank of Spain requirements) and/or strictly linked to your agreement (for example, information about added functionalities of your POS, submission of statements, web registration notification, communications referring to incidents, security codes, transaction confirmations).

Similarly, if necessary, GETNET may process your data to comply with regulatory requirements (for example, application of embargoes or notifying data to competent public bodies). 

In this process, the following data categories are processed for self-employed people and legal representatives: (i) identification and contact details; (ii) personal data; (iii) economic and financial data; (iv) labour and socio-economic data; (v) commercial data; and (vi) history of contracted products.

Legal basis: in the case of self-employed people, execution of the agreement. In the case of legal representatives and guarantors, GETNET's legal basis in guaranteeing professional contact with the companies that are customers. This processing may not be objected to as there are compelling reasons to do so.

Recipients: the data may be communicated to the bank that you have indicated for the purpose of managing payments as well as to the schemes (VISA Mastercard), because it is necessary to do so in order to formalise the agreement. If so required, to the Tax Agency, as a legal obligation.

Retention period: for the duration of the agreement and, at the end of the agreement, for ten (10) years.

 

Fraud prevention and management

Purpose: GETNET must adopt measures to prevent fraudulent contracting during the registration of the agreement and throughout its validity (for example, in the case of requests based on inaccurate data). All the data of your transaction will therefore be processed to analyse the requests, verifying the identity of the requester and any inconsistencies in the information provided. This information may be contrasted with data from public profiles (e.g. to check whether your email address is valid), which will give rise to a score referring to fraud probability. This information will in no case enrich the information provided to GETNET nor will it be used on its own to determine whether the transaction is accepted or rejected.
This process implies that all the data subjects' transaction data can be processed. 

Legal basis: legitimate interest in attempting to prevent possible negative economic consequences that may arise for GETNET and for third parties, as well as other damages arising from these conducts (personal harm to data subjects or breach of legal obligations, referring to Customer identification). The analysis carried out includes verifying the accuracy of the data provided, among other indications that could be observed arising from payment, complaint or claim incidents. The assessment of these indications is based on an internal policy that has evaluated and defined the optimal measures to prevent and detect fraudulent conduct, as well as to mitigate the impact on privacy. These measures imply supervision by an analyst who specialises in assessing suspected fraudulent conduct of the current transaction. This processing may not be objected to as there are compelling reasons to do so.

Recipients: the data will not be disclosed to third parties.

Retention period: the duration of the contractual relationship and, once this has ended, a period of six (6) years.

 

Anti-money laundering and counter-terrorism financing 

Purpose: GETNET will process your data in order to comply with the legal obligations imposed by Law 10/2010 for the purpose of anti-money laundering and counter-terrorism financing. Specifically, the data of self-employed people and legal representatives (i) identification and contact data; (ii) personal and commercial data will be processed in order to: (i) verify the identity of the real account holders, collecting the identity document for consultation if necessary within the framework of the agreement and/or to comply with the legal obligation of identification; (ii) verify the nature of the professional or business activity through your information, the documents provided and information that has been made public through official channels; (iii) identify whether there are people with public or political responsibility and, if so, apply the reinforced due diligence measures in business relations or transactions that are maintained. 
This processing implies that all the data subjects' transaction data is processed.

Legal basis: compliance with legal obligations (Law 10/2010, 28 April, on anti-money laundering and counter-terrorism financing).

Recipients: in the case of suspicious requirement or transaction, to the Executive Service of the Commission for Money Laundering Planning Prevention and the State Security Forces and Bodies, Courts and Tribunals and the Competent Administrations. You are also informed that your personal data will be communicated to other Santander Group companies, together with any relevant information regarding the transaction that enables compliance by these companies in terms of (i) the Group's internal regulations on the matter of financial crime prevention, (ii) their legal obligations regarding anti-money laundering and counter-terrorism financing and (iii) the regulatory report to the supervisory authorities.

Retention period: for the duration of the agreement and, at the end of the agreement, for ten (10) years.

 

Sending advertising messages from GETNET. 

Purpose: GETNET will process your data for the purpose of sending you commercial communications (mail, telephone, SMS, email, web push notifications, pop-up or any other digital channel available at any time). These communications will refer to products that GETNET offers whose features may be of interest because they are similar to previously contracted products. For example, you may receive information regarding improved conditions, discounts or agreements with third parties. 
Therefore, only the data contained in our systems will be processed and, in particular, legal representatives' and self-employed people's data, (i) identification and contact information (to dispatch the product), (ii) commercial data and (iii) the history of contracted products (to determine whether it is an appropriate product for the activity and type of agreement maintained). GETNET will also be able to verify that the campaigns have been sent correctly, the opening statistics and the success rates (e.g. agreements formalised after they have been sent).

Legal basis: You can accept this processing by saying "Yes" or by checking the box enabled for each processing  in the agreement or in the transaction registration. This consent may be revoked at any time by writing to privacidad.GETNETeurope@gruposantander.com or to the registered office.

Recipients: data is not communicated to third parties.

Retention period: as long as the contractual relationship is valid.

 

Sending informative communications about GETNET.

Purpose: to send information referring to GETNET's activity that may be relevant to you or your activity, always within the term of the agreement with GETNET. For example, you may receive information about surveys, prize draws, contests, new features on the website or similar information. 
Therefore, only the data contained in our systems is processed and, specifically, legal representatives' and self-employed people's data, (i) identification and contact information, (ii) commercial data and (iii) the history of contracted products. GETNET will also be able to verify that the campaigns have been sent correctly, the opening statistics and their success rates (e.g. number of participants in a prize draw or increase in website visitors).

Legal basis: legitimate interest to inform about improvements that may be relevant in the contractual relationship maintained with GETNET, provided that the agreement remains in force and that the communication may provide a benefit for you or for the company you represent. GETNET will therefore ensure that only communication of interest is sent that does not entail excessive contact. You may oppose the processing in each communication received, by writing to GETNET's postal address or to privacidad.GETNETeurope@gruposantander.es 

Recipients: not communicated to third parties.

Retention period: as long as the contractual relationship is valid.

 

Data transfer to other Santander Group and/or American Express companies. 

Purpose: as long as you have provided your consent to process this data, GETNET may:

• Communicate your personal data to other Santander Group companies so that they send commercial communications regarding their own products and services. The purpose of this communication is so that these companies can offer products and services that may be of interest to you, even after the agreement is finalised. 
• To communicate your personal data to American Express when you have accepted to do so by checking the box: “Please be advised that by checking the following box you will be registered in marketing programmes to send you information via email and/or text message about offers of goods and financial services, insurance, travel, fashion, accessories, technology and leisure from American Express and from entities selected by it. You may request not to receive any more offers at any time through the Data Protection link that you will find at the bottom of the website www.americanexpress.es or by following the instructions indicated for that purpose in each communication received”. 

Specifically, GETNET will communicate self-employed people's and legal representatives' (i) identification and contact data; and (ii) commercial data. 
Commercial communications may be sent by automated and non-automated means (by post, telephone, SMS, instant messaging applications, email or any other digital channel available at any time).

Legal basis: consent. You can accept this processing by checking the box enabled for each processing in the agreement or in the transaction registration. This consent may be revoked at any time, by contacting privacidad.GETNETeurope@gruposantander.com or at the registered office.

Recipients: The Santander Group companies to which your personal data will be communicated are: Banco Santander, S.A. Santander Mapfre Seguros y Reaseguros, S.A, Santander Corporate & Investment Banking, S.A. All of the above companies are located at Calle Juan Ignacio Luca de Tena 11-13 28027 Madrid, Spain (DPO address privacidad@gruposantander.es).

Retention period: as long as the contractual relationship is valid.

 

Sending commercial communications from third parties outside of GETNET.

Purpose: sending commercial information about third-party products and services with which GETNET has a commercial agreement (by post, telephone, SMS, instant messaging applications, email or any other digital channel available at any time). The communications will cover different sectors, such as: financial, insurance, telecommunications, automotive, energy, real estate, technology, payment processing, digital money entities, venture capital, investment, sale and distribution of goods and services, or others. 
Therefore, only the data contained in our systems is processed and, specifically, legal representatives' and self-employed people's data, (i) identification and contact information, (ii) commercial data and (iii) the history of contracted products. GETNET will also be able to verify that the campaigns have been sent correctly, the opening statistics and their success rates (e.g. number of participants in a prize draw or increase in website visitors).

Legal basis: consent. You can authorise this processing by checking the box provided for this purpose in the agreement or in the transaction registration. This consent may be revoked at any time, by contacting privacidad.GETNETeurope@gruposantander.com or at the registered office.

Recipients: the data will not be disclosed to third parties.

Retention period: as long as the contractual relationship is valid. 

 

Call recording.

Purpose: your call will be recorded and stored for the purpose of guaranteeing that the service provided meets GETNET's quality standards. The recordings may also be retained as proof of the service and information provided. In this case, your (i) identification data (including voice) and (ii) all the data that you provide or that is required to resolve the query made will be processed. 
Whenever calls are recorded, you will be expressly informed before the recording begins.

Legal basis: legitimate interest in having a mechanism that guarantees that there are no deviations in the information provided to customers, ensuring that internal protocols are complied with and improvements to customer service are implemented. This interest has a direct impact on management and customer service and is subject to a process of continuous improvement.  This processing may not be objected to as there are compelling reasons to do so.

Recipients: data is not communicated to third parties.

Retention period: 30 days from the date of its collection. Whenever the call has implications regarding the agreement (e.g. if data is modified), it may be retained as proof of management for three (3) years. 

 

Audits and compliance verification. 

Purpose: all data processed (including calls and videos that may have been recorded) may be consulted for the purposes of carrying out internal controls to verify compliance, as well as audits that may be performed as a result of legal obligations or internal quality processes. All available data may therefore be used.

Legal basis: legitimate interest in verifying the adequacy of its processes to meet its legal obligations and internal quality standards for identifying, controlling and mitigating legal or operational risks. This processing may not be objected to as there are compelling reasons to do so. Audits may also be carried out as a result of legal obligations (e.g. auditing of accounts).

Recipients: data may be viewed by entities engaged in the provision of auditing services.

Retention period: for the duration of the agreement and, at the end of the agreement, for 10 years. 

 

4.    For how long is your data retained? 

GETNET will retain your personal data for the time necessary to fulfil the purpose for which it was collected. Once this period transpires, the data will be blocked, exclusively available to Courts and Tribunals or any other competent Public Administration (for example, money laundering prevention organisations or the Bank of Spain). 
The data will be deleted once the periods identified in each purpose have transpired. Please keep in mind that if the same data is processed for several purposes, it will be retained for the longest period.  

 

5.    Other recipients and international data transfers  

As a general rule, GETNET will only communicate data to third parties in the cases identified However, data may be communicated to public bodies that GETNET is obliged to notify in order to fulfil its legal obligations (Bank of Spain, Courts and Tribunals, Tax Agency or similar).

GETNET will collaborate with providers that may have access to your data and that will process the data in the name and on behalf of GETNET. Providers are selected following an exhaustive compliance verification process in order to guarantee adequate control in terms of data protection. An agreement is also signed in which these providers undertake to apply appropriate technical and organisational measures and to process personal data exclusively in accordance with GETNET's documented instructions; and delete or return the data to GETNET. GETNET will contract the provision of services by third parties that carry out their activity, by way of example and not limitation, in the following sectors: technological services, physical security, instant messaging, unpaid debt management entities and call centres.

Additionally, GETNET has suppliers that will be able to transfer your data to entities located outside the European Economic Area, for the provision of services. In particular, your data may be processed by entities located in the United Kingdom, a state that guarantees an adequate level of protection, according to the Commission Decision of 28 June 2021. Likewise, derived from the provision of intra-group services, the data may be processed by PNMS Merchant Solutions FZ-LLC (located in the United Arab Emirates),PNMS Merchant Solutions India Private Private Limited (located in India) and PagoNxt Merchat Solutions Brasil (located in Brasil), with which measures have been adopted that guarantee an adequate level of protection, through the signing of Standard Contractual Clauses between the parties. If you wish, you may request further information on the international transfers that we carry out, including a copy of the clauses adopted, by contacting the entity's DPO.

 

6.    What are your rights?

Below, we inform you of your legal rights. You may exercise your rights by writing to privacidad.GETNETeurope@ggruposantander.com or by post to Av. De Cantabria 3 Edificio Alhambra - 28660 Boadilla del Monte, Madrid. In both cases, you must specify the right exercised and provide valid data that identifies you (for example, your email address), for the sole purpose of identifying you in our systems and validating your identity. 

Pursuant to the law, you have a right to:

• Access: you may obtain confirmation on whether or not GETNET is processing personal data that concerns you and, if so, to know which data is being processed and the purpose for such processing. 
• Rectify: in case of inaccurate data. 
• Deletion: inter alia, when it is no longer necessary for the purposes for which the data was collected.
• Restrict the processing of your data: in which case, it will only be retained for the purpose of exercising or defending claims.
• Oppose the processing: the data controller will cease to process the data, except in the event of compelling legitimate reasons, or for exercising or defence against potential claims. 
• Challenge a decision that has been adopted in a solely automated manner so that it can be reviewed by a person who is a specialist on the matter. 
• Portability of your data so that it may be sent directly to the entity designated by you in a structured, commonly used and machine-readable format.
• Withdraw the consent that you have previously granted, without this affecting the legality of the processing.

GETNET also has a Data Protection Officer with whom you may communicate to formulate the queries, claims or incidents you deem opportune (e.g. if you do not understand any part of this policy, if you have doubts about GETNET's legitimate interests, if you would like further information about the risks to your privacy or if you have already made a complaint and have not obtained satisfactory response, among others that you consider opportune). To do so, you can write to the registered address or the email address indicated hereinabove. 

You may also file a complaint with the Spanish Data Protection Agency (as the competent data protection supervisory authority), especially if you have not obtained satisfaction in the exercise of your rights, by writing to the Agencia Española de Protección de Datos C/ Jorge Juan, 6 28001 – Madrid, or via the website https://www.aepd.es.

To facilitate the management process, you can manage your claim to the applicable control authority in your country (which will remit to the Spanish Data Protection Agency). In particular:

• Portugal: Comissão Nacional de Proteção de Dados, situada en Av. D. Carlos I, 134, 1º 1200-651 Lisboa, email geral@cnpd.pt
• Germany: Bavarian Authority, situada en Präsident des Bayerischen Landesamts für Datenschutzaufsicht Promenade 18 91522 Ansbach Germany.
• Poland: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa, email kancelaria@uodo.gov.pl