PRIVACY POLICY

1. INTRODUCTION – SCOPE OF APPLICATION

This privacy policy (hereinafter the “ Privacy Policy ” or the “ Policy ”) is intended to regulate and provide information regarding personal data processing carried out by Open Digital Services, S.L., (hereinafter, “ Open Digital Services ” or “ ODS ”), in relation to: (i) users of the website: https://www.opendigitalservices.com (hereinafter, the “ Website” ).

Through this Policy, we will provide you with information regarding the categories of personal data that we process, the means by which we have obtained your personal data, the purposes for which we collect and process your personal data, the legal basis for this processing, the recipients of the data, the length of time data is stored, your legal rights with regard to your personal data, as well as any other privacy information we believe should be provided to you in order to ensure complete transparency at all times.

Please bear in mind that throughout your relationship with us, in addition to providing you with this Privacy Policy, we will inform you of some of the data processing that will take place.

Please take a moment to read and fully understand the contents. If you have any questions, you can contact us using the details below.

1.1 Definitions

To ensure a better understanding of how we process your personal data, in this section we explain the meaning of some key terms that we use throughout this Privacy Policy, many of which are based on the definitions set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016:

• “ GDPR ”: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
• “ Personal data ”: any information that identifies you or could potentially identify you, such as your first and last name(s), national identity number, address, account number, or even data about your behaviour.
• “ Processing of personal data ”: any operation we perform on your personal data, whether automated or not, such as collection, organisation, storage, modification, communication or erasure.
• “ Data controller ”: the natural or legal person who decides why and how your data are processed. In this case, unless we indicate otherwise, the Data controller is Open Digital Services. You can find our identification details in the following section.
• “ Data processor ”: the natural or legal person who processes your data, following the instructions of the Data controller, such as our technology service providers or customer service representatives.
• “ Data subject ”: you or any other natural person who is the subject of the data being processed.
• “ Third parties ”: any natural or legal person other than the Data subject, Open Digital Services and the persons or entities acting under our direct responsibility.
• Consent of the Data subject : this is the expression of the Data subject's will, whereby they freely, specifically, informedly and unequivocally accept that their data will be processed. This is one of the legal bases that allow data processing, as set out in Article 6.1. (a) of the GDPR.
• Performance of a contract or ‘implementation of pre-contractual measures at the request of the Data subject’: This is one of the legal bases that allows data processing, as set out in Article 6.1. (b) of the GDPR. It applies when certain personal data must be processed in order to manage the request or provide the service.
• Legal obligation : when we cite this term as a legitimising basis, we are referring to the legal basis set out in Article 6.1. (c) of the GDPR. This basis can be used when there is a legal obligation that applies to the entity
• Legitimate interest : when we cite this term as a legitimising basis, we are referring to the legal basis set out in Article 6.1. (f) of the GDPR. This basis may be used provided that the interests or fundamental rights and freedoms of the Data subject do not override the interests or fundamental rights and freedoms of the entity or a third party.

2. WHO IS THE CONTROLLER OF YOUR DATA?

Corporate name: Open Digital Services, S.L.

Registered address: Plaza de Santa Bárbara nº 2, 28004, Madrid.

Data controller’s contact details: privacy@opendigitalservices.com .

3. WHAT DATA DO WE PROCESS AT OPEN DIGITAL SERVICES AND HOW DO WE OBTAIN IT?

We will process the following categories of Personal data depending on how you interact with us through the Website and the purposes described in Section 4 below:

• In relation to website users , we may process online identifiers, device data, and browsing habits and preferences collected through cookies and similar technologies. Where an individual contacts us by email at privacy@opendigitalservices.com , we may also process identification and contact data, as well as any other Personal data contained in that communication.
• If you are a candidate applying to a Job vacancy, please refer to the specific Privacy Policy in the Santander Careers webpage. In relation to the reporting channel (Canal Abierto), please refer to the specific Privacy Policy in the Canal Abierto webpage ..

These data are obtained directly through your interaction with the Website.

4. FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA?

Depending on the nature of your relationship with us, we will process your Personal data differently. Below, we explain the scope of this processing in each case, including the purposes of the processing and the legal bases applicable.

Please, remember that, at any time, in relation to any of the processing described, you may exercise your data protection rights as set out in Section 8 "What rights do you have with regard to the processing of your personal data?" .

When you access and browse the Website, Open Digital Services processes Personal data relating to you for the following purposes:

• The installation of cookies on your browser in order to analyse visits to the Website, enable certain user preferences and improve your browsing experience, subject, where applicable, to your prior consent. In addition, certain cookies are used for technical purposes necessary for the proper functioning of the Website, based on the legitimate interest pursued by Open Digital Services in ensuring its correct operation. Further information on the use of cookies is available in our Cookies Policy, which can be accessed at the footer of this Website.
• The management and handling of communications or requests received through the email address privacy@opendigitalservices.com , published on the Website, for the purpose of addressing data protection rights requests or responding to queries relating to the processing of personal data. Such processing is carried out on the basis of the legitimate interest of Open Digital Services in properly assisting users and ensuring an adequate response to their requests.

5. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

Open Digital Services will retain your Personal data for as long as necessary to fulfil the purposes for which it was collected, as described in Section 4 , and, where applicable, for the duration of any applicable statutory limitation periods.

Thereafter, your Personal data will be duly blocked for the period necessary, during which its processing will be restricted to storage only, in order to make it available to competent public authorities, judges and courts, or the public prosecutor’s office, in connection with any potential liabilities arising from the contractual relationship maintained with you or from the processing of your personal data. Subsequently, your personal data will be deleted or, where appropriate, irreversibly anonymised.

6. WHO DO WE SHARE YOUR DATA WITH?

Open Digital Services may share your Personal data with the following recipients:

1. Public authorities, official bodies, supervisory and oversight bodies, and competent tax authorities which request said data for the purposes of complying with the regulations in force at any time.
2. Santander Group companies (in accordance with the provisions of Article 42 of the Spanish Commercial Code) to comply with their internal regulations on the prevention of financial crime, their legal obligations with regard to the prevention of money laundering or regulatory reporting to the supervisory authorities.
3. Third-party service providers which may have access to your Personal data, they will process data on our behalf as Data processors, following our instructions at all times and always to provide us with services that we have engaged from them in each case. Specifically, ODS contracts services from third-party providers which operate in sectors including but not limited to the following:, legal advisory services, private valuation/appraisal services, supplier approval, multidisciplinary professional services companies, hosting companies, maintenance-related companies, technology service providers, IT service providers, physical security companies, instant messaging service providers, infrastructure management and maintenance companies, and audit and control companies.

In any case, ODS follows strict selection criteria for third-party service providers in order to comply with our data protection obligations, and we undertake to enter into data processing contracts with them that impose the following obligations, among others: applying appropriate technical and organisational measures; processing personal data for the agreed purposes and only in accordance with our documented instructions; and deleting or returning the data to us once the services have been provided.

In certain cases, the disclosure of Personal data to the recipients for the purposes described above may involve the international transfer of your data outside the European Economic Area. In such cases, ODS has implemented appropriate safeguards to ensure that your Personal data is processed with a level of protection equivalent to that provided within the European Economic Area.

In particular, Open Digital Services relies on the mechanisms provided for under applicable data protection regulations to ensure adequate safeguards, such as the execution of Standard Contractual Clauses approved by the European Commission or reliance on adequacy decisions issued by the European Commission.

You can consult the international data transfers we carry out here or by contacting privacy@opendigitalservices.com .

7. HOW DO WE HANDLE AND SAFEGUARD YOUR PERSONAL DATA?

Open Digital Services ensures that Personal Data are processed in accordance with the principles set out in GDPR, in particular that such data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected and processed.

To this end, Open Digital Services adopts appropriate measures to ensure that Personal Data are accurate and, where necessary, kept up to date, and that any data that are inaccurate, incomplete or no longer necessary for the purposes for which they were collected are erased or rectified without undue delay.

Open Digital Services implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including, as appropriate, measures such as pseudonymisation and encryption of Personal Data, and safeguards to protect against unauthorised or unlawful processing, as well as accidental loss, destruction or damage. Likewise, we apply appropriate measures to guarantee permanent confidentiality, integrity, availability and resilience of the processing activity systems and services.

ODS ensures that its personnel receive specific training in data protection matters and periodically updated as part of our mandatory training programs.

7. WHAT RIGHTS DO YOU HAVE WITH REGARD TO THE PROCESSING OF YOUR PERSONAL DATA?

We can inform you that you have, and can exercise, the following rights:

1. Right of access : you have the right to obtain confirmation as to whether or not ODS is processing personal data about you, and if so, to access said data.
2. Right to data portability : you have the right to receive the personal data you have provided to us in a structured, commonly used and readable format, and to transfer it to another entity.
3. Right to rectification : you have the right to request the rectification of any inaccurate data.
4. Right to erasure : you can request the erasure of the data when, among other reasons, the data is no longer necessary for the purposes for which you gave it to us.
5. Right to object : under certain circumstances, you can object to certain processing of your personal data. In this case, ODS will immediately stop said data processing, in accordance with the applicable regulations.
6. Right to restrict processing : under certain circumstances, which are established by current data protection regulations, you can request restrictions on the processing of your data.
7. Right to withdraw your consent : you may withdraw any consent you have granted at any time. Withdrawing consent will not affect the legality of processing based on the consent prior to its withdrawal.
8. Right not to be subject to automated decisions-making : if you have authorised profiling and this has been carried out entirely by an automated process, you can request the personal involvement of one of our analysts, express your point of view, and contest decisions based on these profiles. At this stage, you can provide any additional documentation that you consider necessary.

You can exercise the aforementioned rights through the following channels:

• Email: privacy@opendigitalservices.com .
• By post: Plaza de Santa Bárbara nº 2, 28004, Madrid.

Finally, you can make a complaint to Open Digital Services and/or the Spanish Data Protection Agency (as the competent supervisory authority with regard to data protection), especially when you are not satisfied with the exercising of your rights, by writing to the aforementioned address(if writing to Open Digital Services), or to C/Jorge Juan, 6, 28001, Madrid, Spain; or through the website www.aepd.es (if writing to the Spanish Data Protection Agency)