DATA PROTECTION NOTES OF SANTANDER FOR THE BILL/RATEN KAUF (as of May 17, 2018)

1.1 Payment methods invoice/instalment purchase

you can only be offered after prior verification of your creditworthiness and in connection with a assignment of the existing claim against you from the invoice/instalment purchase to Santander Consumer Bank AG (hereinafter "Santander"). This credit check and assignment requires the transfer of personal data by the trader to Santander and their processing by Santander.

1.2 Data protection law

Santander Consumer Bank AG Santander-Platz 1 41061 Mönchengladbach District Court Mönchengladbach, HRB 1747 is the "responsible person" within the meaning of Article 4(7) GDPR, in relation to the personal data transmitted to Santander and processed by Santander.

1.3 The contact details of Santander's data protection officer are:

Santander Consumer Bank AG Data Protection Officer Santander-Platz 1 41061 Mönchengladbach E-Mail: datenschutz@santander.de

1.4 Personal Data

in the foregoing, any information relating to an identified or identifiable natural person (also known as the "data subject"). These include, for example, Your name, address or contact details, as well as information about your past payment behaviour or creditworthiness.

1.5 If you have given your consent to check the availability of the payment methods instalment/invoice purchase, the merchant first transmits the following information to Santander for the purposes of the credit check: salutation, name, address, date of birth, billing and delivery address. Santander will process this personal data, as well as any payment experience stored by Santander from a prior installment/invoice purchase between you and the merchant, or you and another merchant offering the payment method of installment/invoice purchase in cooperation with Santander, in order to calculate for the merchant and himself a probability value of the receivables settlement by you. Santander will also transmit this data to CRIF Bürgel GmbH, Radlkoferstr. 2, 81373 Munich in order to obtain a credit report about you in the form of a probability value of the claims settlement, to validate your specified address data and to have your information checked in order to avoid fraud. As part of this check, your address data will also be used to match, for example, available information about known fraud cases or attempts by persons with the same address. The legal basis for this is your consent given in connection with Art. 6 sec. 1 lit. a) GDPR. You cannot be offered the payment method of purchase invoices/instalments without your consent.

1.6 Santander stores this data

and the credit information received about you from the credit reporting agencies in order to prepare your fixed asset as a customer in your own systems in preparation for the invoice/installment purchase, or if the credit report of the credit reporting agencies does not allow an invoice/rate purchase to document the reasons for the rejection. The legal basis for this is Art. 6 (1) lit.b) GDPR. In this context, Santander will also verify whether Santander has already registered you as a customer in order to fulfill your legitimate interest in a correct set of data, and will verify your address details for completeness and accuracy on the basis of the data already collected. The legal basis for this is Art. 6 sec. 1 lit. f) GDPR

1.7 If the invoice/instalment purchase is made,

Santander processes your contract data from the invoice/installment purchase, information about its fulfilment, such as delivery of the goods, as well as information about your payment of the invoices or open claims for the purposes of the collection of claims, or in the case of assignment to third parties such as a debt collection service provider for the purpose of recovery by the latter in order to safeguard the legitimate interests of this third party. The legal basis for this is Art. 6 sec. 1 lit.b) GDPR, or in the case of assignment of the claim to a debt collection service provider Art. 6 sec. 1 lit. f) GDPR in conjunction with Section 402 of the German Civil Code (BGB). In addition, Santander stores information about your timely, delayed or non-payment of the claim from the invoice/instalment purchase in order to safeguard your legitimate interest in the simplified execution of the possibility to offer you the payment method invoice/instalment purchase in cooperation with a trader, i.e. in order to process and use this information in the decision described in section 1.5 above. The legal basis here is Art. 6 sec. 1 lit. f) GDPR.

1.8 If you have given your consent to Santander's commercial address as part of the examination of available payment methods,

Santander will also process your salutation, your name, address, email address and telephone number, the information about the claim resulting from the invoice/instalment purchase and your settlement to inform you about other Santander products to finance and/or replace the claims from the invoice/installment purchase. The legal basis for this is the consent given in connection with Article 6 (1) lit. a) GDPR.

1.9 Your personal data

are transmitted to the technical service providers commissioned by Santander in the context of the execution of the contract, to the information agency described in clause 1.5 above and in the case of assignment to third parties, such as to debt collection service providers, to these third parties.

1.10 Santander stores your personal data

in the event of an instalment/invoice purchase until the full payment of the claim and to the extent necessary until the end of the statutory retention obligation. If there is no invoice/installment purchase after checking the available payment options, Santander will store your data about you as part of the audit, as well as the information provided by the credit bureaus until the expiry of any deadlines for asserting claims of the trader against Santander under the underlying cooperation agreement on the purchase of instalments/invoices. The aforementioned statutory retention obligations may arise in particular from the commercial regulations (in particular Section 257 of the German Commercial Code) for received commercial letters as well as reproduction of sent commercial letters, which also include corresponding e-mails (6 years) as well as from the tax regulations (especially Section 147 AO) for all accounting-relevant documents (6 to 10 years).

1.11 According to the provisions of the GDPR,

as a data subject, you have various rights that you may assert against Santander as the controller. To assert these data subject rights, please contact Santander's data protection officer at the address listed in section 1.3 above. Please understand if the Data Protection Officer asks you to identify yourself as the data subject (e..B. by presenting a copy of your identity card); where such rights are asserted, Santander must, of course, establish that those rights were in fact invoked by the person concerned itself in order to avoid abuse by third parties to the detriment of the person actually concerned.

(a) Under Article 15 GDPR, the data subject has the right to information about the personal data concerning him/her and

    • the processing purposes;
    • the categories of personal data that are processed; And
    • the recipients or categories of recipients to whom the personal data have been or are still being disclosed, in particular for recipients in third countries or international organisations;
    • the planned duration for which the personal data will be stored (if possible) or, if this is not possible, the criteria for determining that duration;
    • if the personal data are not collected from the data subject, all available information on the origin of the data; And
    • the other rights of the persons concerned explained below.

b) As a data subject, you have a right to request from Santander, as the controller, without delay the correction of the inaccurate information stored by Santander as well as the completion of incomplete personal data.

c) The controller has the obligation to delete personal data and the data subject has a right to this if the conditions laid down in Art. 17(1) GDPR are met and none of the exclusion grounds mentioned in Article 17(3) GDPR exists. In the cases standardised in Article 17(2) GDPR, the data subject has the right to be forgotten if Santander, as controller, had previously made the personal data of a data subject public, but is obliged to delete it in accordance with Article 17(1) GDPR.

d) Insofar as the legal basis for the processing of your personal data above is the balance of interests specified in Art. 6 sec. 1 lit. (f) GDPR, you have the right to object to this, after which Santander will review your balance of interests again.

e) You have the right under Article 20 GDPR to receive the personal data concerning you that you have provided to Santander in a structured, common and machine-readable format and you have the right to transmit this data to another controller or to obtain the transfer by Santander, as far as this is technically feasible.

f) You also have the right to revoke a Santander consent at any time with effect for the future. This does not affect the legality of the processing carried out on the basis of consent until revocation. For the revocation, please contact the Data Protection Officer under the contact details specified in clause 1.3.

g) The provision of the personal data described above is a prerequisite for the merchant's offer of the payment method of purchase invoices/instalments in cooperation with Santander.

h) As data subjects, you have a right of appeal to the supervisory authority under Article 77 GDPR if you consider that the processing of your personal data is unlawful.