Additional information on data protection
Banco Santander, S.A. - Relación con Accionistas e Inversores del Banco Santander - (hereinafter, the “Bank”) fully complies
with the regulations on personal data protection and, in particular, with REGULATION (EU) 2016/679 OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter, “GDPR”). Thus, the
processing of the personal information provided by the data subject, who may act on his or her own behalf or on behalf
of an individual or legal entity as its representative (hereinafter, the “Shareholder”) to Accionistas e Inversores de Banco
Santander S.A. for communications, enquiries, and transactions requiring personal data, on the websites, App, and other
channels in his or her capacity as shareholder, shall be carried out in compliance with the applicable legal guarantees and
obligations.
The Bank has implemented the appropriate technical and organisational measures to ensure an adequate level of security
and to prevent the loss, misuse, alteration, unauthorised access and theft of the data provided by the Shareholder. Likewise,
the Bank guarantees that it complies with its duty of secrecy and confidentiality with respect to the personal data provided
by the Shareholder on the websites, Apps and other channels through which it provides its data.
The Bank advises that the website is intended exclusively for Shareholders, and therefore registration by data
subjects who are not Shareholders is not permitted. In any event, anyone who registers in the website without being a
Shareholder does so at their own risk and is responsible for requesting, if they so wish, to unsubscribe from any commercial
communications they receive regarding third-party advertising sent by the Shareholder and Investor Relations area.
The communication of personal data by the Shareholder is a necessary requirement for, among other purposes, the Bank
to be able to inform the Shareholder of relevant information in his/her capacity as shareholder, of his/her participation
in the General Shareholders’ Meeting, of procedures and consultations and of the advantages and promotions that he/she
may enjoy as a shareholder, as well as to be able to make use of certain functionalities offered on the websites,
communications and channels exclusively for shareholders.
I.- Who is the Data Controller?
The Data Controller's details are provided below:
- Identity: Banco Santander S.A., with Tax Identification Number A-39000013
- Contact details of the data controller:
- Registered office: Ciudad Grupo Santander. Avda. de Cantabria, Edificio de Pereda 2ª Planta, 28660 Boadilla del
Monte (Madrid), Spain.
- Address for notification purposes: Ciudad Grupo Santander. Avda. de Cantabria, Edificio de Pereda 2ª Planta, 28660
Boadilla del Monte (Madrid), Spain.
- Contact e-mail address: protecciondedatosaccionistassan@gruposantander.com
II.- Who is the Data Protection Officer and how can you contact him/her?
The Data Protection Officer is responsible for ensuring compliance with the GDPR in order to guarantee the protection
of the personal data provided by the Shareholder through the website.
To contact the Data Protection Officer, the Shareholder may send a communication to the following e-mail address: privacidad@gruposantander.es.
III.- What personal data we process, for what purpose and under which legal basis we process
them and how long we keep them.
We process the following personal data:
- Shareholder data: name and surname(s), ID/passport number, postal and e-mail address, mobile phone number,
number of shares and shareholder number, image, voice, age, access codes, the data necessary for the execution of an
event or draw or communications or formalities with shareholders and, when the Shareholder gives his/her consent,
biometric data of the Shareholder for identification purposes.
- Contact details of employees of institutional shareholders: name and surname, e-mail address, telephone number
and company to which they belong. In order to keep the data up to date, as required by the regulations, the employer
and shareholder must inform the Bank if they cease to be an employee or contact person.
In the event that personal data relating to other natural persons are provided by a third party, the latter must inform
them of the content of this Privacy Policy and comply with any other requirements that may be applicable for the correct
communication of the personal data to the Bank, without the Bank having to take any additional action in terms of
information or consent.
Personal data are provided to the Bank:
- By the Banking Institutions and Securities Companies and Agencies in which the Shareholders have their shares
deposited, through the entity legally authorised to keep the book-entry register (Sociedad de Gestión de los Sistemas
de Registro, Compensación y Liquidación de Valores, S.A. Unipersonal - “Iberclear”).
- By the Shareholders through the different communication channels.
- By the Shareholders through the different events or draws in which they participate.
The Bank will process the Shareholder’s data in connection with the following activities:
- Management of access and, if applicable, registration of the Shareholder on websites and of Shareholders and
investors. The Bank will use the Shareholder’s data to manage access and, if applicable, registration, in order to enable
the Shareholder to take advantage of the services and functionalities offered on the website. Access to the website will
be granted through digital keys.
- For Shareholders who are customers of Banco Santander, S.A., registration will be carried out using the digital
keys to Banco Santander’s online banking.
- For non-customer Shareholders of Banco Santander, S.A., registration will be carried out using the digital access
codes that can be obtained in the following ways:
- By providing a photocopy of your identity document at a Banco Santander branch in Spain.
- Requesting video identification. In this case, your image pattern, extracted from your photograph during the
identification process and from the photograph included in your identification document, will be processed. This
biometric data will be processed on the basis of the consent given by the Shareholder.
- Using an electronic certificate.
The legal basis of processing for access management is the execution of the shareholder relationship. The data provided will be
retained until you object or unsubscribe from the website or cease to be a Shareholder. After that, your data will be retained
for 10 years and then they are to be kept blocked for 5 years, unless for the statute of limitations of any applicable legal
actions. Thereafter, it will be permanently deleted.
- Banco Santander Shareholder Register. The Bank will keep a record of the Shareholder’s identification information
(name, surname), shareholding position (number of shares) and contact details (contact telephone number and address). The legal
basis for this processing is the performance of the shareholder relationship and, sometimes, compliance with legal obligations.
The data provided will be retained until you cease to be a Shareholder. After that, your data will be retained for 10 years and
then they are to be kept blocked for 5 years, unless for the statute of limitations of any applicable legal actions. Thereafter,
it will be permanently deleted.
- Institutional communications by the Shareholder and Investor Relations area. The objective is to communicate relevant
information related to their status as shareholders, such as inside information, other relevant information, quarterly
reports, corporate operations and other institutional communications. The legal basis is the execution of the shareholder
relationship itself and, sometimes, compliance with legal obligations.
In the case of institutional shareholders, the contact data will be processed for the purpose of maintaining the relationship
with their employing entity in their capacity as institutional shareholder (including sending communications, handling
queries or handling voting / proxy management at the General Shareholders’ Meeting). The legal basis for the processing of
the proxy data is the execution of the shareholder relationship with your employing entity Shareholder of the Bank.
The data provided will be retained until the Shareholder objects or ceases to be a Shareholder. After that, your data will be retained
for 10 years and then they are to be kept blocked for 5 years, unless for the statute of limitations of any applicable legal actions.
Thereafter, it will be permanently deleted.
- General Shareholders’ Meeting.
- To manage, where applicable, the interventions of those attending the General Shareholders’ Meeting, the
vote before and by those attending the General Shareholders’ Meeting and to enable proxy voting and the
exercise of the other rights of the shareholder to be granted to a third party. The Bank will use the personal data to manage the interventions
of the Shareholders in connection with the General Meeting (including recording it in the minutes of the General Meeting), to process the validly cast vote,
as well as the delegation of the vote to a third party and the exercise of the other rights of the shareholder, through any of the means provided for such
purpose. The use of video or audio means of participation shall entail the processing of your image and/or voice. Likewise, when casting your vote prior
to the General Meeting or granting your proxy by telephone, the Bank may record your data (including your voice) in order to correctly record the proxy
and/or vote and accredit your participation. This processing is carried out for the purpose of performing the shareholder relationship and, sometimes, in
order to comply with legal obligations. The data provided will be kept for a period of 10 years from the end of the General Meeting. Subsequently, your
data will be retained for 10 years and then they are to be kept blocked for 5 years, unless for the statute of limitations of any applicable legal actions.
Thereafter, it will be permanently deleted.
- Recording and broadcasting of the General Meeting. The Bank may record and broadcast the General Meeting,
as well as the interventions submitted by the Shareholders, in order to enable a full and proper broadcasting of the General
Meeting to its Shareholders. Such broadcasting may involve third parties having access to data relating to your image and/or voice,
if applicable. The legal basis for this processing is compliance with legal and regulatory obligations to allow Shareholders to
intervene at the General Meeting and to allow other attendees to follow their interventions, as well as the Bank’s legitimate
interest in managing the General Meeting in compliance with the recommendations of good corporate governance and in ensuring the
transparency of the deliberations and the results of the voting. You may object to the processing based on legitimate interest
through the mechanisms provided on the website where the General Meeting is held, through the use of written means of participation
or by the means specified in section “V - What are your rights when you provide us with your data”. In any event, for further
information on the processing of your personal data carried out in connection with the General Shareholders’ Meeting, you may refer
to the privacy policy included in the relevant announcement of the General Shareholders’ Meeting. The recordings will be kept available
for 10 years. After that, your data will be retained for 10 years and then they are to be kept blocked for 5 years, unless for
the statute of limitations of any applicable legal actions. Thereafter, it will be permanently deleted.
Those attending the General Shareholders’ Meeting are informed of the prohibition on the recording and
broadcasting of the General Meeting and of any interventions made by shareholders (or their representatives)
prior to the General Meeting. The Bank shall not be liable for unauthorised recording and/or dissemination of
personal data by those attending the General Meeting or other third parties who may have access to such data.
- Queries, doubts and/or suggestions raised by the Shareholder through the contact channels.
- The Bank will use the personal data to evaluate, manage and respond to queries, doubts and/or suggestions that
the Shareholder may raise through the various contact channels (email, telephone, WhatsApp, etc.). This processing
may imply that either the Bank or third parties may have access to data relating to your image and voice. The legal
basis for this processing is the execution of the shareholder relationship itself and, on occasion, the existence of a
legitimate interest consisting of providing due attention and support to its shareholders in compliance with their
shareholder relationship.
With regard to the Bank’s dialogue with users on social networks, this channel is not the ideal one for you to
formulate complaints or suggestions. However, in the event that you send us any type of request or complaint via
social networks, we will, if necessary, request your consent to transfer your minimum personal data so that they can
deal with you and process your request properly.
The legal basis for this processing is your consent given through the authorisation message you have provided us with through the means
of interaction included in the social network. It is important to take into consideration that, when interacting with the Bank through
social networks, the terms of use established by the owner of the social network are beyond our control. Therefore, they are not covered
by the content of this Privacy Policy. We recommend that you ensure that you are aware of and agree with their legal terms and conditions
and privacy rules before continuing to use them or providing any personal information.
The data provided will be kept for the time necessary
for the resolution of the query. After that, they will be kept for a period of 6 years and then your data will be retained for 10 years and
then they are to be kept blocked for 5 years, unless for the statute of limitations of any applicable legal actions. Thereafter, it will be
permanently deleted.
- The Bank may record the shareholder’s personal data, including “voice” data when the shareholder addresses the Bank by
telephone, in order to maintain the quality of service and to use the recordings as evidence in and out of court, if necessary. This
processing is necessary for the performance of the shareholder relationship itself (this being its legal basis) as well as the satisfaction
of the Bank’s legitimate interests such as the verification of compliance with its obligations as an issuing company and the formulation,
exercise or defence in any legal proceedings. You may object to the processing based on the legitimate interest indicated. The data provided
will be retained until the Shareholder objects or ceases to be a Shareholder. Thereafter your data will be retained for a period of 6 years.
After that, your data will be retained for 10 years and then they are to be kept blocked for 5 years, unless for the statute of limitations
of any applicable legal actions. Thereafter, it will be permanently deleted.
- Commercial communications about the Bank’s products and services offered by the Shareholder Relations area. The Bank may use your e-mail
address, telephone number and postal address to send you commercial communications about certain advantages and benefits of the Bank (i.e., related to
the financial sector), to send you quality surveys offered by the Shareholder and Investor Relations area, which correspond to you as a shareholder, and
to invite you to participate in prize draws organised by that area and to invite you to forums and events. The legal basis to send you the aforementioned
communications is based on the Bank’s legitimate interest in offering advantages to Shareholders, due to the fact that they hold this status and to promote
the Bank’s image. You may object to the processing of your personal data based on legitimate interest. The data provided will be retained until the Shareholder
objects or ceases to be a Shareholder and then for a period of 3 years. After that, your data will be retained for 3 years and then they are to be kept blocked
for 3 years, unless for the statute of limitations of any applicable legal actions. Thereafter, it will be permanently deleted.
- Events or forums: to manage their attendance and, where appropriate, to send invitations, confirmations or accreditations
for access thereto. When the Shareholder voluntarily decides to participate in such events, the Bank may process his or her
personal data and the data necessary for attendance at the event. The legal basis for this processing shall be the performance
of the contractual relationship. The data provided will be retained until the end of the event, after which they will be retained
for a period of 6 years. Thereafter, they will be blocked for 3 years and then permanently deleted, unless they are to be kept
blocked for a longer statute of limitations for any applicable legal actions.
- Execution of promotions and draws by the Shareholder and Investor Relations area. As indicated in section 7 above, the Bank, on a regular
basis, organises promotions, contests and draws exclusively for the Shareholders, so that they may participate and benefit, if applicable, from the prizes
offered under the promotions organised. When the Shareholder voluntarily decides to participate in promotions, the Bank may process the Shareholder’s
personal data in order to manage his/her participation and to communicate, where appropriate, his/her status as a winner. This processing will be carried
out for the execution of the contractual relationship that materialises with the participation in each promotion, draw or competition organised. Participation
in these promotions and draws will be taken into account by the Bank in order to send you future communications about other communications and draws, as
indicated in purpose 6 of this Privacy Policy. The data provided will be retained for the period necessary for the execution and organisation of each of
them. After this, they will be retained for a period of 6 years and then, your data will be retained for 10 years and then they are to be kept blocked for
10 years, unless for the statute of limitations of any applicable legal actions. Thereafter, it will be permanently deleted.
In the context of the processing activities described in sections 7 and 8 above, the Bank may process the personal data of
third parties accompanying the Shareholder. The legal basis shall be the performance of the contractual relationship. If the
Shareholder provides data of third parties, the Shareholder warrants that he/she has duly informed the data subject of the
information contained in this Privacy Policy. In the event that the Shareholder is accompanied by a minor under 14 years of
age, the Shareholder must also have the authorisation of the holders of parental authority or guardian of the minor under
14 years of age for the processing of the personal data of the said minor.
IV.- Will your data be communicated?
With regard to the communication of data, you are hereby informed that, as a general rule, the Shareholder’s personal
information will not be communicated to third parties, nor will it be subject to international transfers of data to third
countries or international organisations.
In the event that it is necessary for the data controller to carry out international transfers of personal data outside the
European Economic Area, the controller will take the necessary measures to ensure an adequate level of protection (e.g.,
the signing and execution of the Standard Contractual Clauses approved by the European Commission in 2021 and any
additional guarantees that may be necessary). For further information on these measures, please contact us by: (i) writing
to protecciondedatosaccionistassan@gruposantander.com or (ii) writing to Ciudad Grupo Santander; Avda. de Cantabria,
edificio Pereda 2ª Planta, 28660 Boadilla del Monte (Madrid), Spain.
However, the Shareholder is hereby informed that, in order to comply with the obligation to publish, where required by
law, requests for information, clarifications or questions regarding the General Meeting received on the Bank’s website, any
request for information, clarification or question submitted to any of the mailboxes provided for the attention of shareholders
may be published on the Bank’s website, and that the data associated with such request shall be publicly accessible.
The personal data provided for or at the General Meeting shall be accessible to the notary who attends the General Meeting
and may be provided to third parties in the exercise of the right to information provided by law or be accessible to the
public insofar as they are included in the documentation available on the Bank’s corporate website (www.santander.com)
or are disclosed at the General Meeting, the proceedings of which may be the subject of audio-visual recording and public
broadcasting on such website. In particular, the identification data provided by those who attend the General Meeting
remotely, together with the interventions that they make, if applicable, through the remote attendance application and the
number of shares they own and/or represent, may be accessible by third parties in accordance with the foregoing provisions.
By intervening in the General Meeting (remotely), the attendee authorises the audio-visual recording of image and/or voice,
as well as the reproduction and/or publication and dissemination of his/her intervention (by audio, video or in writing) in the
terms indicated above. Your personal data may also be communicated to the competent authorities in the exercise of their
functions.
V.- What are your rights when you provide us with your data?
The shareholder has the following rights:
- Right of access: the right of access to personal data processed by the Bank in accordance with Article 15 of the
GDPR.
- Right of rectification: the right to request that the Bank rectify certain personal data of the Shareholder in
accordance with Article 16 GDPR.
- Right of objection: the right to object to those processing activities identified in section III above that are based
on consent or on the existence of a legitimate interest in accordance with article 21 GDPR. In those cases in which
the processing is based on the existence of a legitimate interest, the Shareholder shall have the right to request
the balancing test carried out by the Bank. If such processing is also for the purpose of sending the Bank’s own
or third parties’ commercial information, the Shareholder may opt-out free of charge and voluntarily (for further
information, see https://www.listarobinson.es/). Further information on how to object to the processing of your personal
data during the General Meeting can also be found in the relevant announcement of the General Meeting.
- Right of erasure: the right to request the Bank to erase all or part of the Shareholder’s personal data in accordance
with Article 17 GDPR.
- Right to restriction of processing: the right to obtain from the Bank the restriction of the processing of your
personal data if one of the conditions set out in article 18 of the GDPR is met.
- Right to portability of personal data: the right to receive the data you have provided to the Bank in a structured,
commonly used and machine-readable format and to have it transmitted to another controller (or to have it
transmitted directly to the new controller, where technically possible), in accordance with Article 20 GDPR.
- The right to withdraw the consent given to carry out the processing identified in section III above, without such
revocation having retroactive effects, in accordance with article 7.3 of the GDPR, nor generating any type of negative
consequence on the Shareholder or their shareholding relationship.
- The right not to be subject to a decision based solely on automated processing, including profiling, which
produces legal effects or significantly affects him/her. The Bank informs the Shareholder that it does not make
decisions based on automated systems.
These rights may be exercised by sending a written communication to the following address
protecciondedatosaccionistassan@gruposantander.com or by post to Banco Santander, S.A. - Área de Relación
con Accionistas e Inversores-, Ciudad Grupo Santander. Avda. de Cantabria, Edificio de Pereda 2ª Planta, 28660 Boadilla
del Monte (Madrid), Spain.
Without prejudice to any other administrative remedy or legal action, the Shareholder may in any case file a complaint
with the Spanish Data Protection Authority, especially when he/she has not obtained satisfaction in the exercise of
his/her rights, through the website www.aepd.es.