SECURITY AND PRIVACY
Once again, we advise you to invest: invest a few minutes in better security and privacy.
Using Online Banking
Bankinter was the first bank to incorporate technology to make life easier for its customers. We also strive to offer you a high level of protection and privacy of your data and operations. So:
- High security standards are implemented and developed to protect the authenticity, confidentiality, integrity and availability of Information Systems from an operational and technical standpoint.
- Online Banking web servers use an Extended Validation Certificate issued by Entrust.
- All information transmitted is encrypted with standard algorithms and keys established on each connection using TLS protocol, and our systems connected to the Internet have been protected by “firewalls” and intrusion detection systems, which would prevent a possible attack by protecting our Online Banking.
- We run regular internal and external Intrusion Tests on our Information Systems.
Bankinter is the first Spanish financial institution to simultaneously receive the ISO 22301:2012 and ISO/IEC 27001:2013 certificates from the British Standards Institution (BSI). These certifications guarantee the bank's operability and compliance with its requirements regarding the Business Continuity Management System and the Information Security Management System.
Additional security measures
- Every time you sign a transaction, you enter your coordinates using a display panel (this system averts the risk of malware that tries to capture information using keystrokes [“KeyLogger”]).
- You are automatically logged off after 20 minutes of non-use (30 minutes in the Broker). This measure prevents someone else from accessing your data on your computer if you forget to log off (by not clicking on Log Off).
- We have control systems for custom operating limits, so that a customer cannot carry out operations above a certain amount; and general operating limits, which limit the total amount of transactions that can be carried out through our websites. This measure limits the risk of any loss.
- You have to change the password the first time you log in so only you know it—to ensure nobody can impersonate you.
- Your Online Banking username and password must be at least 6 characters long, so they are difficult to guess.
- You can choose not to receive statements of account or regular mail about your banking activity; this also means there is less risk of someone finding out about your financial situation by looking through your mailbox. All statements of account and supporting documents for transactions are available and can be consulted on the website.
Biometric Login: Touch ID/Face ID on iOS and Fingerprint on Android
We can use the Biometric Login as an access method, based on TouchID technology, Apple FaceID and Android Fingerprint 6.0. We can use this technology to safely store certain data that can only be accessed via fingerprint. This data is stored locally on the device, in a single, secure and fingerprint-protected location, not synchronised in iCloud or copied in any device backups that might be made.
The Touch ID is only accessible on Apple phones from iPhone 5S with iOS8 or higher and on iPads with TouchID. The FaceID mechanism is only available on iPhone X.
Android fingerprint authentication is only available for devices that support fingerprint and Android 6 or higher.
The authentication process applied to the new online banking is based on enabling this secure location after a successful “manual” login through the new App. The user can safely store a unique key for that terminal which is fingerprint or face (FaceID) protected. For later authentication processes, all the user has to do is put the fingerprint on the sensor-button to access the private area directly (without typing in credentials). FaceID authentication is even more transparent for the user: all you need to do is face your phone.
Security
The volume of attempted fraud against us and other banks is increasing every year. These attempts involve emails that request your access details in response to a "Security Issue". Bankinter will never ask you for your access or signature passwords by email or any other means. If you have any doubts about the authenticity of an email in our name, contact Telephone Banking immediately.
Recommendations for your passwords
- Change your username and password regularly.
- Include numbers and letters in your username and password. Avoid using real names or things associated with you.
- Never reveal your password, particularly by email or phone.
Remember: Nobody at Bankinter will ever ask for your password; if this happens, it is an attempt at fraud (phishing, smishing, vishing, etc.). Do not trust emails that request your data, pop-up windows, forms that ask for several codes to sign transactions, even if they seem to be from us.
Recommendations for your connections
- Do not use the "Autocomplete passwords" option to connect to an entity or service.
- Do not forget to disconnect from the website once you have finished with it.
Recommendations for your computer
- Keep your browser version updated.
- Keep your operating system up to date with the latest updates.
- Avoid downloading from unknown websites.
- Always keep your antivirus up to date.
Security on your computer
The security of your computer is essential. Your computer should always be up to date.
Regardless of what you use your computer for, it should always be protected with appropriate tools, such as:
- An antivirus, which must always be up to date.
- A firewall.
Check out these free protection tools
Security on your smartphone
Mobile phones can also be infected with a virus. Our advice is:
- Do not breach the manufacturer's security (root/jailbreak).
- Install an antivirus.
- Do not download applications from unofficial sites.
- Be careful about the installation of applications and the permissions you give them.
Security in your browsers
The browsers you use to access Bankinter Online Banking must be up to date. This can help us prevent fraud, as they feature prevention technologies.
Privacy and data
Bankinter's processing of your personal data is conducted in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to personal data processing and on the free movement of such data and with Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, the LOPDGDD). Accordingly, we hereby inform you that Bankinter, S.A. ('Bankinter') is the party that controls your data.
As the data controller, Bankinter has the technical, organisational and human resources necessary to guarantee the security and protection of its information systems, as well as the data and information that are stored in them.
We will not transfer your personal data to any third parties, unless it is to comply with a legal obligation or unless you give your consent. However, service providers that Bankinter engages or may engage as data processors may have access to your personal data. In these cases, Bankinter guarantees the confidentiality of the personal data provided to third parties, as well as the implementation of appropriate security measures by these parties. Your personal data will be processed to comply with the applicable legal obligations and with the rights and obligations specified in your contracts with us.
We inform you that, unless you have indicated otherwise, your personal data will be used for the following purposes: (i) to inform you, through any channel (including electronic channels), about products and/or services which are similar to ones that you already have arranged with us and that the Bank wants to promote. (ii) assessing your personal characteristics using data that you have provided or data from your products and/or services so that we can learn more about you and anticipate your financial situation, personal preferences, interests and behaviours. This will enable us to prepare a commercial profile about you and find out which products and/or services that the Bank wants to promote may interest you, personalise marketing actions related to these products and/or services, and create new products and/or services and improve their features.
Provided you have given your consent, we may also process your personal data for the following purposes: (i) To enable Bankinter to send you commercial communications, by any channel (including electronic channels), about products and/or services of Bankinter, of Bankinter Group and its subsidiaries or of companies with which we have partnership agreements, which are not similar in any way to those you have already contracted, (ii) Incorporate your personal data obtained from external sources and evaluate your personal aspects with our own and external data in order to elaborate a commercial profile to know your interest in products and/or services that the Entity is interested in marketing, personalise commercial actions, new products and/or services, as well as improve their characteristics. For this data processing, data from public records, credit information systems, the Central Credit Register of the Bank of Spain (CIRBE), social media, Informa and other sources will be accessed. (iii) To share your personal data with companies in the Bankinter Group and its subsidiaries so that they can offer you products and/or services through different channels (including electronic channels). (iv) Sharing your personal data with Bankinter Group companies and its subsidiaries so that they can evaluate and predict personal aspects of your financial situation, preferences, interests or behaviour, with the aim of drawing up a commercial profile of you.
Personal data to be processed include: (i) data provided by you when you became a Bankinter customer and those you have provided for the contracting of the different products and/or services. (ii) data derived from the provision of the products and/or services you have contracted. (iii) data obtained from third parties when you have given your consent or when permitted by law.
You may exercise your rights of access, rectification, cancellation, opposition, restriction of processing and portability in the cases and within the scope specified in the applicable legislation at any time by calling Telephone Banking on 900 80 20 81, in person by visiting your branch or Bankinter agent, or by writing to: Bankinter, S.A. Operaciones 'Protección de Datos', Pico de San Pedro, 1 Tres Cantos CP 28760, Madrid.
For more information about how Bankinter processes your data, and in particular about the lawful basis for doing so, please refer to 'Use of personal data', which you can find below. If you have any further questions, please contact our Data Protection Officer at the following e-mail address: email@example.com
Use of personal data
You can find information on how we obtain your data, why we process them, the legal basis, the recipients of your data, and your rights in Information about the use of your personal data.
FAQs
How to detect and protect yourself from Phishing
Millions of emails are sent every day to try to acquire sensitive data. These emails usually ask users for their personal data with the excuse of a security update or a blocked account.
They take advantage of the trust that users have in their bank.
Remember: your coordinate card, username and password are used for your transactions and for nothing else. If someone asks you for them in our name, be suspicious. It is not us.
Bankinter will never contact you to ask you for your coordinates, username or password. If you are in any doubt, contact Telephone Banking immediately.
Why are we telling you this? Because there have been isolated cases of attempted fraud asking for this information, usually through emails. This criminal technique is called "phishing" and Bankinter does not want you to be affected by it. To help you, here are some tips that are as useful as they are simple:
- If you have connected to our website and you are asked for a coordinate without having started a transaction that would require it, do not enter it; it may be a virus.
- Do not open emails that are suspicious without confirming the identity of the sender by phone or in person.
- Always check that the address in your browser bar is Bankinter's.
- Ignore emails and calls that threaten to block your accounts or credit cards if you do not update your data. A bank would never do something like that.
- Do not open attachments from unknown sources.
- Do not open unexpected attachments, even if you think you know where they are from.
- Do not open attachments that are downloaded after clicking on a link in the text of an email.
- Do not open attachments with executable extensions (.exe, .bat, .com, .cmd, .scr, .vbs, etc.).
How can I protect myself from identity theft?
To protect ourselves against identity theft, we must protect our personal information and our access codes, and everything we use to sign off transactions: our coordinate card and our mobile phone if we have SMS-OTP as the second signature factor.
The first barrier is our password. This must be different to the one we use on other websites and must be sufficiently strong.
What is a banking Trojan?
A Trojan is malware (a malicious program) that is presented to the user as a seemingly legitimate and harmless program. But when it is executed it performs actions unknown to the user that put the security of the device at risk, such as allowing remote administration of a computer by an attacker. Trojans usually take total control of your equipment by exploiting weaknesses that have not been patched in installed components. The name comes from the famous Trojan horse used by the Greeks as a way of getting into Troy.
Once the attacker has control of the infected system, it becomes part of their network of machines, or BotNet. The attackers then usually put their BotNets at the disposal of the highest bidder in black market web pages designed for these purposes. BotNets are used for many purposes. These range from stealing confidential information (account information, email addresses, bank passwords, confidential documents, account numbers, credit card data, etc.) to causing service denials on servers (DDoS).
What is a virus?
Viruses are malicious code that is installed on our computers without us noticing. The virus contaminates our computer when we open an infected file, which usually comes to us in an email or when downloading a P2P network program. This contaminated file does not have to be an executable program: there are viruses that can be latent in Excel spreadsheets or Word documents, documents such as PDFs, or even in images. Viruses affect every operating system in use today. They usually act by draining the resources of our computers, causing productivity problems. A clue about a possible infection is that programs that used to work properly now need more resources and time and our computer starts going "slower" than usual.
How can we avoid getting a virus?
- Install an antivirus.
- The antivirus must be set up to update every day.
- We must never install pirated software.
- We should never open files in emails from unknown sources. If the message is suspicious, we should not open it, even if we know where it comes from.
Bankinter listens
We are here to answer your questions and banking queries, provide technical support, etc.
900 816 833