Regulatory Alerts2014-07-30
Circular 4/2014 of the Bank of Spain on the Creation and Modification of Personal Data Files
The Bank of Spain issued Circular 4/2014 to create one new personal data file and modify twenty-two existing files to align with organizational changes and updated legal requirements. The circular updates specific sections of these files, including data purposes, origins, and third-party transfers, while maintaining the reserved nature of information held in the performance of public functions. These modifications replace previous descriptions found in earlier circulars and ensure compliance with the Organic Law on Personal Data Protection.
Skip to main content.
VIEWING THE REGULATION
Index
Full Regulation
Regulation as of a Date
Current Regulation
Circular 4/2014, of July 30, of the Bank of Spain, creating and modifying files with personal data. (BOE of August 11)
The descriptions of the automated files with personal data existing at the Bank of Spain are collected in circulars 2/2005, of February 25; 4/2005, of December 23; 4/2008, of October 31; 1/2011, of January 26; 3/2012, of March 28, and 2/2013, of June 27, in compliance with Article 20 of Organic Law 15/1999, of December 13, on the protection of personal data, and Title V of the Regulation of said Organic Law 15/1999, approved by Royal Decree 1720/2007, of December 21, regarding the creation, modification, or suppression of files by Public Administrations.
Changes in the organizational structure of the Bank, as well as changes in the reference legislation, in some management processes, in the data collected for processing, and in the corresponding information systems, make it necessary to create a new file and modify 22 files.
The modifications of files with personal data collected in this circular affect files created or modified by circulars 2/2005, of February 25; 4/2005, of December 23; 4/2008, of October 31; 1/2011, of January 26; 3/2012, of March 28, and 2/2013, of June 27.
The descriptions of the 22 files that are modified appear in the annex of this circular. These descriptions replace those included in the circular of creation or last modification of the file, as applicable to each file.
Regardless of the potential data recipients listed in the sections "Transfers of personal data" and "Transfers of personal data to third countries," of the descriptions of the files managed by the Bank of Spain by virtue of the public functions entrusted to it by Law 13/1994, of June 1, and in accordance with Article 6 of Legislative Decree 1298/1986, of June 28, as amended by Law 37/1998, of November 16, the data, documents, and information held by the Bank of Spain by virtue of whatever functions laws entrust to it are confidential; however, they may be transferred to the authorities, bodies, or groups enumerated in paragraph 4 of said provision.
Likewise, and by virtue of paragraph 1 of the aforementioned article, the Bank of Spain may communicate information regarding the direction, management, and ownership of credit institutions, as well as that which may facilitate the control of their solvency and any other that may facilitate their supervision or serve to prevent, pursue, or sanction irregular conduct, to those authorities that have similar functions entrusted to them in foreign states.
For all the foregoing, the Bank of Spain, in exercise of the powers conferred by Law 13/1994, of June 1, on the Autonomy of the Bank of Spain, in accordance with the procedure provided therein, has established the following rules:
First Rule.
The file "Balance of Payments and Economic Transactions with the Outside" is modified in the sections "Purpose of the file and intended uses," "Origin of the data," "Groups or categories of interested parties," and "Transfers of personal data." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 4/2008 of the Bank of Spain, of October 31, updating Circular 2/2005, of February 25, on automated files with personal data managed by the Bank of Spain.
Second Rule.
The file "Central of Risk Information" is modified in the sections "Reference legislation," "Purpose of the file and intended uses," "Origin of the data," "Groups or categories of interested parties," "Basic structure of the file and types of personal data included in it," "Processing system," "Transfers of personal data," and "Transfers of personal data to third countries." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 4/2005 of the Bank of Spain, of December 23, updating Circular 2/2005, of February 25, on automated files with personal data managed by the Bank of Spain.
Third Rule.
The file "Declarations of the Bank of Spain Code of Conduct" is modified in the sections "Data Protection Officer of the file" and "Rights of access, rectification, cancellation, and opposition." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 3/2012 of the Bank of Spain, of March 28, creating, modifying, and suppressing files of personal data managed by the Bank of Spain.
Fourth Rule.
The file "Bank of Spain - Manager Entity of the Annotated Public Debt Market" is modified by changing its name to "Manager Entity of the Annotated Public Debt Market," and in the sections "Data Protection Officer of the file," "Reference legislation," "Purpose of the file and intended uses," "Groups or categories of interested parties," "Basic structure of the file and types of personal data included in it," "Processing system," and "Transfers of personal data." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 2/2005, of February 25, on automated files with personal data managed by the Bank of Spain.
Fifth Rule.
The file "Files of the Central of Risk Information" is modified in the sections "Reference legislation," "Purpose of the file and intended uses," "Groups or categories of interested parties," "Basic structure of the file and types of personal data included in it," "Processing system," "Transfers of personal data," and "Transfers of personal data to third countries." The description appearing in the Annex of this Circular replaces that of the file of the same name contained in the annex of Circular 4/2005 of the Bank of Spain, of December 23, updating Circular 2/2005, of February 25, on automated files with personal data managed by the Bank of Spain.
Sixth Rule.
The file "Sanctioning Files" is modified in the sections "Data Protection Officer of the file," "Rights of access, rectification, cancellation, and opposition," "Reference legislation," and "Processing system." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 2/2013 of the Bank of Spain, of June 27, creating and modifying files of personal data.
Seventh Rule.
The file "Management of Supervisory Activity" is modified in the sections "Data Protection Officer of the file," "Rights of access, rectification, cancellation, and opposition," "Purpose of the file and intended uses," "Origin of the data," and "Groups or categories of interested parties." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 4/2008 of the Bank of Spain, of October 31, updating Circular 2/2005, of February 25, on automated files with personal data managed by the Bank of Spain.
Eighth Rule.
The file "Management of Contracting" is modified in the section "Purpose of the file and intended uses." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 2/2013 of the Bank of Spain, of June 27, creating and modifying files of personal data.
Ninth Rule.
The file "Management of the Supervision Staff" is modified in the sections "Data Protection Officer of the file" and "Rights of access, rectification, cancellation, and opposition." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 1/2011 of the Bank of Spain, of January 26, on the creation, modification, and suppression of files with personal data managed by the Bank of Spain.
Tenth Rule.
The file "Information on Large Exposures" is created, whose description appears in the annex of this circular, and it is included among the files managed by the Bank of Spain by virtue of the public functions entrusted to it by Law 13/1994, of June 1, and other applicable legislation.
Eleventh Rule.
The file "Members of Supervisor Colleges" is modified in the sections "Data Protection Officer of the file," "Rights of access, rectification, cancellation, and opposition," and "Type of file." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 3/2012 of the Bank of Spain, of March 28, creating, modifying, and suppressing files of personal data managed by the Bank of Spain.
Twelfth Rule.
The file "Current Account Operations and Deposit of Securities" is modified in the sections "Data Protection Officer of the file," "Purpose of the file and intended uses," "Type of file," "Groups or categories of interested parties," "Basic structure of the file and types of personal data included in it," "Processing system," "Transfers of personal data," and "Transfers of personal data to third countries." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 2/2005, of February 25, on automated files with personal data managed by the Bank of Spain.
The "Transfers of personal data to third countries" refer to financial entities of third countries within the geographic scope of the Single Euro Payments Area (SEPA) and are carried out with the prior consent of the affected party, in accordance with Article 34(e) of Organic Law 15/1999, of December 13.
Thirteenth Rule.
The file "Cash Operations" is modified in the section "Transfers of personal data." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 3/2012 of the Bank of Spain, of March 28, creating, modifying, and suppressing files of personal data managed by the Bank of Spain.
Fourteenth Rule.
The file "Suppliers and Cash Professionals" is modified in the sections "Data Protection Officer of the file" and "Transfers of personal data." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 1/2011 of the Bank of Spain, of January 26, on the creation, modification, and suppression of files with personal data managed by the Bank of Spain.
Fifteenth Rule.
The file "Complaints Service" is modified by changing its name to "Complaints, Complaints, and Inquiries," and in the sections "Data Protection Officer of the file," "Rights of access, rectification, cancellation, and opposition," "Reference legislation," "Purpose of the file and intended uses," "Origin of the data," "Transfers of personal data," and "Transfers of personal data to third countries." The description appearing in the annex of this circular replaces that of the file named "Complaints Service," which appears in the annex of Circular 1/2011 of the Bank of Spain, of January 26, on the creation, modification, and suppression of files with personal data managed by the Bank of Spain.
Sixteenth Rule.
The file "Register of Agents of Credit and Payment Entities" is modified by changing its name to "Register of Agents of Credit Entities, Electronic Money Entities, and Payment Entities," and in the sections "Data Protection Officer of the file," "Rights of access, rectification, cancellation, and opposition," "Reference legislation," "Purpose of the file and intended uses," "Basic structure of the file and types of personal data included in it," and "Transfers of personal data to third countries." The description appearing in the annex of this circular replaces that of the file named "Register of Agents of Credit and Payment Entities," which appears in the annex of Circular 2/2013 of the Bank of Spain, of June 27, creating and modifying files of personal data.
Seventeenth Rule.
The file "Register of Incoming and Outgoing Documents" is modified in the sections "Data Protection Officer of the file," "Rights of access, rectification, cancellation, and opposition," "Reference legislation," and "Basic structure of the file and types of personal data included in it." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 3/2012 of the Bank of Spain, of March 28, creating, modifying, and suppressing files of personal data managed by the Bank of Spain.
Eighteenth Rule.
The file "Register of Professionals Linked to Valuation Companies Supervised by the Bank of Spain" is modified in the sections "Data Protection Officer of the file," "Rights of access, rectification, cancellation, and opposition," "Reference legislation," "Groups or categories of interested parties," "Basic structure of the file and types of personal data included in it," and "Transfers of personal data." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 1/2011 of the Bank of Spain, of January 26, on the creation, modification, and suppression of files with personal data managed by the Bank of Spain.
Nineteenth Rule.
The file "Register of Customer Service and Ombudsman Services" is modified in the sections "Data Protection Officer of the file," "Rights of access, rectification, cancellation, and opposition," "Purpose of the file and intended uses," and "Basic structure of the file and types of personal data included in it." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 1/2011 of the Bank of Spain, of January 26, on the creation, modification, and suppression of files with personal data managed by the Bank of Spain.
Twentieth Rule.
The file "Register of Holders of Establishments Open to the Public for Foreign Currency Exchange" is modified in the sections "Data Protection Officer of the file," "Rights of access, rectification, cancellation, and opposition," "Reference legislation," "Transfers of personal data," and "Transfers of personal data to third countries." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 1/2011 of the Bank of Spain, of January 26, on the creation, modification, and suppression of files with personal data managed by the Bank of Spain.
Twenty-First Rule.
The file "Official Registers of Senior Management of Entities Registered at the Bank of Spain" is modified in the sections "Data Protection Officer of the file," "Rights of access, rectification, cancellation, and opposition," "Reference legislation," "Purpose of the file and intended uses," "Basic structure of the file and types of personal data included in it," and "Transfers of personal data." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 1/2011 of the Bank of Spain, of January 26, on the creation, modification, and suppression of files with personal data managed by the Bank of Spain.
Twenty-Second Rule.
The file "Company Medical Services" is modified in the section "Transfers of personal data" to indicate the obligation to communicate health damages to prevention delegates, established by Law 31/1995, of November 8, on the Prevention of Occupational Risks. The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 3/2012 of the Bank of Spain, of March 28, creating, modifying, and suppressing files of personal data managed by the Bank of Spain.
Twenty-Third Rule.
The file "Commercial Companies: Shareholders, Claimants, and Affected Parties" is modified in the sections "Data Protection Officer of the file," "Rights of access, rectification, cancellation, and opposition," "Purpose of the file and intended uses," "Groups or categories of interested parties," "Basic structure of the file and types of personal data included in it," "Transfers of personal data," and "Transfers of personal data to third countries." The description appearing in the annex of this circular replaces that of the file of the same name contained in the annex of Circular 4/2008 of the Bank of Spain, of October 31, updating Circular 2/2005, of February 25, on automated files with personal data managed by the Bank of Spain.
Final Rule.
This circular shall enter into force on the day of its publication in the Official State Bulletin.
FILE
Balance of Payments and Economic Transactions with the Outside
File Manager:
Bank of Spain.
Data Protection Officer of the file:
Statistics Department.
Rights of access, rectification, cancellation, and opposition:
Statistics Department.
C/ Alcalá, 48.
28014 Madrid.
Reference Legislation:
Law 19/2003, of July 4 (BOE, of July 5).
Royal Decree 1816/1991, of December 20 (BOE, of December 27).
Type of File:
Managed by the Bank of Spain by virtue of the public functions entrusted to it by Law 13/1994, of June 1.
Purpose of the file and intended uses:
Preparation of the Balance of Payments, the International Investment Position, and other statistics requested by international organizations. Supervision of external receipts, payments, and transfers.
Type of purpose and intended uses of the file:
Accounting, tax, and administrative management.
Public statistical function.
Administrative procedure.
Origin of the data:
The interested party themselves or their legal representative.
Private entity.
Public Administrations.
Groups or categories of interested parties:
Citizens and residents.
Taxpayers and obligated subjects.
Other groups: holders of transactions with the outside.
Basic structure of the file and types of personal data included in it:
Specially protected data:
Does not include data of this type.
Regarding the commission of infractions:
Data relating to administrative infractions.
Identifying personal data:
Tax ID Card (NIF/DNI).
Name and surname.
Address.
Telephone.
Signature.
Electronic signature.
Other identifying data: position held within the company.
Other classified data:
Economic, financial, and insurance data.
Transactions of goods and services.
Processing System:
Mixed.
Security Measures:
Medium level.
Transfers of personal data:
Public Treasury and Tax Administration.
Other bodies of the State Administration.
Others: Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (Sepblac).
Transfers of personal data to third countries:
No data transfers are planned.
FILE
Central of Risk Information
File Manager:
Bank of Spain.
Data Protection Officer of the file:
Financial Information and Risk Central Department.
Rights of access, rectification, cancellation, and opposition:
Financial Information and Risk Central Department.
C/ Alcalá, 48.
28014 Madrid.
Reference Legislation:
Law 44/2002, of November 22, on measures to reform the financial system, Chapter VI (BOE of November 23).
Order ECO/697/2004, of March 11, on the Central of Risk Information, modified by Order ECO/747/2013, of April 25 (BOE of May 6).
Order ECO/708/2004, of March 11, determining the status of declaring entity for the CIR of the Bank of Spain for the State Anonima Agrarian Guarantee Company.
Circular 3/1995, of September 25, of the Bank of Spain, to credit institutions, on the Central of Risk Information, and subsequent modifications.
Type of File:
Managed by the Bank of Spain by virtue of the public functions entrusted to it by Law 13/1994, of June 1, and other applicable legislation.
Purpose of the file and intended uses:
Generation of risk reports, registration and control of rectification and cancellation rights that applicants exercise regarding the data appearing in the Central of Risk Information.
To provide declaring entities with data necessary for the exercise of their activities.
To provide the Bank of Spain with the prudential supervision of credit institutions and other functions entrusted by Law to said institution.
Type of purpose and intended uses of the file:
Public economic-financial management.
Statistical, historical, or scientific purposes.
Other purposes.
Origin of the data:
Private entity.
The interested party themselves or their legal representative.
Groups or categories of interested parties:
Citizens and residents.
Legal representatives.
Applicants.
Other groups.
Basic structure of the file and types of personal data included in it:
Specially protected data:
Does not include data of this type.
Regarding the commission of infractions:
Does not include data of this type.
Identifying personal data:
Tax ID Card (NIF/DNI).
Name and surname.
Address.
Signature/fingerprint.
Image/voice.
Electronic signature.
Other identifying data: location.
Other classified data:
Personal characteristics.
Processing System:
Mixed.
Security Measures:
Medium level.
Transfers of personal data:
Credit institutions.
Other financial entities.
Legitimate interested parties.
Judicial bodies.
Court of Auditors or equivalent autonomous bodies.
Other bodies of the State Administration.
European Union bodies.
Transfers of personal data to third countries:
No data transfers are planned.
FILE
Declarations of the Bank of Spain Code of Conduct
File Manager:
Bank of Spain.
Data Protection Officer of the file:
General Secretariat.
Rights of access, rectification, cancellation, and opposition:
General Secretariat.
C/ Alcalá, 48.
28014 Madrid.
Reference Legislation:
Organic Law 15/1999, of December 13, on the protection of personal data.
Royal Decree 1720/2007, of December 21, approving the Regulation of Organic Law 15/1999.
Type of File:
Managed by the Bank of Spain by virtue of the public functions entrusted to it by Law 13/1994, of June 1, and other applicable legislation.
Purpose of the file and intended uses:
Management of declarations made by entities adhering to the Bank of Spain Code of Conduct.
Type of purpose and intended uses of the file:
Administrative management.
Origin of the data:
The interested party themselves or their legal representative.
Groups or categories of interested parties:
Entities adhering to the Code of Conduct.
Basic structure of the file and types of personal data included in it:
Specially protected data:
Does not include data of this type.
Regarding the commission of infractions:
Does not include data of this type.
Identifying personal data:
Tax ID Card (NIF/DNI).
Name and surname.
Address.
Telephone.
Signature.
Electronic signature.
Other identifying data: position held within the company.
Other classified data:
Does not include data of this type.
Processing System:
Electronic.
Security Measures:
High level.
Transfers of personal data:
Does not include data of this type.
Transfers of personal data to third countries:
No data transfers are planned.