LogoRegulatory Alerts
2012-03-28

Circular 3/2012 of the Bank of Spain on the creation, modification, and suppression of personal data files

The Bank of Spain issued Circular 3/2012 to update its personal data registry by creating four new files, modifying six existing ones, and suppressing two others in compliance with Spanish data protection laws. The circular establishes specific purposes, data categories, and security measures for files ranging from personnel administration to public supervision and cash operations. It mandates that the descriptions in the annex replace previous records for modified files and enters into force upon publication in the Official State Bulletin.

Banco de Espana logo

Spain

Banco de Espana

Click to view thumbnail

VISUALIZATION OF THE REGULATION

Index

  • Full Regulation
  • Regulation as of a Date
  • Current Regulation

Circular 3/2012, of March 28, of the Bank of Spain, by which personal data files managed by the Bank of Spain are created, modified, and suppressed. (BOE of April 7)

The descriptions of the automated files with personal data existing in the Bank of Spain are collected in Circulars 2/2005, of February 25; 4/2005, of December 23; 4/2008, of October 31, and 1/2011, of January 26, in compliance with what is provided in Article 20 of Organic Law 15/1999, of December 13, on the protection of personal data, and in Title V of the Regulation of said Organic Law 15/1999, approved by Royal Decree 1720/2007, of December 21, on the creation, modification, or suppression of files of Public Administrations.

The change in regulations regarding a file, as well as changes in the organizational structure of the Bank of Spain and in management processes, make it necessary to create four files, modify six more files, and finally suppress two files.

The modifications and suppressions of files with personal data collected in this Circular affect files created or modified by Circulars 2/2005, of February 25; 4/2008, of October 31, and 1/2011, of January 26.

The descriptions of all files that are created or modified appear in the annex of this Circular. For those files that are modified, this description replaces the corresponding description included in the circular of creation or last modification of the file, as applicable to each file.

For all the foregoing, the Bank of Spain, in exercise of the powers conferred upon it by Law 13/1994, of June 1, on the autonomy of the Bank of Spain, in accordance with the procedure provided therein, has established the following rules:

First Rule.

The "Personnel Administration" file is modified in the sections "Purpose of the file and intended uses," "Basic structure of the file and types of data," and "Security measures." This file contains health and union affiliation data, in the format and with the exclusive purpose indicated in Article 81 of the Regulation developing Organic Law 15/1999, of December 13, on the protection of personal data.

Second Rule.

The "Union Affairs and Social Benefits" and "Declarations of the Bank of Spain Code of Conduct" files are modified in the section "Purpose of the file and intended uses."

Third Rule.

The "Integrated Management of the Legal Department" and "Use of Data Display Screens" files are created, whose descriptions, which appear in the annex of this Circular, are incorporated into Annex II, "Internal or Operational Files," of Circular 2/2005, of February 25, "Automated files with personal data managed by the Bank of Spain."

Fourth Rule.

The "Occupational Risk Prevention" file is suppressed. The data from this file have been incorporated into the "Use of Data Display Screens" file, created by this Circular.

Fifth Rule.

The "Document Entry and Exit Register" file is modified in the sections "Reference regulations," "Purpose of the file and intended uses," "Origin of the data," and "Basic structure of the file and types of data."

Sixth Rule.

The "Company Medical Services" file is modified in the sections "Purpose of the file and intended uses," "Origin of the data," "Interested parties or categories," "Basic structure of the file and types of data," "Treatment system," and "Transfers of personal data."

Seventh Rule.

The "Members of Supervisor Colleges" and "Public Key Infrastructure - European System of Central Banks" files are created, whose descriptions, which appear in the annex of this Circular, are incorporated into Annex I, "Files managed by the Bank of Spain by virtue of the public functions entrusted to it by Law 13/1994, of June 1, and other applicable legislation," of Circular 2/2005, of February 25, "Automated files with personal data managed by the Bank of Spain."

Eighth Rule.

The file "Certain Cash Operations" is modified by changing its name to "Cash Operations" and in the sections "Reference regulations," "Purpose of the file and intended uses," and "Transfers of personal data."

Ninth Rule.

The "Foreign Currency Changes" file is suppressed. The data from this file have been incorporated into the "Cash Operations" file, modified by this Circular.

Final Rule.

This Circular will enter into force on the day of its publication in the Official State Bulletin.

ANNEX

File: Personnel Administration

File Manager: Bank of Spain.

Data Protection Officer for the file: Division of Administration and Occupational Risk Prevention.

Rights of access, rectification, cancellation, and opposition: Division of Administration and Occupational Risk Prevention. C/ Alcalá, 48. 28014 Madrid.

Type of file: Internal or operational.

Purpose of the file and intended uses: Personnel administration; hiring and termination of employees; payments to active employees, early retirees, and pensioners; Social Security, and insurance management.

Type of purpose and intended uses of the file:

  • Human resources.
  • Payroll management.
  • Other purposes: management of presence and settlement of expenses for service commission.

Origin of the data:

  • The interested party themselves or their legal representative.
  • Public Administrations.

Interested parties or categories:

  • Employees.
  • Beneficiaries.
  • Other groups: collaborators of the Bank of Spain.

Basic structure of the file and types of personal data included in it:

  • Specially protected data:
    • Union affiliation.
    • Health.
  • Regarding the commission of offenses:
    • Does not include data of this type.
  • Identifying data:
    • NIF/DNI (Tax ID/ID Card).
    • SS/Mutualidad Number (Social Security/Mutual Fund Number).
    • Personnel registration number.
    • Name and Surname.
    • Address.
    • Telephone.
    • Image/Voice.
    • Electronic Signature.
    • Health Card.
    • Other identifying data: email address, place and date of birth, age, nationality.
  • Other classified data:
    • Personal circumstances.
    • Social circumstances.
    • Academic and professional.
    • Employment details.
    • Economic, financial, and insurance.

Treatment system: Mixed.

Security measures: Medium level.

Transfers of personal data:

  • Social Security bodies.
  • Public Treasury and Tax Administration.
  • Judicial bodies.
  • Other bodies of the State Administration.
  • Unions and personnel boards.
  • Sports clubs and federations.
  • Associations and non-profit organizations.
  • Credit entities.
  • Insurance entities.
  • Others: social foresight mutual fund, pension funds, mutual funds for work accidents and occupational diseases.

Transfers of personal data to third countries: No transfers of data are planned.

File: Union Affairs and Social Benefits

File Manager: Bank of Spain.

Data Protection Officer for the file: Division of Labor Relations and Employee Attention.

Rights of access, rectification, cancellation, and opposition: Division of Labor Relations and Employee Attention. C/ Alcalá, 48. 28014 Madrid.

Type of file: Internal or operational.

Purpose of the file and intended uses: Management of union permissions, hours, and appointments, union affiliation, hearing process for union affiliates and electoral processes (union and for personnel representative on the Board of Governors), and management of social benefits (loans, advances, and free time).

Type of purpose and intended uses of the file:

  • Human resources.
  • Other purposes: management of social benefits, union management.

Origin of the data:

  • The interested party themselves or their legal representative.

Interested parties or categories:

  • Employees.
  • Beneficiaries.
  • Other groups: collaborators of the Bank of Spain.

Basic structure of the file and types of personal data included in it:

  • Specially protected data:
    • Union affiliation.
  • Regarding the commission of offenses:
    • Does not include data of this type.
  • Identifying data:
    • NIF/DNI.
    • SS/Mutualidad Number.
    • Personnel registration number.
    • Name and Surname.
    • Address.
    • Telephone.
    • Electronic Signature.
  • Other classified data:
    • Personal circumstances.
    • Social circumstances.
    • Employment details.
    • Economic, financial, and insurance.
    • Transactions of goods and services.
    • Other types of data: union option represented, union position.

Treatment system: Mixed.

Security measures: High level.

Transfers of personal data:

  • Public registers.
  • Judicial bodies.
  • Other bodies of the State Administration.
  • Unions and personnel boards.
  • Professional colleges.
  • Public Treasury and Tax Administration.
  • Notaries, lawyers, and solicitors.
  • Sports clubs and federations.
  • Credit entities.
  • Legitimate interested parties.
  • Insurance entities.
  • Others: presidents of electoral boards and other members of the boards, mutual funds and pension funds, valuation entities, companies concessioned for the management of residences and self-service areas, companies managing food vouchers, travel agencies, and companies organizing leisure activities.

Transfers of personal data to third countries: No transfers of data are planned.

File: Declarations of the Bank of Spain Code of Conduct

File Manager: Bank of Spain.

Data Protection Officer for the file: Internal Audit Department.

Rights of access, rectification, cancellation, and opposition: Internal Audit Department. C/ Alcalá, 48. 28014 Madrid.

Type of file: Internal or operational.

Purpose of the file and intended uses: Archive of declarations made by Bank of Spain employees who are considered, according to the Bank's own code of conduct, to have access to privileged information, so that, when there are justified reasons, they can be used to monitor compliance with the obligations derived from it.

Type of purpose and intended uses of the file:

  • Other purposes.

Origin of the data:

  • The interested party themselves or their legal representative.

Interested parties or categories:

  • Employees.

Basic structure of the file and types of personal data included in it:

  • Specially protected data:
    • Does not include data of this type.
  • Regarding the commission of offenses:
    • Does not include data of this type.
  • Identifying data:
    • NIF/DNI.
    • Personnel registration number.
    • Name and Surname.
  • Other classified data:
    • Employment details.
    • Economic, financial, and insurance.
    • Transactions of goods and services.
    • Other types of data: observations that the declarant considers necessary to point out regarding holdings or operations.

Treatment system: Mixed.

Security measures: Medium level.

Transfers of personal data: No transfers of data are planned.

Transfers of personal data to third countries: No transfers of data are planned.

File: Integrated Management of the Legal Department

File Manager: Bank of Spain.

Data Protection Officer for the file: Legal Department.

Rights of access, rectification, cancellation, and opposition: Legal Department. C/ Alcalá, 48. 28014 Madrid.

Type of file: Internal or operational.

Purpose of the file and intended uses: Management of matters in which the Legal Department intervenes.

Type of purpose and intended uses of the file:

  • Other purposes.

Origin of the data:

  • The interested party themselves or their legal representative.
  • Other natural persons.
  • Private entities.
  • Public Administrations.

Interested parties or categories:

  • Legal representatives.
  • Contact persons.

Basic structure of the file and types of personal data included in it:

  • Specially protected data:
    • Does not include data of this type.
  • Regarding the commission of offenses:
    • Does not include data of this type.
  • Identifying data:
    • NIF/DNI.
    • Name and Surname.
    • Address.
    • Telephone.
  • Other classified data:
    • Transactions of goods and services.
    • Other types of data: those occasionally provided by the interested parties themselves.

Treatment system: Mixed.

Security measures: Basic level.

Transfers of personal data: No transfers of data are planned.

Transfers of personal data to third countries: No transfers of data are planned.

File: Public Key Infrastructure - European System of Central Banks

File Manager: Bank of Spain.

Data Protection Officer for the file: Information Systems Department.

Rights of access, rectification, cancellation, and opposition: Information Systems Department. C/ Alcalá, 48. 28014 Madrid.

Reference regulations: Law 59/2003, of December 19, on electronic signatures.

Type of file: Managed by the Bank of Spain by virtue of the public functions entrusted to it by Law 13/1994, of June 1.

Purpose of the file and intended uses: Registration and management of electronic certificates issued by the Public Key Infrastructure of the European System of Central Banks and provision by the Bank of Spain of electronic certification services.

Type of purpose and intended uses of the file:

  • Provision of electronic certification services.

Origin of the data:

  • The interested party themselves or their legal representative.

Interested parties or categories:

  • Employees.

Basic structure of the file and types of personal data included in it:

  • Specially protected data:
    • Does not include data of this type.
  • Regarding the commission of offenses:
    • Does not include data of this type.
  • Identifying data:
    • NIF/DNI.
    • Personnel registration number.
    • Name and Surname.
    • Signature/Fingerprint.
    • Electronic Signature.
    • Other identifying data: email, user code, date of birth, place of birth.
  • Other classified data:
    • Other types of data: company.

Treatment system: Mixed.

Security measures: Basic level.

Transfers of personal data:

  • Others: European Central Banks.

Transfers of personal data to third countries: No transfers of data are planned.

File: Members of Supervisor Colleges

File Manager: Bank of Spain.

Data Protection Officer for the file: Supervision Planning.

Rights of access, rectification, cancellation, and opposition: Supervision Planning. C/ Alcalá, 48. 28014 Madrid.

Type of file: Managed by the Bank of Spain by virtue of the public functions entrusted to it by Law 13/1994, of June 1.

Purpose of the file and intended uses: To identify the persons who are members of the supervisor colleges for which the General Directorate of Supervision is responsible, to facilitate communication among them.

Type of purpose and intended uses of the file:

  • Other purposes.

Origin of the data:

  • The interested party themselves or their legal representative.

Interested parties or categories:

  • Other groups: employees of supervisory bodies who participate as members in any of the supervisor colleges under the responsibility of the General Directorate of Supervision.

Basic structure of the file and types of personal data included in it:

  • Specially protected data:
    • Does not include data of this type.
  • Regarding the commission of offenses:
    • Does not include data of this type.
  • Identifying data:
    • Name and Surname.
    • Address.
    • Telephone.
    • Image/Voice.
    • Other identifying data: country, supervisory body, position, supervisor college.

Treatment system: Mixed.

Security measures: Medium level.

Transfers of personal data: No transfers of data are planned.

Transfers of personal data to third countries: No transfers of data are planned.

File: Cash Operations

File Manager: Bank of Spain.

Data Protection Officer for the file: Issuance and Cash Department. Bank of Spain Branches.

Rights of access, rectification, cancellation, and opposition: Issuance and Cash Department. C/ Alcalá, 48. 28014 Madrid.

Reference regulations: Order EHA/1439/2006, of May 3, regulating the declaration of payment instrument movements in the context of anti-money laundering prevention. Order EHA/98/2010, of January 25, approving model 171, for the annual informative declaration of deposits, withdrawals of funds, and collections of any document, as well as the physical and logical designs for presentation on media directly readable by computer, and establishing the conditions and procedure for their telematic presentation. Law 58/2003, of December 17, General Tax Law, art. 135, Contradictory expert appraisal.

Type of file: Managed by the Bank of Spain by virtue of the public functions entrusted to it by Law 13/1994, of June 1.

Purpose of the file and intended uses: Administrative and accounting management of cash movements, deposits of diverse typology, foreign currency buy/sell operations, exchange of pesetas for euros, and various circumstances related to banknotes and coins (appraisals, differences, remittances, and exchanges), communication of operations in the context of anti-money laundering prevention.

Type of purpose and intended uses of the file:

  • Accounting, tax, and administrative management.
  • Other purposes.

Origin of the data:

  • The interested party themselves or their legal representative.
  • Private entities.
  • Public Administrations.

Interested parties or categories:

  • Employees.
  • Citizens and residents.
  • Legal representatives.
  • Applicants.
  • Other groups (experts for whose work deposits are made).

Basic structure of the file and types of personal data included in it:

  • Specially protected data:
    • Does not include data of this type.
  • Regarding the commission of offenses:
    • Does not include data of this type.
  • Identifying data:
    • NIF/DNI.
    • Personnel registration number.
    • Name and Surname.
    • Address.
    • Telephone.
    • Signature.
    • Other identifying data (resident card, passport, email address).
  • Other classified data:
    • Personal characteristics.
    • Academic and professional.
    • Economic, financial, and insurance.
    • Transactions of goods and services.
    • Other types of data (operation data).

Treatment system: Mixed.

Security measures: Medium level.

Transfers of personal data:

  • Public Treasury and Tax Administration.
  • Security forces and bodies.
  • Others: Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses.

Transfers of personal data to third countries: No transfers of data are planned.

File: Document Entry and Exit Register

File Manager: Bank of Spain.

Data Protection Officer for the file: Technical Secretariat Department.

Rights of access, rectification, cancellation, and opposition: Technical Secretariat Department. C/ Alcalá, 48. 28014 Madrid.

Reference regulations: Internal Circular 2/2010, of December 22, of the General Register, and, under the terms established in the fourth rule of said Circular, articles 38 and concordant articles of Law 30/1992, of November 26, on the legal regime of Public Administrations and the common administrative procedure.

Type of file: Internal or operational.

Purpose of the file and intended uses: Management of document entries and exits in the registers comprising the Bank of Spain's Single General Register System, by noting the entry of requests, writings, and communications addressed to the Bank of Spain presented by third parties, and noting the exit of requests, writings, and communications addressed by any body, unit, or service of the Bank of Spain to other bodies, entities, or individuals.

Type of purpose and intended uses of the file:

  • Administrative procedure.
  • Statistical, historical, or scientific purposes.
  • Other purposes: management of entries or exits of documents noted in the General Register of the Bank of Spain and certification of register acts to respond to queries from users or interested third parties.

Origin of the data:

  • The interested party themselves or their legal representative.
  • Private entities.
  • Public Administrations.

Interested parties or categories:

  • Other groups: senders and recipients of documents registered in the General Register of the Bank of Spain.

Basic structure of the file and types of personal data included in it:

  • Specially protected data:
    • Does not include data of this type.
  • Regarding the commission of offenses:
    • Does not include data of this type.
  • Identifying data:
    • NIF/DNI.
    • Name and Surname.
    • Address.
    • Telephone.
  • Other classified data:
    • Other types of data: subject, brief reference to the generic content of the requests, writings, and communications that are registered, the documentation, packages, or objects accompanying them, and the procedure carried out.

Treatment system: Automated.

Security measures: Basic level.

Transfers of personal data: No transfers of data are planned.

Transfers of personal data to third countries: No transfers of data are planned.

File: Company Medical Services

File Manager: Bank of Spain.

Data Protection Officer for the file: Occupational Risk Prevention Service.

Rights of access, rectification, cancellation, and opposition: Occupational Risk Prevention Service. C/ Alcalá, 48. 28014 Madrid.

Type of file: Internal or operational.

Purpose of the file and intended uses: Management and monitoring of employee health surveillance.

Type of purpose and intended uses of the file:

  • Occupational risk prevention.
  • Clinical history.
  • Other purposes: investigation and management of work accidents.

Origin of the data:

  • The interested party themselves or their legal representative.

Interested parties or categories:

  • Employees.

Basic structure of the file and types of personal data included in it:

  • Specially protected data:
    • Health.
  • Regarding the commission of offenses:
    • Does not include data of this type.
  • Identifying data:
    • NIF/DNI.
    • SS/Mutualidad Number.
    • Personnel registration number.
Share