Cybersecurity assessment and control procedure


  • Detection, analysis and handling of events relating to access to and use of Banco de España's information systems by individuals
  • Carrying out security audits: ethical hacking, vulnerability analysis
  • Activities related to awareness plans
  • Prevention and investigation of breaches by individuals of the regulations applicable to Banco de España, including employment regulations

Legal basis

  • Compliance with a legal obligation to which the controller is subject pursuant to:
    1. Directive (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
    2. Royal Decree-Law 12/2018, of 7 September, on network and information systems security.
  • Performance of a contract to which the data subject is party.

Categories of data subjects

  • Employees
  • Students/trainees
  • Other staff providing services to Banco de España
  • Visitors using Banco de España’s information systems

Categories of personal data

  • Identification data: Name, surname, ID number, user code, personal register number, electronic signature
  • Contact data: E-mail
  • Professional and academic data: Administrative unit
  • Technological data: IP address, logs, etc.

Retention period

Personal data shall be retained for the time necessary to fulfil the purpose for which they were collected and to allocate any liability arising from said purpose and from the processing of the data.

Security measures

Security measures provided for in Annex II of Royal Decree 3/2020, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration.


  • Courts of Justice
  • Other competent public authorities

International transfer of data


Data controller

Banco de España
NIF: Q2802472G

Data Protection Officer

Division of Governance and Transparency
Contact form