Authorisations, fit and proper assessments and senior officers’ register


Processing of authorisations of supervised institutions, fit and proper assessments and registrations with the Senior Officers Register in accordance with the applicable regulations. Notwithstanding the above, the following particularities shall apply to significant institutions subject to the Single Supervisory Mechanism (SSM):

  • For the processing of authorisations, the Banco de España shall act as joint controller with the European Central Bank, in accordance with the distribution of responsibilities set forth in Part V of the SSM Framework Regulation.
  • For the processing of fit and proper assessments, the Banco de España shall act as a data processor on behalf of the European Central Bank, in accordance with the distribution of responsibilities set forth in Part VI of the SSM Framework Regulation except in the following scenarios, where the Banco de España shall act as a separate controller:
    • to keep the Senior Officers Register up to date; and
    • to cross-check the consistency of the data provided for candidates on future fit and proper assessments of institutions subject to the supervision of the Banco de España outside the scope of the SSM.

Legal basis

Performance of a task carried out in the public interest or in the exercise of official authority vested in the Banco de España pursuant to:

  • Law 10/2014, of 26 June, on the regulation, supervision and solvency of credit institutions
  • Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions
  • Regulation (EU) No 468/2014 of the European Central Bank of 16 April 2014 establishing the framework for cooperation within the Single Supervisory Mechanism between the European Central Bank and national competent authorities and with national designated authorities (SSM Framework Regulation)
  • Law 13/1989, of 26 May, on Credit Cooperatives
  • Law 1/1994, of 11 March, on the legal statute of mutual guarantee institutions
  • Law 5/2015, of 27 April, on the promotion of business financing
  • Royal Decree-Law 19/2018, of 23 November, on payment services and other urgent financial measures
  • Law 21/2011, of 26 July, on electronic money
  • Law 2/1981, of 25 March 1981, on the Regulation of the Mortgage Market
  • Law 5/2019, of 15 March, regulating real estate credit contracts
  • Law 13/1996, of 30 December 1996, on tax, administrative and social measures
  • Law 26/2013, of 27 December, on savings banks and banking foundations.
  • Law 10/2010, of 28 April, on prevention of money laundering and terrorist financing

Categories of data subjects

  • Legal representatives
  • Contact persons
  • Senior Officers undergoing suitability assessment
  • Offending subjects unfit to hold senior positions
  • Promoters
  • Shareholders with significant holdings
  • People with whom the institution has close ties
  • Persons without a position registrable in the Senior Officers’ Register who must be registered in order to record the annotation of disqualification ordered by a Court or Tribunal
  • Providers engaged in exchange services between virtual currencies and fiat currencies as well as custodian wallet providers

 Categories of personal data

  • Identification details: complete name, ID number, passport or resident card number
  • Contact details: email address, postal address, personal address for notification purposes, phone number
  • Academic and professional details: professional background, corporate position and, where applicable, registration as a self-employed worker
  • Economic and financial details: remuneration, bank accounts and transactions, financial information
  • Other personal characteristics: nationality, date and place of birth
  • Other details: data relating to the commission of administrative offenses, existence of relevant criminal and/or enforcement investigations, debarments, disqualifications

Retention period

Data shall be retained for the time necessary to fulfil the purpose for which they were collected and to allocate any liability arising from said purpose and from the processing of the data.

Security measures

Security measures provided for in Annex II of Royal Decree 3/2020, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration.


  • Spanish Stock Exchange Commission (CNMV)
  • ECB and other national competent authorities
  • Courts of Justice
  • Other competent public authorities

International transfers of data

National competent authorities outside the EEA for important reasons of public interest (article 49.1.d) of the GDPR)

Data controller

Banco de España
NIF: Q2802472G

In cases provided for in purpose section:

European Central Bank

Data Protection Officer

Division of Governance and Transparency
Contact formOpens in new window

European Central Bank: Send email: Opens in new window

Exercise of rights and complaints

Regarding processing activities where Banco de España is data controller, you can check whether it is mandatory for you to provide your personal data, as well as the procedure to exercise your rights, withdraw your consent if applicable and lodge a complaint before the Data Protection Officer or the Spanish Data Protection Agency at Banco de España Privacy Policy

Regarding processing activities where the European Central Bank is data controller, you can check this information at European Central Bank Privacy Statement in relation to SSMOpens in new window

Previous Processing of petitions and... Next Social benefits for employe...