Financial IT innovation projects (Sandbox)


  • Pre-assess applications for technological innovation projects applicable to the financial system submitted by promoters in order to access to the sandbox.
  • Sign and execute the testing protocol with the promoters of projects that receive a favorable pre-assessment.
  • Supervise, in a controlled environment, the testing of projects that provide a technology-based innovation applicable to the financial system and manage their exit and possible access gateway to the activity provided for in Article 18 of Law 7/2020.
  • Respond to queries on technological innovation applied to the provision of financial services (art. 20 of Law 7/2020).

Legal basis

  • Consent given by test participants to the processing of their personal data.
  • Performance of a contract to which the data subject is a party.
  • Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller pursuant to Law 7/2020, of 13 November, for the transformation of the financial system.

Categories of data subjects

  • Participants who are natural persons or representatives of participants who are legal entities.
  • Promoters, associates of promoters or representatives of both provided that they are natural persons.
  • Natural persons or representatives of legal persons carrying out consultations provided for in Article 20 of Law 7/2020.

Categories of personal data

  • Identification details: Name, surname, ID number
  • Contact details: E-mail, postal address and telephone.
  • Professional and academic data: Professional position, company, representation details.
  • Economic and financial data: Financial information of the participants derived from the tests carried out in the sandbox.
  • Personal characteristics data: Nationality and age.
  • Technological data: IP address, logs, etc.

Retention period

Data shall be retained for the time necessary to fulfil the purpose for which they were collected and to allocate any liability arising from said purpose and from the processing of the data.

Security measures

Security measures provided for in Annex II of Royal Decree 3/2020, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration.


  • Sandbox supervisory authorities (CNMV and DGSFP)
  • Spanish Data Protection Authority (AEPD)
  • Other competent public authorities, including authorities of other Member States participating in cross-border tests
  • Courts of Justice

International transfers of data


Data controller

Banco de España
NIF: Q2802472G

Data Protection Officer

Division of Governance and Transparency:
Contact formOpens in new window

Exercise of rights and complaints

You can check whether it is mandatory for you to provide your personal data, as well as the procedure to exercise your rights, withdraw your consent if applicable and lodge a complaint before the Data Protection Officer or the Spanish Data Protection Agency at our Privacy Policy

Previous Proceedings handled by the... Next Market conduct claims, comp...