Back

Records of data processing activities

Payments supervision

Purpose

  • Supervision of payment entities, account information service provider entities and electronic money entities, as well as the rest of the payment service providers regarding the provision of such services; verification of compliance with Regulation (EU) No. 2015/751, on exchange rates applied to card payment operations, and management of disciplinary proceedings.
  • Management of serious security operational incidents reported by payment service providers.
  • Assessment of secure corporate payment processes and protocols
  • Processing and resolution of complaints of violations of the rules of management and discipline required of payment service providers.
  • Resolution of queries to payment service providers on the application of authentication standards and management of operational and security risks related to the provision of payment services.

Legal basis

Compliance with a legal obligation applicable to the controller, provided for in the following regulations:

  • Law 13/1994, of June 1, on the autonomy of the Banco de España
  • Directive (EU) 2015/2366 of the European Parliament and of the Council of November 25, 2015 on payment services in the internal market (PSD2);
  • Royal Decree-Law 19/2018, of November 23, on payment services and other urgent measures in financial matters;
  • Royal Decree 736/2019, of December 20, on the legal regime of payment services and payment institutions and by which Royal Decree 778/2012, of May 4, on the legal regime of entities is modified. of electronic money, and Royal Decree 84/2015, of February 13, which develops Law 10/2014, of June 26, on the organization, supervision and solvency of credit institutions;
  • Law 21/2011, of July 26, on electronic money;
  • Royal Decree 778/2012, of May 4, on the legal regime of electronic money institutions;
  • Regulation (EU) No. 2015/751, on exchange rates applied to card payment operations.
  • Delegated Regulation (EU) 2018/389 of the Commission, of November 27, 2017, by which Directive (EU) 2015/2366 of the European Parliament and of the Council is supplemented with regard to technical regulatory standards for authentication reinforced client and common and secure open communication standards;
  • Delegated Regulation (EU) 2021/1722 of the Commission of June 18, 2021, which supplements Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to the regulatory technical standards that specify the framework for cooperation and exchange of information between competent authorities of home and host Member States in the context of supervision of payment institutions and electronic money institutions providing cross-border payment services.

Categories of data subjects

  • Entity contact personnel
  • Senior managers and managers of the entity
  • Complainants and/or denounced.
  • Consultants.

Categories of personal data

  • Identification data: Name, surname, NIF or equivalent.
  • Contact details: Telephone, e-mail address, postal address.
  • Academic and professional data: Position.
  • Economic and financial data: Salary, accounts, transactions, financial information, etc.
  • Data related to the commission of criminal offenses.

Retention period

The data will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and the processing of the data. For this purpose, the retention periods must be in line with the document retention policy established by the Banco de España.

Security measures

Security measures provided for in Annex II of Royal Decree 3/2020, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration.

Recipients

  • Courts of Justice
  • Other competent public authorities
  • European Banking Authority

International transfer of data

N/A

Data controller

Banco de España

NIF: Q2802472G

Data Protection Officer

Division of Governance and Transparency
Contact formOpens in new window

Exercise of rights and complaints

You can check whether it is mandatory for you to provide your personal data, as well as the procedure to exercise your rights, withdraw your consent if applicable and lodge a complaint before the Data Protection Officer or the Spanish Data Protection Agency at our Privacy Policy

 

Previous Supervision of institutions... Next Supervision regarding reser...