Legal - Data Protection Policy

Data Protection Policy

1) We respect your privacy and your choices.

2) Data privacy and security are included in our policy.

3) We will not send marketing communications unless requested. They can be requested at any time.

4) We will never offer or transfer your data without express consent.

5) We are committed to transparency concerning the use of your data.

6) We do not use your data without having first informed you or having requested your consent.

7) We respect your rights pursuant to the regulations and in accordance with our own legal and operational responsibilities.

For more information about our privacy practices, below are the types of personal information we may collect or hold about you, how we may use it, with whom we may share it, how we protect it, and how you can exercise your rights with respect to this data.

When you share your Personal Data with us or when we collect personal information about you, we use it in accordance with this Privacy Policy (hereinafter, the "Policy"). If you have any questions or concerns about your personal data, contact us at


Instituto de Crédito Oficial, whose registered office is located at Paseo del Prado, 4 28014 Madrid, Spain, is the controller of the personal data you share with us. Therefore, ICO is responsible for processing the data as set out in the applicable legislation on data protection.


Personal Data refers to any information or data that may identify the subject directly (i.e. your name or surname) or indirectly (i.e. your national identity document or DNI). Personal Data includes information such as email address/postal address/mobile phone number, usernames, profile images, personal preferences, user generated content, and financial information, among others. It may also include unique numerical identifiers such as the IP address of your computer or the MAC address of your mobile phone, as well as the information we obtain through cookies.
This Policy covers all personal data collected and used by ICO.


Remember that before you start using any of our services or features, you should read this Policy, as well as the Terms of Use for the specific section on the corresponding service or feature. This section will contain details as to whether there are any specific conditions for its use, or if specific processing of your Personal Data is required. Failure to provide certain information indicated as mandatory may result in it not being possible to manage your registration as a user or the use of certain features or services available through

What data do we collect from you?
We may collect or receive your data through our websites, forms, applications, devices, and financial products, among others. In some cases, you provide us with your Personal Data directly (for example, when you contact us); in other cases we collect it from you (for example, using cookies to understand how you use our websites/apps) or, in other occasions, indirectly when we receive your data from other third parties, including other entities of the ICO Group.

What is the legal basis for Processing your Personal Data?

  • Your consent;
  • Our legitimate interest, which may be:
    • Statistical analysis: to help us better understand your needs and expectations and, therefore, improve our services, websites/applications/devices, etc.
    • To ensure the operation of our website/applications through technical and functional cookies: keep our tools (websites/applications/devices) safe and secure and guarantee that they work correctly and continuously improve.
    • Profiling
    • Offer customer service.
    • Sending, by electronic means, or other equivalent communication method, invitations to attend events or conferences organised by ICO or by third parties, whose attendance will, in any event, be voluntary and which may require registration by the data subject.
    • Sending surveys related to service quality. ICO may send out surveys related to the quality of the service provided; the data subject is under no obligation to answer.
  • When formally arranging a contract: performing the services requested from us;
  •  Compliance with the legal obligations that the processing of personal data entails;
  • When we collect your Personal Data, mandatory fields are marked with an asterisk. Some of the data we request is necessary to:
    • Comply with our commitment to you;
    • Provide you with the service requested (for example, to provide you with a Newsletter);

What are ICO's types of data processing?



When we send or offer personalised communications or content, we may use techniques known as "profiling" (i.e., any form of automated processing of personal data consisting of using that data to assess certain personal aspects of an individual, in particular to analyse or predict aspects related to personal preferences, interests, economic situation, location, reliability, or transactions made with ICO). This means that we may collect information about you for the purposes of profiling. We gather this information and analyse it to assess and predict your preferences and/or personal interests.

Based on our analysis, we send or show communications and/or content adapted to your interests/needs.

We make you aware that you have the right to object to your personal data being profiled in certain circumstances. For this purpose, see "Rights of the data subject and their exercise" (point 10).


5.1. We may share your personal data within Grupo ICO.
"Who may access to your Personal Data?", your data may be transferred to other companies in the ICO Group on the legal basis of the Group's legitimate interest to comply with its administrative purposes, or on the legal basis of its obligation to keep your details on an erasure list should you ask us not to send you further commercial communications.

5.2. Your personal data may also be processed on our behalf by our trusted third-party suppliers.

Contracts are in place with trusted third parties to carry out a variety of services on our behalf. We only provide them with the information needed for the service, and require that they refrain from using your personal data for any other purpose. We make every effort to ensure that the third parties with whom we work keep the personal data we supply to them secure.


We only keep your Personal Data for as long as needed for the purposes for which it was collected with your express consent, in order to meet your needs or comply with our legal obligations.

To determine how long we keep your Personal Data, we use the following criteria:

  • Personal Data obtained when you contact us regarding a query or claim: Personal Data during the time needed to deal with your query;
  • Personal Data obtained when you gave consent to be sent communications or because it is necessary in accordance with regulations: until the end of the period for which it was required.

We may retain some personal data to comply with our legal or regulatory obligations, as well as to administer our rights (for example, to assert our claims in court) or for statistical or historical purposes.

When we no longer need to use your personal data, it will be removed from our systems and records or anonymised so you can no longer be identified.


We are committed to protecting your Personal Data and take all reasonable measures to do so. We also demand that trusted third parties handling your Personal Data do the same by contract.

We always do our best to protect your Personal Data and, once we have received your personal information, we employ strict procedures and security features to try prevent unauthorised access. As sending information over the internet is not completely secure, we cannot guarantee the security of your data sent via our website. Therefore, any information is sent at your own risk.


Our websites and applications may contain links to and from websites of our associated networks. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we are not responsible for them. Check these policies before sending personal data to these websites.

Some of our websites and applications allow users to submit their own content. Remember that any content sent to one of our social media platforms can be seen publicly, so be careful when providing certain personal information (for example, financial information or your address). We are not responsible for any action taken by other people if you post personal data to our social media platforms and we recommend you do not share that information.

ICO respects your rights to privacy: it is important that you have control over your personal data. We therefore would like to make you aware of the following rights:

Right of information You have the right to clear, transparent and easy to understand information on how we use your personal data and your rights. This information is in this Policy
Right of access You have the right to access the personal data we hold about you (subject to certain limits).
We may charge a reasonable amount, with prior notice, to cover the administrative costs incurred in providing the information.
Clearly unfounded, excessive or repeated requests may not be answered.
To exercise this right, contact us using the details provided under "Contact".
Right of rectification You have the right to have your personal data rectified when it is inaccurate or has ceased to be valid or to complete it when it is incomplete.
To exercise this right, contact us using the details provided under "Contact".
Right of deletion/right to be forgotten   In certain cases, you have the right to have your personal data deleted or removed. It should be noted that this is not an absolute right as we may have legal or legitimate reasons to keep it.
If you would like us to remove your personal data, contact us using the details provided under "Contact".
Right of opposition to direct marketing, including profiling You can unsubscribe from our direct marketing communications at any time.
You can do so by clicking on the "Unsubscribe" link in any email or communication we send you. Otherwise, contact us using the details provided under "Contact".
To file your opposition to profiling, contact us using the details provided under "Contact".
Right to withdraw consent at any time when data processing is based on consent You can withdraw your consent to the processing of your personal data when processing is based on your consent. The withdrawal of consent will not affect the legality of the processing based on your consent prior to its withdrawal. To find out about when processing is based on consent, please consult "What data do we collect from you?", "What is the legal basis for the Processing of your Personal Data?".
Should you wish to withdraw consent, contact us using the details provided under "Contact".
Right to oppose processing based on purposes of legitimate interest You may oppose your data being processed at any time when processing is based on purposes of legitimate interest. To find out when processing is based on legitimate interest, please consult "What data do we collect from you?" "What is the legal basis for the Processing of your Personal Data?".
Should you wish to exercise this right, contact us using the details provided under "Contact".
Right to submit a complaint to a supervisory authority You have the right to submit a complaint to the Spanish Data Protection Agency against ICO's privacy and data protection practices.
Please do not hesitate in contacting us using the details provided under "Contact" before submitting a claim to the data protection supervisory authority.
Right to data portability You have the right to move, copy, or transfer data from our database to another. It is only possible to exercise this right with data you have provided, when processing is based on the execution of a contract or your consent and processing is automated. To find out about when processing is based on a contract or your consent, please consult "What data do we collect from you?", "What is the legal basis for the Processing of your Personal Data?".
For further information, using the details provided under "Contact".
Right of limiting processing

You have the right to request that the processing of your data is limited. If you exercise this right, the processing of your data will be restricted, so that we can store it but we cannot continue using it or processing it.
This right can only be exercised in certain circumstances defined in the General Data Protection Regulation, as follows:

- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
- the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1) pending the verification of whether the legitimate grounds of the controller prevail over those of the data subject.

Should you wish to exercise this right, contact us using the details provided under "Contact".

If you have any questions about how we process and use your personal data or wish to exercise any of the rights set out, you can notify us via email at, or by writing to the following address: Instituto de Crédito Oficial, Paseo del Prado, 4 -28014 (Madrid) Spain.