Privacy Policy

see the policy

1) We respect your privacy and your choices.

2) The privacy and security of your data is incorporated into our policy.

3) We do not send marketing messages unless requested. They can be requested at any time.

4) We never share or pass on your data without your explicit consent.

5) We are committed to transparency concerning the use of your data.

6) We do not use your data without informing you or requesting your consent.

7) We respect your rights as established by law and in accordance with our own legal and operational obligations.

For more information about our privacy policies, below we set out the types of personal data we may collect or hold concerning you, how we may use them, with whom we may share them, how we protect them, and how you can exercise your rights in relation to these data.

When you share your personal data with us or when we collect personal data concerning you, we use them in accordance with this Privacy Policy (hereinafter the “Policy”). If you have any questions or concerns about your personal data, please contact us at

1. About us

The Instituto de Crédito Oficial (ICO), with registered office at Paseo del Prado, 4 28014 Madrid, Spain is responsible for the personal data you share with us. The ICO is therefore the data controller in accordance with the applicable data protection legislation.

2. Personal data

Personal Data refers to any information or data that can be used to identify you directly (for example, your name or surname) or indirectly (for example, your national identity card or D.N.I). Personal Data include information such as e-mail address / private postal addresses / mobile phone number, user names, profile pictures, personal preferences, user-generated content, financial information, among others. They may also include unique numerical identifiers, such as your computer’s IP address or your mobile device’s MAC address, as well as information we collect through cookies.

This Policy covers all Personal Data collected and used by the ICO.

3. Collection of personal data and purposes of processing

Please remember that before you start using any of our services or features, you should read this Policy, as well as the Terms and Conditions of Use for the specific section that applies to the service or feature in question. The section will state whether there are any particular conditions for its use, or whether any specific processing of your Personal Data is required. Failure to provide certain mandatory information may make it impossible for you to register as a user or access specific features and services available at

What data can we collect from you?

We can collect or receive your data through our websites, forms, applications, devices and financial products, among others. In some cases, you provide us with your Personal Data directly (for example, when you contact us); in other cases, we collect them directly (for example, by using cookies to understand how you use our websites/apps) or sometimes indirectly when we receive your data from third parties, including other ICO Group entities.

What is the legal basis for processing your Personal Data?

  • Your consent;
  • Our legitimate interest, which may be:
    • Generating statistics: to help us better understand your needs and expectations and therefore improve our services, websites/applications/devices, etc.
    • Enabling the functioning of our website/applications through technical and functional cookies: to keep our tools (websites/applications/devices) safe and secure and to ensure their proper functioning and continuous improvement.
    • Offering you our Information Service.
    • Sending by electronic means, or any other equivalent means of communication, invitations to attend events or seminars organised by the ICO, or by third parties; in any case, attendance will be voluntary and may require the data subject to register.
    • Submitting surveys on the quality of service. The ICO may send out surveys on the quality of the service provided, which the data subject is not obliged to complete.
  • In the case of a formalised agreement: to perform the services you request from us
  • Compliance with legal obligations involving the processing of personal data
  • When we collect your Personal Data, we mark the mandatory fields with asterisks. Some of the information we ask you for is necessary for:
    • Fulfilling our commitment to you
    • Providing you with the service you requested (for example, to send you a newsletter)

What are the ICO's different types of data processing?

4. Profiles

When we send or deliver personalised communications or content, we may employ certain methods that qualify as “profiling” (i.e. any automated processing of personal data that involves the use of such data to evaluate specific personal aspects of an individual, particularly for the analysis or prediction of factors related to personal preferences, interests, financial status, location, trustworthiness, or transactions carried out with the ICO). This means that we may collect personal data concerning you in order to carry out this profiling. We centralise this information and analyse it to assess and predict your personal preferences and/or interests.

Based on our analysis, we send or deliver communications and/or content specific to your interests/needs.

Please note that you have the right to object to the processing of your personal data for profiling purposes in certain circumstances. To this end, please refer to section 10, “Rights of the data subject and exercise of these rights.”

5. Who can access your Personal Data?

5.1. We may share your Personal Data within the ICO Group.

“Who may access your Personal Data?” your data may be shared with other ICO Group companies on the legal basis of legitimate interest of the group for administrative purposes and under the legal obligation of maintaining your information on a cancellation list if you have requested not to receive any additional marketing communications.

5.2. Your personal data may also be processed on our behalf by our trusted third party providers.

We enter into agreements with trusted third parties to perform a variety of services on our behalf. We only provide them with the information they need to perform the service, and we require that they do not use your personal data for any other purpose. We make every effort to ensure that all third parties we work with maintain the security of the personal data we provide to them.
6. How long do we keep your personal data?
We only keep your personal data for as long as we need it for the purpose for which it was collected with your explicit consent, in order to meet your needs or to comply with our legal obligations.

To determine the data retention period of your personal data, we use the following criteria:

  • Personal data obtained when contacting us with an query or complaint: for the time necessary to deal with your query;
  • Personal data obtained when giving consent to send communications or because they are necessary according to the regulations: until the purpose for which they were requested has been fulfilled.

We may retain some personal data to comply with our legal or regulatory obligations and to manage our rights (for example, to enforce our claims in court) or for statistical or historical purposes.

When we no longer need to use your personal data, it will be eliminated from our systems and records or made anonymous so that we can no longer identify you.

7. Is your personal data stored securely?

We are committed to protecting your personal data and to taking all reasonable precautions to do so. We contractually require the trusted third parties who handle your personal data to do the same.

We always do our best to protect your Personal Data and once we receive your personal information, we use strict procedures and security features to try to prevent unauthorised access. As the transmission of information via the Internet is not completely secure, we cannot guarantee the security of the data you transmit to our site. Therefore, any transmission is at your own risk.

8. Links to third party sites and social login

Our websites and applications may contain links to and from the websites of our partner networks. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we are not responsible for these policies. Please check these policies before submitting personal data to these websites.

9. Social media and user-generated content

Some of our websites and applications allow users to submit their own content. Please note that any content submitted to any of our social media platforms may be visible to the public, so you must be careful when sharing specific personal data (for example, financial information or details of where you live). We are not responsible for the actions of others connected to personal data posted on our social media platforms and we advise you not to share this kind of information.

10. Rights of the data subject and exercise of these rights

The ICO respects your right to privacy: it is important that you have control over your Personal Data.

In this regard, you have the following rights:

Right to information
  • You have the right to receive clear, transparent, and easy-to-understand information about how we use your Personal Data and about your rights. We provide that information in this policy.
Right of access
  • You have the right of access to the Personal Data we hold about you (within certain limits). We may charge a reasonable fee, subject to prior notice, to cover the administrative costs involved in providing the data. Manifestly unfounded, excessive or repetitive requests may be rejected. To exercise this right, you can contact us using the information provided under “Contacts”.
Right to rectification
  • You have the right to obtain the rectification of your Personal Data at any time if they are inaccurate or if they are no longer valid, or to have them completed it if they are incomplete. To exercise this right,you can contact us using the information provided under “Contacts”.
Right to erasure/be forgotten
  • In certain cases, you have the right to have your Personal Data erased or deleted. It should be noted that this is not an absolute right, as we may have legal or legitimate reasons for retaining the data. If you would like us to erase your Personal Data, you can contact us using the information provided under “Contacts”.
Right to object to direct marketing, including profiling
  • You can unsubscribe from our direct marketing communications at any time. You can unsubscribe by clicking on the “Unsubscribe” link contained in any email or communication we send you. Otherwise, please contact us using the information provided under “Contacts”. To object to profiling,you can contact us using the information provided under “Contacts”.
Right to withdraw consent at any time in cases where the processing of data is based on consent
  • You may withdraw your consent to the processing of your Personal Data in cases where the processing relies on your consent. Withdrawing consent will not affect the lawfulness of processing that occurred before the consent was revoked. For information on when processing relies on consent, please refer to the section “What data do we collect from you?”, “What is the legal basis for processing your Personal Data?”. If you wish to withdraw your consent, you can contact us using the information provided under “Contacts”
Right to object to processing based on the fulfilment of legitimate interests
  • You may object at any time to the processing of your data when this processing is based on the fulfilment of legitimate interests. For information on when processing is based on legitimate interests, please refer to the section “What data do we collect from you?”. “What is the legal basis for processing your Personal Data?” If you wish to exercise this right, you can contact us using the information provided under “Contacts”.
Right to lodge a complaint with a supervisory authority
  • You have the right to lodge a complaint with the Spanish Data Protection Agency about the ICO's privacy and data protection policies. Please do not hesitate to contact us using the information provided under “Contacts” before lodging a complaint with the relevant data protection authority.
Right to data portability
  • You have the right to move, copy or transfer data from our database to another database. This right can be exercised only for data you have supplied when processing relies on contract performance or your consent, and when the processing is automated. For information on when processing is based on a contract or consent, please refer to the section “What data do we collect from you?”, “What is the legal basis for processing your Personal Data?”. For further information, you can contact us using the information provided under “Contacts”.
Right to restriction of processing
  • You have the right to obtain the restriction of the processing of your data. If you exercise this right, the processing of your data will be subject to restriction, allowing us to retain them but no longer use them or process them. This right can only be exercised in certain circumstances defined by the General Data Protection Regulation, as follows: - the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; - the processing is unlawful, and the data subject opposes the deletion of personal data, opting for its restriction of use instead; - the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; - the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject. If you wish to exercise this right, you can contact us using the information provided under “Contacts”.


If you have any questions about how we process and use your Personal Data or wish to exercise any of your rights, you can let us know by sending an email to or by writing to us at the following address: Instituto de Crédito Oficial, at Paseo del Prado, 4 -28014 (Madrid) Spain.