Data Protection and the Risk Information Centre in Spain

The Risk Information Centre of the Central Bank of Spain (CIRBE) has significant relevance in Spain when it comes to the protection of data. When we say it has a public and confidential character, we do not mean to talk about a common register of defaulters, but of an extensive database where all direct and indirect risks related to the clients of financial institutions, notwithstanding whether or not the holders are up to date with payments.

If one wants to know if someone in particular (whether or not a client) has defaults, how much and with which institutions, this database would not be the most adequate to use. The CIBRE solely informs institutions about information related to their own clients and relevant only to the risks, endorsements and credits without any specification on what type they are and what their present conditions are.

Importantly, when it comes to the protection of personal data, the CIBRE, as a publicly owned database, is excluded from the regime established in Art. 29 of the LOPD. That is why the obligations set in the LOPD are inapplicable, even though the Agency on the Protection of Data (considering that the exclusion does not apply to the rest of the LOPD regarding the responsibility of the companies providing information to the CIBRE) has on numerous proceedings sanctioned the non-compliance with the principle of the quality of the information for both inadmissible discharges as well as for maintaining inaccurate information.

Among the objectives of the CIRBE is providing financial institutions with information relevant to their activity and permitting the Central Bank of Spain to adequately exercise its right of supervision and inspection.

In regards to their performance, financial institutions are obliged to:

  • Declare monthly to the CIRBE all situations of risk to which the financial institution have been subjected
  • Provide necessary information in order to identify the persons with who the abovementioned credit risks are directly or indirectly maintained
  • As well as the features of said persons and risks, without including information specially protected by art. 7 of the LOPD.

In general, the minimum amount to be declared will be 6.000 €. Loans below this amount will not be registered in the CIRBE.

Every month, the CIBRE will inform the declaring institutions of the loan holders declared by them.

Likewise and free of charge, the owners of the data can obtain the information contained in the Central of Risks in order to detect possible mistakes, exercising their rights to access and correction of those mistakes before the institution which has declared them or directly before the National Central Bank.

After the adoption of the Law on Means for the Reformation of the Financial Sector (Law 44/2002), the declaration of information about risks relevant to natural persons in the CIBRE does not require the person’s consent. However, institutions must still inform of the cited obligatory declaration as well as its scope. All of this is without prejudice to the information they are obliged to provide to the individuals by virtue of par. 1 art. 5 of the OLPD.

On the other hand, the institution before which a loan or whatever other risk operation is requested, shall not need express authorization from its clients to accede to the information that the CIBRE has about them, even though it does have to inform them in writing of its right to consult the information.

Finally, and concerning the conservation of the registered information in the CIRBE, the data will be conserved for ten years and deleted thereafter. Still, due to historical, statistic or scientific value, some of this information could be conserved for an indefinite period of time, by means that do not allow the affected to be identified.

This period of conservation differs from the six year period established by art. 41.2 of the RDOLPD concerning the patrimonial credit solvency or default databases.

Cristina Sandoval & Jesús Sánchez

This article is not considered as legal advice

Jesús Sánchez

A Business Law graduate of the Universidad San Pablo (CEU) and a PhD in Consitutional Rights and IT, Jesús Sanchez specialises in IT Law. He is a partner at Áudea, a firm that specialises in the managing the security of information. For any further enquiries please Contact us