Access to the procedures of the CNMV Virtual Office and the information and documentation
submitted to the CNMV require providing personal data that shall be processed by the CNMV, the
latter being the data controller of such personal data. The purpose for processing the data is that
which corresponds to each of the procedures detailed herein. The CNMV is entitled to carry out
this data processing by virtue of its public interest mission, in the exercise of the public powers
conferred on it and in order to comply with applicable legal obligations. Where a legal obligation
exists, the information and documentation submitted, and accordingly, the personal data contained
therein, may be disseminated on the CNMV’s website, and may also be communicated to third
parties (including, inter alia, administrative or judicial authorities, the Public Prosecutor’s Office,
ESMA, other regulators and supervisors). Any international personal data transfers outside the EU
shall be duly legitimised. The personal data provided shall be kept for the period of time
necessary to fulfil the purpose for which they were gathered, to determine any liabilities that may
arise from such purpose, and during the periods established in the regulations on files and
documentation.
The data subject, in accordance with data protection regulations and with the requirements, purposes
and limits established therein, may exercise his or her rights before the Spanish National Securities
Market Commission. The data subject may also, prior to filing a complaint with the Spanish Data
Protection Agency, contact the CNMV’s data protection officer.