1 Previous Considerations

This Privacy Policy is prepared to comply with the provisions of article 13 of the General Data Protection Regulation regarding the information that must be provided to the Data Subjects whose Personal Data has been collected by this Company.

2 Definitions

CNMV: Comisión Nacional del Mercado de Valores.

Company: European Digital Securities Exchange S.V S.A., with N.I.F.: A88474713, LEI code 959800UP9ANDBHTKJ408, with registered office at calle José Abascal 45, 6th floor, 28003, Madrid, Spain, duly authorized as an Investment Firm by the CNMV, registered in the Mercantile Registry of Madrid, volume 39634, folio 8, page M-703427, 1st inscription.

Controller: the Company, as a legal entity that determines the purposes and means of the Processing of Personal Data.

Data Protection Officer: person in charge of advising the Company on privacy matters.

Data Subject: you as an identified or identifiable natural person in respect of whom Personal Data is collected/collected.

Financial Instruments: the financial instruments admitted to trading in the MTF.

General Data Protection Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Group: group made up of the Company and other companies that exercise control over the Company or over which the Company exercises control. To determine when there is control, the provisions of article 42 of the Commercial Code will apply.

Investment Firm: has the meaning set out in Article 4.1 of MIFID 2.

Investment Service: these are the services provided in Annex I, Section A, of MIFID 2. For the purposes of this Terms and Conditions of Use, the ancillary services provided in Annex I, Section B, of MIFID 2 are also included, where appropriate.

Issuer: a legal entity whose financial instruments have been admitted to trading on the MTF, or who has requested their admission to trading on the MTF.

MIFID 2: Directive 2014/65/EU of the European Parliament and the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU.

MTF: the Multilateral Trading Facility managed by the Company whose commercial name is Portfolio Stock Exchange.

Multilateral Trading Facility: according to article 4.1.(22) of the MIFID 2, means a multilateral system, operated by an Investment Firm or a market operator, which brings together multiple third-party buying and selling interests in financial instruments –in the system and following non-discretionary rules– in a way that results in a contract in accordance with Title II of the MIFID 2.

Personal Data: any information about a Data Subject from which his or her identity can be determined, directly or indirectly, in particular by means of an identifier (e.g., a name, an identification number, location data, or an online identifier); or one or more elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor: means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

Recipient: means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Services: the services provided by the Company whether those are Investment Services or not.

Third Party: means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data.

Web: Company’s webpage:

3 Identity and contact details of the Controller and the Data Protection Officer

The Controller is the Company. Its contact information for the purposes of exercising the rights recognized in the General Data Protection Regulation and specified in this Privacy Policy are the following:


The Company has a Data Protection Officer whose contact details are those referred to above.

Likewise, for any claim you can contact the Spanish Agency for Data Protection in its capacity as the Spanish control authority (

4 Purposes of Processing and legal basis

We inform you that the purpose of the collection and Processing of Personal Data is the execution and fulfilment of the contractual relationship that you maintain with the Company for the provision of Services by the same, being the execution of the agreement that regulates the aforementioned relationship the legal basis of said Processing, as well as compliance by the Company with the legal obligations imposed on it as provided in section A below.

Additionally, the collection and Processing of Personal Data is also for the purpose of sending you information about the Company’s Services, being the execution of the signed agreement the legal basis for this or, where appropriate, your express consent once previously informed, consent that may be withdrawn at any time by exercising the right of opposition provided in Section 6 (Data Subjects’ rights) of this Privacy Policy and in the manner provided therein.

  • A) Purpose of execution and fulfillment of the contractual relationship for the provision of Services

Specifically, the necessary Personal Data will be collected to:

  1. Provide you with the Services contracted with the Company and, within the scope thereof, make available to you the information prepared by the Issuers on the Financial Instruments admitted to trading in the MTF;
  2. Verify your identity to access the Services offered by the Company in order to prevent and avoid fraudulent behaviour;
  3. Comply with the legal obligations set forth in the regulations for the prevention of money laundering and financing of terrorism and in tax regulations;
  4. Comply with the legal obligations provided for in the regulations applicable to the securities markets, among others, those related to the evaluation of their knowledge and previous experience in the financial markets, or those related to regulatory reporting to the supervisory authorities of the operations executed in the MTF.
  • B) Purpose of information about Services

The necessary Personal Data will be collected to send you commercial communications about Company’ Services, newsletters or the like, or invitations to events.

5 Recipients of the Personal Data

The categories of Recipients to whom the Company may communicate Personal Data of the Data Subjects are:

  1. Authorities, services or other public bodies to which Personal Data is communicated in compliance, by the Company, with the legal obligations imposed on it as provided in Section 4 (Purposes of Processing and legal basis) of this Privacy Policy.
  2. Companies that form part of the Company’s Group and service providers, with whom the Company has signed the corresponding data processing agreement.

6 Data Subjects’ rights

  • Right of access: the Data Subject shall have the right to obtain from the Company confirmation of whether Personal Data Processing is being carried out and, in this case, the right of access to the Personal Data and the following information: purposes of the Processing; categories of Personal Data processed; Recipients to whom Personal Data is communicated; term of conservation of the Personal Data or criteria used for its determination; existence of the right to request rectification, deletion, limitation and opposition; right to file a claim with the Spanish Agency for Data Protection; information available on the origin of the Personal Data in the event that they have not been obtained directly from the Data Subject; and existence of automated decisions.
  • Right of rectification: right for the Company to correct inaccurate Personal Data or to complete incomplete Personal Data.
  • Right of deletion: right for the Company to delete Personal Data in the event that the circumstances provided for in article 17 of the General Data Protection Regulations
  • Right to limitation of Processing: right to request the Company to suspend the Processing of all or some of the Personal Data if the circumstances provided for in article 18 of the General Data Protection Regulation
  • Right to portability: right to receive from the Company the Personal Data that concerns the Data Subject in a structured format, for common use and mechanical reading, and the right to said Personal Data is transmitted to another Controller other than the Company provided that this is technically possible, in cases in which the Processing is based on the consent of the Data Subject and on the execution of a contract and is carried out by automated means.
  • Right to object: right that the Company does not carry out a Processing of Personal Data for direct marketing purposes, including profiling.
  • Right not to be subject to automated individual decision-making: the Data Subject’s right not to be the subject of a decision based solely on automated processing, including profiling, when such decision has a legal effect on the Data Subject or significantly affects, except when the decision is necessary for the conclusion or execution of a contract between the Data Subject and the Company, is authorized by the Law of the Union or of the Member States that applies to the Company and appropriate measures are established to safeguard the rights and freedoms and the legitimate interests of the Data Subject, or is based on the explicit consent of the Data Subject.

The Data Subject may exercise the rights referred to above, by sending an email, to the attention of the Data Protection Officer, to the email address indicated in Section 3 (Identity and contact details of the Controller and the Data Protection Officer) of this Privacy Policy. For these purposes, the Data Subject must send a copy of their National Identity Document or equivalent document with which to prove their identity. The exercise of these rights will be free.

Likewise, the Data Subject may submit a claim regarding the Processing of Personal Data before the Spanish Agency for Data Protection in its capacity as the Spanish control authority (

7 Transfers of Personal Data

In the event that the Company needs to carry out international transfers of Personal Data outside the European Union and, in cases where there is no adequacy decision, there are no adequate guarantees, and there is no reason that justifies it from those provided in Article 49.1 of the General Data Protection Regulation, the Company undertakes to inform the Data Subject of said international transfer of Personal Data in all its terms and of the possible risks involved, and to obtain their prior consent.

8 Period of conservation of Personal Data

The Company will keep the Personal Data during the period of time in which the contractual relationship with the Data Subject is in force and, once it has ended, for as long as is necessary to comply with the legal obligations that are applicable, specifically, and as for example, during a period of 10 years from the termination of the business relationship or the execution of a specific operation, as required by article 25.1 Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism.

9 Existence of decisions based solely on automated processing

The Company does not intend to make decisions based solely on the automated processing of Personal Data. However, if they occur, the Company will inform the Data Subject about the applied logic, as well as about the importance and expected consequences of said Processing.

10 Security of Processing

Taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the Processing, as well as risks of variable probability and severity for the rights and freedoms of the Data Subject, the Company applies appropriate technical and organizational measures to guarantee a level of security appropriate to the risk and to prevent unauthorized or unlawful Processing, or the accidental loss, destruction or damage of Personal Data.

11 Personal Data obtained through the Web

In relation to the Personal Data collected through the Web, we refer you to the Cookies Policy approved by the Company.