Activity log data processing

Performed by ANF AC

TREATMENTS ANF AC

1 Registration of certificate requests. - CA


a) Legal Basis Contract performance.
b) Purposes of treatment ANF AC, as a Qualified Trust Service Provider, provides the certificate issuance service. This service, for its proper management and administration, requires maintaining a register of requested certificates.
c) Collective Customers of the service contracted to ANF AC.
d) Data categories Content required by the legislation on qualified certificates and those that the interested party expressly requests to be included. Information verification reports.
e) Source of data The interested parties themselves and third party sources consulted to verify the veracity of the information.
f) Category of recipients The ANF AC organisation itself, eIDAS auditors, Control Authority, clients, legal and fiscal obligation.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it.
i) Safety measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis has been performed with the result of a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 01 - Date: 02/02/2020 - Result risk level: low


2 Registry of electronic signature certificates issued. - CA


a) Legal basis Legal obligation Regulation (EU) 910/2014 EIDAS.
b) Treatment purposes ANF AC, as a qualified Trust Service Provider, provides the certificate issuance service. This service, for its proper management and administration, requires maintaining a register of issued certificates.
c) Collective Customers of the service contracted to ANF AC.
d) Data categories Content required by the legislation on qualified certificates and those that the interested party expressly requests to be included. Information verification reports.
e) Data source The interested parties themselves and third party sources consulted to verify the veracity of the information.
f) Category of recipients The ANF AC organisation itself, eIDAS auditors, Control Authority, clients, legal and fiscal obligation.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it.
i) Safety measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis has been performed with the result of a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 01 - Date: 02/02/2020 - Result risk level: low


3 HR Registry – AC / EC


a) Legal Basis Execution of a contract. If applicable, fulfilment of a legal obligation.
b) Treatment purposes Management of ANF AC's personnel. Personal file. Time and attendance control. Incompatibilities. Training. Prevention of occupational hazards, absenteeism control. Infringements, disciplinary sanctions. Issuing of the payroll, as well as all the products derived from it. Obtaining statistical or monographic studies for the economic management of personnel.
c) Collective ANF AC staff.
d) Data categories Name and surname, DNI/CIF/identifying document, personnel registration number, social security/mutuality number, address, signature and telephone number. Special categories of data: health data (sick leave, occupational accidents and degree of disability, not including diagnoses), trade union membership, for the sole purpose of payment of trade union dues (if applicable), trade union representative (if applicable), own and third party proof of attendance. Data on personal characteristics: Sex, marital status, nationality, age, date and place of birth and family data. Data on family circumstances: Date of registration and leave, licences, permits and authorisations. Academic and professional data: Qualifications, training and professional experience. Details of employment and administrative career. Incompatibilities. Attendance control data: date/time of arrival and departure, reason for absence. Economic-financial data: Payroll economic data, credits, loans, guarantees, tax deductions, reduction of credits corresponding to the previous job (if applicable), judicial withholdings (if applicable), other withholdings (if applicable). Bank details. CV, photocopy of ID card, photocopy of qualifications obtained, reports of references made to third parties, and reports verifying the veracity of the information.
e) Source of data The interested parties themselves and third party sources consulted to obtain employment references and verify the veracity of the information.
f) Category of recipients The ANF AC organisation itself. In addition: Financial institutions. State Tax Administration Agency. Social Security and labour inspection.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any possible liabilities that may arise from this purpose and from the processing of the data. The provisions of the archives and documentation regulations shall apply. The financial data from this processing activity will be kept in accordance with the provisions of Law 58/2003, of 17 December, on General Taxation.
i) Safety measures. The technical security measures implemented correspond to those provided for in ISO 27001 and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR, Organic Law 3/2018 on data protection, legal regulations in this area and guidelines of the European Data Protection Committee are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 02 - Date: 02/02/2020 - Result risk level: low


4 Role Register. – AC / EC


a) Legal Basis Execution of a contract. If applicable, fulfilment of a legal obligation.
b) Treatment purposes Management of labour personnel assigned to ANF AC. Incompatibilities. Training. Prevention of occupational hazards. Infringements, disciplinary sanctions. Issuance of the payroll, as well as all the products derived from it. Obtaining statistical or monographic studies for the economic management of personnel.
c) Collective ANF AC staff and staff under service provision contracts.
d) Data categories Name and surname, DNI/CIF/identifying document, personnel registration number, address, signature and telephone number, e-mail address. Academic and professional data: Qualifications, training and professional experience. Incompatibilities. Time and attendance data: date/time of arrival and departure, reason for absence. CV, photocopy of ID card, photocopy of qualifications obtained.
e) Source of data The person concerned.
f) Category of recipients The ANF AC organisation itself, auditors, control authority, clients, legal and fiscal obligation.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it.
i) Safety measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 02 - Date: 02/02/2020 - Result risk level: low


5 Time and Attendance Register. AC / EC


a) Legal Basis Compliance with a legal obligation. Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers' Statute Law.
b) Treatment purposes Management of staff, issuance of payroll and compliance with the obligation to record working hours.
c) Collective ANF AC staff.
d) Data categories Name and surname, DNI/CIF/identifying document, personnel registration number, signature.
e) Source of data The person concerned.
f) Category of recipients The ANF AC organisation itself, auditors, control authority, clients, legal and fiscal obligation.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it.
i) Safety measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 02 - Date: 02/02/2020 - Result risk level: low


6 Registry of certified scans. – AC


a) Legal Basis Contract performance.
b) Treatment purposes ANF AC, as a qualified Trusted Services Provider, provides the service of certified scans in accordance with the AEAT regulations. This service, for its proper management and administration, requires keeping a record of the scans performed.
c) Collective Customers of the service contracted to ANF AC.
d) Data categories Digitalised documents.
e) Source of data Contracting company as data controller.
f) Category of recipients Customers of the service contracted to ANF AC.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it.
i) Safety measures The technical security measures implemented correspond to those required by the data controller, those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level. If possible non-compliance with the GDPR is detected, ANF AC assumes responsibility for informing the data controller. A risk analysis has been performed with a low risk level result.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 03 - Date: 02/02/2020 - Result risk level: low


7 Register of certified communications. – AC


a) Legal Basis Execution of a contract, ANF AC assumes the role of data processor. GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures. General Data Protection Regulation.
b) Treatment purposes ANF AC, as a Qualified Trust Service Provider, provides the certified communications service. This service, for its proper management and administration, requires keeping a record of the communications processed, senders and recipients.
c) Collective Senders and recipients of the certified communications processed by ANF AC.
d) Data categories Name and surname, company to which it belongs, telephone number, e-mail address of the sender. Name and surname, company to which it belongs, telephone number, e-mail address of the recipient. Content of the communication. Date and time of sending, date and time of delivery, date and time of opening.
e) Source of data Contracting company as data controller.
f) Category of recipients The contracting company and recipients of communications.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it.
i) Safety measures The technical security measures implemented correspond to those required by the data controller, those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level. If possible non-compliance with the GDPR is detected, ANF AC assumes responsibility for informing the data controller. A risk analysis has been performed with a low risk level result.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 04 - Date: 02/02/2020 - Result risk level: low


8 Register of AR Operators. – AC


a) Legal Basis Contract performance.
b) Treatment purposes ANF AC, as a qualified Trusted Service Provider, has the collaboration of operators attached to offices that make up the network of On-Site Verification Offices (OVP) and Recognized Registration Authorities (ARR) by ANF AC. With all of them, ANF AC has signed a service provision contract, which requires the proper management of the AR operators' data.
c) Collective ANF AC AR operators.
d) Data categories Name and surname, DNI/CIF/identifying document, address and telephone number. Examination and result of the examination. OVP or ARR entity to which they belong.
e) Source of data Contracting company as data controller.
f) Category of recipients The ANF AC organisation itself, eIDAS auditors, the competent Control Authority.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion When their data are no longer necessary to determine responsibilities in relation to their professional performance, and the accreditation of compliance with the obligations of ANF AC.
i) Safety measures The technical security measures implemented correspond to those required by the data controller, those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level. If possible non-compliance with the GDPR is detected, ANF AC assumes responsibility for informing the data controller.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 05 - Date: 02/02/2020 - Result risk level: low


9 AR / OVP Dispatches Register. – AC


a) Legal Basis Contract performance.
b) Treatment purposes ANF AC, as a qualified Trusted Service Provider, has the collaboration of operators attached to offices that make up the network of On-Site Verification Offices (OVP) and Recognized Registration Authorities (RRA) by ANF AC. With all of them, ANF AC has signed a service provision contract, which requires the proper management of their data.
c) Collective Clients (natural persons) and legal representatives of organisations with legal personality.
d) Data categories Name and surname, DNI/CIF/identifying document, Contact details of the client organisation, its representatives.
e) Source of data The person concerned.
f) Category of recipients The ANF AC organisation itself, auditors, control authority, clients, legal and fiscal obligation.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it.
i) Safety measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 05 - Date: 02/02/2020 - Result risk level: low


10 Register of Disciplinary Files. – AC / EC


a) Legal Basis Execution of a contract. If applicable, fulfilment of a legal obligation.
b) Treatment purposes Management of labour personnel assigned to ANF AC. Incompatibilities. Training. Prevention of occupational hazards. Infringements, disciplinary sanctions.
c) Collective ANF AC staff.
d) Data categories Name and surname, DNI/CIF/identifying document, personnel registration number, address, signature and telephone number, e-mail address. Academic and professional data: Qualifications, training and professional experience. Incompatibilities. Time and attendance data: date/time of arrival and departure, reason for absence. CV, photocopy of ID card, photocopy of qualifications obtained.
e) Source of data The person concerned.
f) Category of recipients The ANF AC organisation itself, auditors, control authority, clients, legal and fiscal obligation.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it.
i) Safety measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 06 - Date: 02/02/2020 - Result risk level: low


11 Registration of RC Complaints. – AC / EC


a) Legal Basis Legitimate interest.
b) Treatment purposes ANF AC considers it of particular importance to adequately assume its corporate social responsibility. To this end, it makes available to the public in general, and the company's own staff in particular, a register of communications that allows facts that contravene the corporate social responsibility policy of the organisation to be reported anonymously. This register makes it possible to determine which senior management position will be responsible for handling the notification (investigation of the facts, delimitation of responsibilities, and application of measures where appropriate).
c) Collective Clients, workers, general public.
d) Data categories They may include personal data allowing the identification of natural persons, and reports of events that may affect them as victims or perpetrators.
e) Source of data The public in general and the company's own staff in particular.
f) Category of recipients ANF AC senior management, and legal obligation.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it.
i) Safety measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 06 - Date: 02/02/2020 - Result risk level: low


12 Invoicing and payment records. – AC / EC


a) Legal Basis Legitimate interest.
b) Treatment purposes ANF AC, in its general activity, provides services that are invoiced and on which a payment control is required, within the administrative and financial management process of the organisation.
c) Collective Individuals and entities that have contracted and received a service from ANF AC.
d) Data categories Name and surname, address, telephone number, email, if applicable, company to which they belong, form and term of payment, VAT number, products or services supplied, amount and payment status.
e) Source of data Contracting company as data controller.
f) Category of recipients Own organisation ANF AC. AEAT. No information is provided to databases for the control of delinquency.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They shall be kept for a period of three months, after which they shall be destroyed.
i) Safety measures The technical security measures implemented correspond to those required by the data controller, those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level. If possible non-compliance with the GDPR is detected, ANF AC assumes responsibility for informing the data controller. A risk analysis has been performed with a low risk level result.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 07 - Date: 02/02/2020 - Result risk level: low


13 Customer registration (contact persons). – AC / EC


a) Legal Basis Obligation to perform the contract.
b) Treatment purposes ANF AC has a client register, which allows the identification of the organisations with which it maintains a contractual relationship and the contact persons.
c) Collective Clients (natural persons) and legal representatives of organisations with legal personality.
d) Data categories Contact details of the client organisation, its representatives, consumption information, statistical data, accounting information.
e) Source of data Client organisation's own and creditworthiness information obtained from third party sources.
f) Category of recipients The ANF AC organisation itself, auditors, supervisory authority, legal and fiscal obligation.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it.
i) Safety measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 07 - Date: 02/02/2020 - Result risk level: low


14 Record of training provided (diplomas issued)


a) Legal Basis Performance of a contract. GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is party or for the implementation at the request of the data subject of pre-contractual measures. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller. General Data Protection Regulation.
b) Treatment purposes Management and control of the training activities organized by ANF AC aimed at personnel of the organization itself, such as AR operators of the On-Site Verification Points and ARR Offices, as well as other courses that ANF AC may provide. With all participants, students and teachers, ANF AC has signed the corresponding service provision contract.
c) Collective Teachers and students participating in ANF AC training courses.
d) Data categories Teachers and students:
Name and surname(s), ID card, address, telephone number, image, signature. Employment details: organisation or body and position held.
Teachers:
Academic and professional data: education, qualifications. Economic-financial data: bank details.
e) Source of data Stakeholders.
f) Category of recipients The ANF AC organisation itself, AEPD, ENAC, FUNDAE. In addition, the data of the teachers may appear in brochures or on the ANF AC website as part of the dissemination of training activities. The data of teachers of remunerated activities will be communicated to financial institutions, State Agency of Tax Administration.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any possible liabilities that may arise from this purpose and from the processing of the data. The provisions of the archives and documentation regulations shall apply. Teachers' data will be kept for future training activities, unless they request their deletion. In the case of remunerated activities, they will be kept in accordance with the provisions of Law 58/2003, of 17 December, General Taxation.
i) Safety measures The technical security measures implemented correspond to those foreseen in ISO 27001, ISO 17024 and security standards related to the ETSI regulation that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis has been performed with a low risk level result.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 08 - Date: 02/02/2020 - Result risk level: low


15 ANF AC Campus student registration. – AC / EC


a) Legal Basis Contract performance.
b) Treatment purposes A proper management and administration of the ANF AC Campus requires a control of the students who have the right to access and participate in the courses for which they have registered. In addition, it is necessary to manage their participation in the courses.
c) Collective Students enrolled in ANF AC training courses.
d) Data categories Name and surname, ID card or other identification document, belonging to a company. Special categories of data: data corresponding to disability requiring adaptation of the examination. Personal characteristics data: address, telephone number, email address. Academic and professional data: qualifications, training and professional experience. Details of employment and professional experience in data protection.
e) Source of data Stakeholders themselves.
f) Category of recipients The ANF AC organisation itself and, in the case of subsidised training, Fundación Estatal para la Formación en el Empleo - FUNDAE.
g) Transf. International No international transfer of data is foreseen.
h) Deadline for deletion They will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any possible liabilities that may arise from this purpose and from the processing of the data. The provisions of the archives and documentation regulations shall apply.
i) Safety measures The technical security measures implemented correspond to those foreseen in ISO 27001 and security standards related to the ETSI regulation that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR, Organic Law 3/2018 on data protection, legal regulations in this area and the guidelines of the European Data Protection Committee are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD -RESULT ANF AC 18 - Date: 02/02/2020 - Result risk level: low


16 Registration of teachers Campus ANF AC. - AC

a) Legal basis Obligation to perform the contract.
b) Treatment purposes Manage the accesses and permissions of the ANF AC campus teachers.
c) Collective Teachers who teach courses on the ANF AC virtual campus.
d) Data Categories. First name and surname, ID card or other identification document, Membership of a company. Special categories of data: data corresponding to disabilities that require adaptation of the campus. Personal characteristics data: address, telephone, e-mail. Academic and professional data: qualifications, training and professional experience.
e) Data processing Holders
f) Target category The ANF AC organisation itself and, in the case of subsidised training, the State Foundation for Employment Training - FUNDAE.
g) International Transfer No international transfer of data is foreseen
h) Deletion period They shall be kept for the time necessary to comply with the obligations undertaken, and for the time necessary to be able to prove it.
i) Security measures The technical security measures implemented correspond to those provided for in the ISO 27001 standard, and the security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially with the Law on Information Society Services and Telecommunications. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low level of risk.
j) Responsible entity Certification authority of the NCA.
k) EIPD - Result ANF AC 08 - Date: 02/02/2020 - Risk level of the outcome: low


17 Biometric control register (physical access). – AC / EC

a) Legal basis Legitimate interest
b) Treatment purposes Access control to ANF AC facilities. ANF AC carries out an activity that requires privacy and its assets must be protected. All this requires control of the people who access the organisation's facilities. The staff of the organization in its daily activity has a high degree of mobility, with constant entries and exits that must be registered but are materially impossible to manage through the physical access log. This register makes it possible to automate control, without capturing fingerprints and without associating it with a specific identity by applying pseudonymisation techniques. This processing does not allow the control of time spent on the premises and therefore cannot be used for other purposes such as productivity or behavioural control.
c) Collective. ANF AC staff.
d) Data categories Registration identification, biometric algorithm encoding. Other data: zone, day and time of entry.
e) Data processing Holders
f) Target category The ANF AC's own organisation.
g) International Transfer No international transfer of data is foreseen.
h) Deletion period The data shall be kept for a period of three months, after which time the data shall be destroyed, unless the organisation so requires.
i) Security measures The technical security measures implemented correspond to those provided for in ISO 27001 and the security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR, the Organic Law 3/2018 on data protection, the legal regulations on the matter, the WP160 2/2009 Opinion of the WG29, and the legal report published by the AEPD 2015-0065 are respected. A risk analysis has been carried out with the result of a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - Result ANF AC 09 - Date: 02/02/2020 - Risk level of the outcome: low

18 Incident logging (security breaches). – AC / EC

a) Legal basis Legal obligation (Articles 73 and 74 of the LOPD 3/2018 in relation to Article 33 of the RGPD) and Article 19 of the eIDAS Regulation.
b) Purposes of processing The GDPR obliges security controllers to notify the competent data protection supervisory authority and, where appropriate, the data subjects, of security breaches that occur. ANF AC, in order to have an adequate organisational measure to demonstrate compliance with its obligations, manages this Incident Log.
c) Collective. Persons and entities that have contracted and received a service from ANF AC.
d) Data Categories. Scope of the security breach, Processing affected, Effects, Date and time of detection, Identification of possible affected parties (identification data), Actions taken, Communications made, Date and time of notification, Measures taken to avoid recurrence, Communication, if applicable, of the event with information on recommendations for measures to be taken.
e) Origin of the data ANF AC, the affected parties themselves, contracted third parties
f) Target category ANF AC's own organisation. AEPD, eIDAS Supervisory Authority and, where applicable, the data subjects concerned.
g) International Transfer No international transfer of data is envisaged.
h) Deletion period They shall be kept for a period of three months, after which time they shall be destroyed.
i) Security measures The technical security measures implemented correspond to those provided for in the ISO 27001, ISO 17024 and ETSI-related security standards that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR and the Organic Law 3/2018 on data protection are respected. A risk analysis has been performed with a result of a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - Result ANF AC 10 - Date: 02/02/2020 - Risk level of the outcome: low

19 Register of those affected. - AC / EC

a) Legal basis Legal obligation (Articles 74 ñ of the LOPD 3/2018 in relation to Article 34 of the RGPD)
b) Purposes of the processing In accordance with the current legal regulations on data protection ANF AC assumes the obligation to notify data subjects in the event of a security breach for which it is required to manage the information in this regard.
c) Collective. Stakeholders.
d) Data Categories. Identification of possible affected parties, communication, where appropriate, of what has happened with information on the recommendations of the measures to be adopted. Information on the incident detected, date on which it became known, seriousness, measures adopted to resolve it, measures adopted to prevent it from occurring again, among others.
e) Origin of the data ANF AC, the data subjects themselves, auditors, contracted third parties
f) Target category The ANF AC organisation itself, client organisations, affected parties, auditors, supervisory authority. Legal obligation.
g) International Transfer International transfers of data are not foreseen.
h) Deletion period The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY
k) EIPD - RESULT ANF AC 10 - Date: 02/02/2020 - Result risk level: low

20 Registration of general telephone calls. – AC / EC

a) Legal basis Legitimate interest
b) Purposes of the processing ANF AC provides trust services for transactions that may involve personal liability, such as financial damage if the customer misuses our tools. E.g. giving your PIN to a third party, giving away your private keys, etc. Adequate advice is highly important for your interests. The purpose of this processing is to verify the quality of the service received by our customers, both from the point of view of comprehensible language and the veracity of the information communicated to them, and even to ascertain whether our operators incur any kind of liability.
c) Collective. General public and ANF AC staff.
d) Data Categories. Telephone number, calling party.
Recorded voice recording
Other data: day and time
e) Origin of the data The interested parties themselves: person contacting and ANF AC operator answering the call
f) Target category The ANF AC organisation itself.
g) International transfer International transfers of data are not foreseen.
h) Deletion period The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 11 - Date: 02/02/2020 - Result risk level: low


21 Registration of telephone calls revocations. – AC / EC


a) Legal basis Legal obligation laid down in Regulation (EU) 910/2014 EIDAS.
b) Purposes of processing ANF AC, in its capacity as a Qualified Trust Service Provider, has the obligation to deal diligently with revocation requests. Certificate holders can carry out this procedure by telephone, provided that they pass the security controls that accredit their identity.
c) Collective. Certificate holders and ANF AC personnel.
d) Data Categories. Recorded voice over

Recorded voice recording
Other data: day and time
e) Origin of the data The interested parties themselves, the person contacting and the ANF AC operator answering the call
f) Target category The ANF AC organisation itself.
g) International transfer International transfers of data are not foreseen.
h) Deletion period The data will be kept for a minimum period of 15 years, after which time the data will be destroyed unless required by the organisation.
i) Security measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 11 - Date: 02/02/2020 - Result risk level: low


22 Registration of telephone calls and contracting. – AC / EC



a) Legal basis Execution of a contract
b) Purposes of the processing This processing is carried out for the purpose of accrediting requests for the contracting of services or purchases by customers, the information associated with the service, their conformity in the acquisition, and defence in the event of a complaint.
c) Collective. Public in general and ANF AC staff.
d) Data Categories. Telephone number, calling party.
Recorded voice recording
Other data: day and time
e) Origin of the data The interested parties themselves: person contacting and ANF AC operator answering the call
f) Target category The ANF AC organisation itself.
g) International transfer International transfers of data are not foreseen.
h) Deletion period The data will be kept for a period of five years, after which time the data will be destroyed unless required by the organisation.
i) Security measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 11 - Date: 02/02/2020 - Result risk level: low


23 Registration of high trust PKI operators. - AC



a) Legal basis Legitimate interest
b) Purposes of the processing To manage the accesses and powers of highly trusted operators in accordance with security levels.
c) Collective ANF AC staff.
d) Categories of Data. Data of the authorised operators in ANF AC. Name, surname, mobile phone, IP communication, technical data (browser, version, OS), day and time of accesses, hierarchical level, type of credentials required for authentication (login hash password, electronic certificate).
e) Origin of the data The data subject himself/herself
f) Recipient category The ANF AC organisation itself, auditors, supervisory authority, clients, legal and fiscal obligation.
g) International transfers International transfers of data are not foreseen.
h) Period of deletion The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY
k) EIPD - RESULT ANF AC 12 - Date: 02/02/2020 - Result risk level: low


24 Register of PKI operators. - AC



a) Legal basis Legitimate interest
b) Purposes of the processing To manage the accesses and powers of highly trusted operators in accordance with security levels.
c) Collective ANF AC staff.
d) Categories of Data. Data of the authorised operators in ANF AC. Name, surname, mobile phone, IP communication, technical data (browser, version, OS), day and time of accesses, hierarchical level, type of credentials required for authentication (login hash password, electronic certificate).
e) Origin of the data The data subject himself/herself
f) Recipient category The ANF AC organisation itself, auditors, supervisory authority, clients, legal and fiscal obligation.
g) International transfers International transfers of data are not foreseen.
h) Period of deletion The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY
k) EIPD - RESULT ANF AC 12 - Date: 02/02/2020 - Result risk level: low


25 RDE operators' register. – AC



a) Legal basis Legitimate interest
b) Purposes of the processing To manage the accesses and powers of highly trusted operators in accordance with security levels.
c) Collective ANF AC staff.
d) Categories of Data. Data of the authorised operators in ANF AC. Name, surname, mobile phone, IP communication, technical data (browser, version, OS), day and time of accesses, hierarchical level, type of credentials required for authentication (login hash password, electronic certificate).
e) Origin of the data The data subject himself/herself
f) Recipient category The ANF AC organisation itself, auditors, supervisory authority, clients, legal and fiscal obligation.
g) International transfers International transfers of data are not foreseen
h) Period of deletion The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY
k) EIPD - RESULT ANF AC 12 - Date: 02/02/2020 - Result risk level: low


26 Register of qualified validations. – AC



a) Legal basis Legitimate interest
b) Purposes of the processing ANF AC as a Qualified Trust Service Provider must carry out a proper management and administration of the requests and is therefore required to keep a record of the qualified validations
c) Collective Customers of the service contracted to ANF AC
d) Data categories. Customers of the service contracted to ANF AC. Content required by the legislation on qualified certificates and those expressly requested by the data subject to be included. Information verification reports.
e) Origin of the data The data subject himself/herself and third party sources consulted to verify the veracity of the information.
f) Recipient category The ANF AC organisation itself, auditors, control authority, clients, legal and fiscal obligation.
g) International transfers International transfers of data are not foreseen.
h) Period of deletion The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY
k) EIPD - RESULT ANF AC 13 - Date: 02/02/2020 - Result risk level: low


27 Multi-validation platform. - AC



a) Legal basis Legal obligation. eIDAS Regulation, Article 33, Qualified Validation Service for Qualified Electronic Signatures.
b) Purposes of processing ANF AC as a Qualified Trust Service Provider, performs the validation of electronic certificates of ANF AC and other CAs.
c) Collective Customers of the service contracted from ANF AC.
d) Data categories. Customers of the service contracted to ANF AC. Content required by the legislation on qualified certificates and those expressly requested by the data subject to be included. Information verification reports, validation reports.
e) Origin of the data The interested parties themselves and third party sources consulted to verify the veracity of the information.
f) Target category The ANF AC organisation itself, auditors, control authority, clients, legal and fiscal obligation.
g) International transfers International transfers of data are not foreseen.
h) Period of deletion The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY
k) EIPD - RESULT ANF AC 13 - Date: 02/02/2020 - Result risk level: low


28 Register contact forms Web. – AC / EC



a) Legal basis Legitimate interest
b) Purposes of the processing ANF AC, in its general activity, offers on its website the possibility for persons or companies interested in establishing contact with ANF AC to register in electronic forms published on different pages of its website, according to type of interest (working at ANF AC, commercial interest, etc.).
c) Collective. Persons with some kind of interest in ANF AC.
d) Data Categories. First and last name, telephone number, email address, company to which they belong, comments.
e) Origin of the data The data subjects themselves.
f) Recipient category The ANF AC organisation itself.
g) International transfer International transfers of data are not foreseen.
h) Deletion period The data shall be kept for a period of three months, after which they shall be destroyed.
i) Security measures The technical security measures implemented correspond to those provided for in ISO 27001 and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD, Organic Law 3/2018 on data protection, legal regulations in this area and guidelines of the European Data Protection Committee are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 14 - Date: 02/02/2020 - Result risk level: low


29 Complaints and suggestions



a) Legal basis Legitimate interest
b) Purposes of the processing Recording and processing of complaints and suggestions submitted in relation to the performance of ANF AC in the provision of its services as a Qualified Trust Service Provider, and as a Certification Entity in the DPD-AEPD Scheme.
c) Collective. Persons who address ANF AC and ANF AC staff.
d) Data categories. First and last name, ID card, address, telephone number and signature.
Other data: those included in the complaint or suggestion.
e) Origin of the data The data subjects themselves: the person who contacts and the ANF AC operator who answers the call.
f) Target category The ANF AC organisation itself and, as appropriate, legal action, including criminal prosecution
g) International Transfer International transfers of data are not foreseen.
h) Deletion period The data shall be kept for the time necessary to comply with the purpose for which they were collected and to determine any possible liabilities that may arise from said purpose and from the processing of the data. The provisions of the legislation on archives and documentation shall be applicable.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001 and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD, Organic Law 3/2018 on data protection, legal regulations in this area and guidelines of the European Data Protection Committee are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 15 - Date: 02/02/2020 - Result risk level: low


30 Visitor registration. – AC / EC



a) Legal basis Legitimate interest
b) Purposes of processing Access control to ANF AC premises. ANF AC carries out an activity that requires privacy and its assets must be protected. All of this requires control of the persons accessing the organisation's facilities
c) Collective. Persons requesting access to the facilities of ANF AC and ANF AC staff.
d) Data Categories. First name and surname, DNI/NIF/company represented and signature.
Other data: day and time of entry/exit
e) Origin of the data The data subjects themselves.
f) Target category The ANF AC organisation itself
g) International transfer International transfers of data are not foreseen.
h) Deletion period The data will be kept for a period of three months, after which time the data will be destroyed unless the organisation so requires.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001 and security standards related to ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance. The provisions of the RGPD, Organic Law 3/2018 on data protection, legal regulations in this area and guidelines of the European Data Protection Committee are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 16 - Date: 02/02/2020 - Result risk level: low


31 Register of data processors. – AC / EC



a) Legal basis Compliance with legal obligation. Art. 28 point 3 of the RGPD.
b) Purposes of the processing ANF AC, in its general activity, engages the services of third party organisations that collaborate in the processing of data. With all of them it has signed the corresponding contract as data processor.
c) Collective. Entities collaborating in the processing of data contracted by ANF AC
d) Categories of Data. Name and surname of the Director responsible, telephone, email
Company name, address, telephone, email
Service provision contract
Adequacy analysis (Art. 28.1)
e) Origin of the data The data subjects themselves.
f) Recipient category Own ANF AC organisation and compliance with legal obligation
g) International Transf. International data transfers are not foreseen.
h) Period of deletion The data shall be kept for a period necessary to fulfil the obligations assumed, and the period required to be able to prove it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001 and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD, Organic Law 3/2018 on data protection, legal regulations in this area and guidelines of the European Data Protection Committee are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 17 - Date: 02/02/2020 - Result risk level: low


32 CCTV System Registration



a) Legal basis Legitimate interest
b) Purposes of the processing Access control to the premises of ANF AC. ANF AC carries out an activity that requires privacy and its assets must be protected. All of this requires control of the persons accessing the organisation's facilities
c) Collective. Persons accessing the organisation's premises.
d) Data Categories. Image captures and real-time surveillance system without image recording.
e) Data origin The data subjects themselves.
f) Target category The ANF AC organisation itself
g) International transfer International transfers of data are not foreseen.
h) Period of deletion The data will be kept for a period of one month, after which time the data will be destroyed unless the organisation needs to do so.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001 and security standards related to ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.

Regulatory compliance. The provisions of the RGPD, Organic Law 3/2018 on data protection, regulations, and guidelines indicated in the legal reports on this matter published by the AEPD are respected:

https://www.aepd.es/media/informes/informe-juridico-rgpd-grabacion-de-imagenes-y-voz-proporcionalidad.pdf
https://www.aepd.es/media/informes/informe-juridico-rgpd-camaras-en-tiempo-real.pdf

Risk analysis has been performed with a low risk level result.

j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT EIPD 19 - Date: 01/02/2020 - Result risk level: low


33 Register of Training Centres. – EC



a) Legal basis Execution of a contract. GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller. General Data Protection Regulation.
b) Purposes of the processing ANF AC as a Certification Entity in accordance with the AEPD-DPD Certification Scheme, must manage a register of Training Centres with which it has signed a contract and whose training syllabus it has accredited. The training entities must be published on the ANF AC website.
c) Collective. Training entities whose training syllabus has been accredited by ANF AC.
d) Data categories. Name and surname of the Director of the Centre, telephone, email
Name and surname(s) of the teacher(s), telephone, email
Qualifications of teachers
Professional experience of the teachers
Incidences and complaints file.
AEPD-DPD Certification Scheme compliance monitoring file.
e) Origin of the data The data subjects themselves and third party sources consulted to obtain references and verify the veracity of the information.
f) Target category Public in general and specifically the AEPD.
g) International Transf. International transfers of the data are not envisaged.
h) Period of deletion The data shall be kept for a period necessary to fulfil the obligations assumed, and the period required to be able to prove it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 20 - Date: 02/02/2020 - Result risk level: low


34 Registration Committee of Experts. – EC



a) Legal basis Execution of a contract GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or for the implementation at his or her request of pre-contractual measures. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller. General Data Protection Regulation.
b) Purposes of the processing ANF AC as a Certification Entity in accordance with the AEPD-DPD Certification Scheme, must have a Committee of Experts made up of representative entities, each entity has one or more persons representing it. ANF AC has subscribed the corresponding contractual commitment in accordance with its internal regulations.
c) Collective. Training entities whose training syllabus has been accredited by ANF AC.
d) Data categories. First name and surname, company to which it belongs, telephone number, e-mail address.
e) Origin of the data The interested parties themselves.
f) Recipient category The ANF AC organisation itself, AEPD, ENAC and members of the group itself
g) International Transfers International transfers of data are not foreseen.
h) Deletion period The data shall be kept for the period necessary to fulfil the obligations assumed, and the period required to be able to prove it.
i) Security measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 21 - Date: 02/02/2020 - Result risk level: low


35 Register of Suppliers (contact persons). – AC / EC



a) Legal basis Contractual performance obligation.
b) Purposes of the processing ANF AC has a register of suppliers, which makes it possible to identify the organisations with which it has a contractual relationship and the contact persons.
c) Collective. Customers (natural person) and legal representatives of organisations with legal personality.
d) Categories of Data. Contact details of the client organisation, its representatives, consumption information, statistical data, accounting information.
e) Origin of the data Own organisation
f) Target category The ANF AC organisation itself, auditors, supervisory authority, clients, legal and fiscal obligation.
g) International transfers International transfers of data are not foreseen.
h) Deletion period The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY
k) EIPD - RESULT EIPD 22 - Date: 01/02/2020 - Result risk level: low


36 Register of DPD candidate registrations. – EC



a) Legal basis Execution of a contract
b) Purposes of the processing This is the preliminary step for assessing applications made by candidates for the DPD examination. This is a requirement established in the DPD-AEPD Certification Scheme and which ANF AC has formally assumed before the AEPD.
c) Collective. Candidates for Certified DPD, who submit their application to ANF AC.
d) Data Categories. First name and surname, ID card or other identification document. Special categories of data: data corresponding to disability requiring adaptation of the examination. Personal data: address, telephone, email. Academic and professional data: qualifications, training and professional experience. Details of employment and professional experience in data protection. Data relating to other prerequisites - DPD training certificate. Examination registration application details. Report of references made to third party sources for verification of data.
e) Data source The stakeholders themselves and possible references in third party sources carried out by ANF AC to check the information.
f) Target category The organisation itself, the ANF AC assessor, the expert committee in case of assessment, the AEPD and ENAC.
g) International transfers International transfers of data are not foreseen.
h) Deletion period For the entire period required to process the provision of the service, and the period necessary to accredit the correct provision of the same to whoever is responsible.
i) Security measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 24 - Date: 02/02/2020 - Result risk level: low


37 DPD Candidate Examination Register. – EC



a) Legal basis Execution of a contract
b) Purposes of processing To manage the participation of DPD candidates who have taken part in ANF AC exams. This register allows the administration of the examinations taken in order to deal with possible appeals and to accredit compliance with the obligations established in the DPD-AEPD Certification Scheme.
c) Collective. Certified DPD Candidates, who have taken an examination at ANF AC.
d) Data Categories. Pseudonymised data subject
- Candidate id code
- Assessor id code
- Expert id code of the expert assessing the appeal
- Examination carried out
- Evaluation result
- Review and appeal, and the reports generated by the assessors and, if applicable, by the appeal expert.
e) Data source The stakeholders and evaluators themselves.
f) Target category The organisation itself, the evaluator, the Committee of Experts in case of evaluation, the AEPD and ENAC.
g) International Transfer The organisation itself, the evaluator, the Committee of Experts in the case of evaluation, the AEPD and ENAC.
h) Deletion period During the entire period required to process the provision of the service, and the period necessary to accredit the correct provision of the service to whoever is responsible.
i) Security measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 24 - Date: 02/02/2020 - Result risk level: low


38 Register of certified DPDs. – EC



a) Legal basis Execution of a contract
GDPR: 6.1(b) Processing necessary for the performance of a contract to which the data subject is a party or for the implementation at the data subject's request of pre-contractual measures.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller. General Data Protection Regulation
b) Purposes of the processing To comply with the obligation established by the DPD-AEPD Certification Scheme and which ANF AC has formally assumed before the AEPD.
c) Collective. Data protection officers certified by ANF AC.
d) Data categories. First and last name, ID card, address, and telephone number. Academic and professional data: Qualifications, training and professional experience. Details of employment and professional experience in data protection. Register of complaints, reports drawn up on the activity of data subjects as a result of complaints,

Complaints and claims file.

File of renewals in accordance with the AEPD-DPD Certification Scheme.
e) Origin of the data The data subjects themselves and third party sources consulted in compliance with the obligations assumed by ANF AC.
f) Target category Specifically AEPD and the general public.
g) International transfers International transfers of the data are not foreseen.
h) Time limit for deletion When your data are no longer necessary to determine responsibilities in relation to your professional performance, and the accreditation of compliance with the obligations of ANF AC.
i) Security measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 24 - Date: 02/02/2020 - Result risk level: low


39 Evaluator Registration



a) Legal basis Execution of a contract
GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or for the implementation at his or her request of pre-contractual measures.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller. General Data Protection Regulation.
b) Purposes of the processing ANF AC must hire independent evaluators, with the appropriate experience and training to carry out the review and assessment of DPD candidates, in accordance with the DPD-AEPD Certification Scheme.
c) Collective. Assessors accredited by ANF AC
d) Data categories. First and last name, ID card, address and telephone number. Academic and professional data: Qualifications, training and professional experience. Details of employment and professional experience in data protection.
e) Origin of the data The data subjects themselves, the person contacting and the ANF AC operator answering the call.
f) Target category The ANF AC organisation itself, AEPD and ENAC.
g) International transfers International transfers of data are not foreseen.
h) Time limit for deletion When your data are no longer necessary to determine responsibilities in relation to your professional performance, and the accreditation of compliance with the obligations of ANF AC.
i) Security measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY.
k) EIPD - RESULT ANF AC 25 - Date: 02/02/2020 - Result risk level: low


40 Termination Plan



a) Legal basis Fulfilment of a legal obligation. Art. 24.2, i) of the eIDAS Regulation and Art. 21 of the Spanish Law on Electronic Signatures.
b) Purposes of processing Treatment operations aimed at compliance with the Cessation Plan.
c) Collective. Users of ANF AC's PCSC services.
d) Data Categories. Data identifying users of PCSC services and operators.
e) Origin of the data The data originate directly from the data subjects.
f) Category of recipients The ANF AC organisation itself, the client organisations from which the data subject is requesting, other PCSCs, auditors, supervisory authority, legal and tax obligation.
g) International Transfer International transfers of data are not foreseen.
h) Deletion period The data shall be kept for the period necessary to fulfil the obligations assumed, and the period required to be able to prove it.
i) Security measures The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on Data Protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY
k) EIPD - RESULT ANF AC 26 - Date: 02/02/2020 - Result risk level: low


41 Access audit log



a) Legal basis Legitimate interest
b) Purposes of the processing ANF AC, as a Qualified Trust Service Provider, must carry out appropriate access management and administration to ensure security. Whenever someone uses a credential to identify themselves on the platform (login), an audit is carried out as part of access control.
c) Collective Customers, ANF AC staff
d) Data categories. Account involved, Platform, Type of access, Day and Time, Access Attempts, Success/Failure, IP, OS and Browser, Geographical location (if possible).
e) Origin of the data The data subject himself/herself.
f) Category of recipients The ANF AC organisation itself, auditors, supervisory authority, clients, legal and fiscal obligation
g) International transfers International transfers of data are not foreseen.
h) Period of deletion The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level.
j) Responsible entity ANF CERTIFICATION AUTHORITY
k) EIPD - RESULT EIPD - Date: 01/02/2020 - Result risk level: low


42 Register of job applications



a) Legal basis Consent of the data subject. (Article 6.1 a) of the RGPD.)
b) Purposes of the processing To register job applications at ANF AC, store CVs and consult them for HR in order to comply with the data subject's application.
c) Collective Users outside ANF AC
d) Data categories. First name and surname, e-mail address and curriculum vitae which may contain other information in addition to special category data even though it is not in the interest of the data controller to process the latter.
e) Origin of the data The data subject himself/herself
f) Recipient category The ANF AC organisation itself, auditors, supervisory authority, customers, legal and tax obligation.
g) International transfers International transfers of data are not foreseen.
h) Deletion period The data shall be kept for a period of one year, which is the period necessary to meet the obligations assumed and the period required to be able to accredit it.
i) Security measures. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. Risk analysis has been carried out.
j) Responsible entity ANF CERTIFICATION AUTHORITY
k) EIPD - RESULT Under evaluation.



ACCESS TO THE DATA PROCESSING LISTS OF OUR PLATFORMS: