eID eSign® App
eID eSign® App
Through the ANF AC website or applications, no personal data of users are collected without their knowledge. No data is disclosed to third parties except when a disclosure is necessary to comply with applicable law, or other legal or judicial requirements or audit.
Si pulsa sobre un enlace publicado en nuestra Plataforma para acceder a otro sitio Web, tenga en cuenta que el dueño del otro sitio web tendrá su propia Política de Privacidad. Le recomendamos que lea su política, ya que no somos responsables por lo que sucede en ese sitio.
If you have any questions or concerns about this Statement, or any concerns about the way in which we process your personal information, or simply wish to confirm whether we process your personal data, or require assistance in exercising your data protection rights, you may contact our Data Protection Officer,
- E-mail to firstname.lastname@example.org
- Tfno. +34 932 662 614
In addition, if you consider that your request has not been adequately addressed, you can send your complaint to the Spanish Data Protection Agency (AEPD), https://anf.es/registro-de-actividades-tratamiento-de-datos/
For the purposes of the legislation on data protection,
- ANF AC, is responsible for the processing in those personal data processing in which it assumes the responsibility for the collection of information, determines the purpose of the processing and the legal basis that legitimizes it. In particular, all those treatments relating to: customers, suppliers, Partners, OVP or AR operators, DPD candidates, teachers, students of the ANF AC Campus, examiners, supervisors, members of the Committee of Experts, auditors, face-to-face visits, telephone consultation, recipients, newsletter, CV of job applicants, participants in surveys, employees or freelance collaborators.
- ANF AC, is co-responsible for the processing when it receives data from a data controller in order to provide a service that involves the collection of data from other persons, and involves determining the purpose of the processing and the legal basis that legitimizes it. In particular, but not limited to: certified delivery service, certificate and electronic signature validation service, remote identification proof service.
- ANF AC is a processor when it receives data from a controller in order to provide a service whose purpose and legitimacy of the processing of personal data is the decision of the client responsible for the processing. In this intervention, the relationship between ANF AC as processor is established by the corresponding contract. In particular, but not limited to: document storage service, electronic signatures and seals, certified digitalization service and VAT recovery services.
Declaration of responsibility of the General Management of ANF AC,
F. Díaz Vilches
CEO of ANF AC
Headquarters where data processing is performed,Gran Vía de les Corts Catalanes, 996 planta 4ª Barcelona -08018- España
Attention to the public
Monday - Friday
de 9:00 a 14:00 de 15:00 a 18:00
The information we collect and how we do it may vary depending on the products and services used and to which the interested party subscribes and the tools used, also how you have interacted in any of our web platforms, e.g. registering on our Website to request a certificate or a service of ANF AC, or using the services of one of our On-Site Verification Offices, or even using this mobile application.
Also, it is convenient to remind you that some of our services have a specific Privacy Statement, in case you hire or use one of these services, please consult the corresponding privacy statement beforehand.
LThe data we collect and the sources of collection are recorded in the Register of Processing Activities (RAT).
In addition, in this eID eSIGN® application you will find a detailed detail of the information collected automatically "Audit Trails" and "App Description".Category of data
We do not collect or process information from minors, nor information that can be classified as sensitive data categories. It should be noted that;
- The capture of photographs, the recording of a video call and, in particular, the collection of the image of the face obtained from the eDNI, are not used to identify the data subject, but to compare the correspondence of his identity with the documents that identify him. The aim is to avoid any identity theft/impersonation by third parties. In addition, the recording of a video call or telephone call may be used to confirm or reject an adherence to terms and conditions or contractual clauses, or even to confirm or deny an intervention by the person concerned. E.g., the recognition of his signature on the document that is shown or consulted, in any case the interested party will be previously informed and warned that his answer has legal effects.
- The collection of the digitalized signature of the eDNI and the obtaining of the graphometric / biometric signature made by the interested party through this application, is intended to obtain legal evidence to confirm that the interested party gave his express consent, and / or adhered to the content of a contract or other type of document. In this process the behavior pattern (dynamics, inclination, pressure, etc.) is not captured, nor is the information used as an identification tool.
ANF AC does not process information classified as highly sensitive such as: health, sexual orientation, union membership, religion or race.
ANF AC only collects the data minimally necessary for the performance of the treatment. The corresponding classification is recorded in the Register of Processing Activities
Correct / Update
Our goal is to have accurate and updated information. If you consider that the personal data we process does not correspond to reality, we would be grateful if you could inform us.
- E-mail to email@example.com
- Tfno. +34 932 662 614
In order to make corrections and informative updates, we need documentation that proves the reliability of the required changes.
The purpose of the processing of personal data corresponds to each of the processing activities carried out by ANF AC. The legal basis that legitimizes them is published in the Register of Processing Activities (RAT), https://anf.es/registro-de-actividades-tratamiento-de-datos/
In general, it is worth mentioning:Fulfillment of a contract
We need to collect your data and perform a treatment of the same, to comply with the services or products that you have contracted us.Fulfillment of a legal obligation
Much of our activity is framed by laws that we must comply with. The legal framework imposes us the collection of certain data and its treatment, it can even determine the obligation of data transfer. For example, a court order.
When the legal basis for the processing is the fulfillment of a legal obligation, we detail the rule and article in question.
We have a legitimate interest in collecting the information necessary to manage our networks and to understand the use made of them. We must ensure their protection and manage the transactions carried out through them. E.g., logging of LOGs, control of repeated accesses from the same IP in order to determine possible attacks such as DDoS. Or, logging of traceability in certified deliveries (IP, time, etc.) in order to obtain legal evidence of the service provided.
Much of our activity requires the development of internal and external audits that certify compliance with the rules and regulations to which we are subject. ANF AC has a legitimate interest in collecting, preserving and performing an adequate treatment that accredits our compliance with the rules and standards that we must comply with. Even giving access to external auditors.
ANF AC has legitimate interest in keeping you informed about our new products and services, as well as news that we deem of interest according to your profile. All our commercial or marketing information is related to our activity and the relationship we maintain with the interested parties. It is predictable information that will not cause surprise or concern to the recipient.
Remember that opting out of interest-based advertising will not prevent ads from being displayed on ANF AC's corporate website - but they will not be tailored to your interests. ANF AC has reached agreements with entities with Facebook or Google for the performance of online advertising activities, but in no case we have provided personal information.
We use a variety of analytical methods including "Big Data" research and procedures. Big Data is a mathematical technique that allows us to analyze large volumes of data to find hitherto unrevealed patterns and trends. At ANF AC we take very seriously this type of analysis, which is governed by the maxim of full compliance with current regulations and respect for the principle of transparency. In these analyses we only use anonymized and aggregated data so that it is not possible to associate such information with identifiable individuals.
In our Big Data service we obtain anonymized and aggregated reports from third parties that provide them to us. We assure you that it is not possible to link such information to you, nor to any other natural person. For these reports, it must be information generated with at least 15 records as an unavoidable requirement. In no case we aggregate our data to third parties.
Our policy for these initiatives aims to go even further than what is required by law and, in order to comply with our duty of transparency, requires the obligation to provide you with the possibility to express your wish not to have your data taken into account in Big Data initiatives, which you can do at the time of contracting the services, or by communicating it by any telematic or physical means that we make available to you.
We may perform statistical analysis and market research, including monitoring how customers use our networks, products and services anonymously or personally.
ANF AC guarantees the confidentiality of the data collected. No transfer of personal data to third parties is made except,
- Judges and courts, government agencies or other public authorities in case of legal obligation or authorization.
- Third parties where such disclosure is necessary to comply with applicable law or other legal or judicial requirements.
- Inspections conducted by AEPD, or audits conducted by ENAC or external auditors.
- Emergency services in the vital interest of the data subject.
- Third party companies and service providers insofar as their intervention is necessary for the provision of service to ANF AC, acting as data processors in accordance with the instructions issued by ANF AC, being the relationships contractually formalized.
- In addition, for an adequate treatment of the personal data of users, they can be treated within the scope of the companies of the ANF AC Group.
- We will communicate your information, in a reasonable manner, in order to protect us against fraud, defend our rights or our property or protect the interests of our customers.
- We may also need to disclose your information to comply with our obligations to comply with the legal requirements of the authorities. Your personal data should only be provided when we believe in good faith that we are required to do so by law and based on a thorough assessment of all legal requirements.
TThird parties we work with
- When you purchase products and services from ANF AC through a Registration Authority, On-Site Verification Office, or other collaborating organization, we often exchange information with them as part of that relationship and for the purpose of managing your account - for example, to be able to identify your order and to be able to pay those third parties.
Mergers and Acquisitions
- EIn the event that ANF AC is involved in any corporate movement or sale of the contracted activity, if necessary to continue providing services to you, we may provide your data to third parties involved in the merger or acquisition transaction.
We may need to transfer your information to ANF AC Group companies or service providers in countries outside the European Economic Community (EEC), however this transfer will always be made to countries recognized by the EU Commission with adequate security level, or with certified companies that comply with agreements approved by the Commission, e.g. Privacy Shield.
Countries with adequate security level
- Switzerland. Commission Decision 2000/518/EC of 26 July 2000.
- Canada.*Commission Decision 2002/2/EC of December 20, 2001, with respect to entities subject to the scope of application of the Canadian Data Protection Act.
- Argentina. Commission Decision 2003/490/EC of June 30, 2003.
- Guernsey. Commission Decision 2003/821/EC of November 21, 2003.
- Isle of Man. Commission Decision 2004/411/EC of 28 April 2004.
- Jersey. Commission Decision 2008/393/EC of 8 May 2008.
- Feroe Islands. Commission Decision 2010/146/EU of 5 March 2010.
- Andorra. Commission Decision 2010/625/EU of October 19, 2010.
- Israel.Commission Decision 2011/61/EU of January 31, 2011.
- Uruguay. Commission Decision 2012/484/EU of 21 August 2012.
- New Zealand. Commission Decision 2013/65/EU of 19 December 2012.
- United States. Applicable to entities certified under the EU-US Privacy Shield. UNITED STATES. Commission Decision (EU) 2016/1250 of 12 July 2016.
- Japan. Decision of January 23, 2019.
* PIPED Act (Personal Information Protection and Electronic Documents Act).
Federal Privacy Act for private sector organizations in Canada.
If ANF AC needs to send your information to a country that is not part of the EEC or is not included in the list of countries recognized by the EU Commission, we will previously inform you outlining the risks involved in the transfer, we will ensure that your information has adequate security measures, we will require the third party to sign a legal agreement that reflects these standards and recognizes your rights and the effective exercise of them. In addition, if necessary, we will request prior authorization from the Spanish Data Protection Agency (AEPD) in order to be authorized to carry out the international transfer.
The conservation of this evidence is intended to guarantee the rights of the interested parties, to accredit the correct intervention of ANF AC, and to facilitate, if necessary, the performance of audits or judicial expertise.
The personal data provided will be retained for the time necessary to fulfill the purpose for which they are collected, and to determine the possible responsibilities that may arise from the purpose. In addition, it is taken into account the periods established in the archives and documentation regulations.
Whenever possible, ANF AC establishes retention periods that are accessible in the Register of Processing Activities (RAT), https://www.anf.es/en/registro-de-actividades-tratamiento-de-datos/
From a general point of view, all ANF AC computer systems have security measures for the protection of information. The objective is to guarantee the full availability of the information to the interested parties, prevent any undue modification by safeguarding its integrity, and only allow access to authorized persons. All new treatment respects privacy from the design.
ANF AC, submits all its computer systems and organizational means to internal audits and independent auditors against norms and standards of the highest international prestige, we have achieved certifications in accordance with the following standards: ETSI standards corresponding to Regulation (EU) eIDAS, ISO 9001, ISO 27001, ISO 17024, ISO 14001. All certifications and compliance audits obtained by ANF AC are published on our website.
In addition, ANF AC has performed for each treatment a Data Protection Impact Assessment (DPA), with a result of risk level - low - with the application of the corresponding safeguards. In no case ANF AC performs data processing that is not at a low risk level, or on which authorization has been received from the AEPD to assume a higher risk, after performing the corresponding -prior consultation- established in the Regulation (EU) 679/2014 General Data Protection (RGPD).
Generally our services use additional security measures to those publicly disseminated. These additional security measures may vary depending on the service offered, more information is available in the policies corresponding to such services, and do not hesitate to consult us to clarify any issue of your interest.
In some cases, you may be required to register for a particular activity, e.g. a survey, a complaint, or to obtain a particular service. It is possible that part of this registration process consists of the choice of a personal password -PIN-. ANF AC reminds you that you must protect your personal password, especially if it is a PIN (signature activation data). ANF AC in no case stores passwords or PINs, nor has the opportunity to do so; ANF AC uses technology based on SHA256 hash algorithms, which allows performing control processes without the need to have the original key for verification. In case of loss or forgetfulness, ANF AC can only facilitate the restoration of your password, but in the case of PIN it is not even possible to restore it.
ANF AC, by default, activates the configuration of the services at the maximum security level, any action that reduces or limits the security configuration falls under your exclusive responsibility. It is particularly serious if you allow others to access your account, give up the use of your signature device or disclose to third parties your personal password or PIN.
All products and services distributed by ANF AC are configured according to the privacy by default principle. If you disable the security measures included in our products, you do so under your sole responsibility.
ANF AC rejects any responsibility or liability caused by your decision or negligence to breach the required security standards.
Any person has the right to obtain confirmation about the processing that ANF AC performs on their personal data. ANF AC will facilitate to all interested parties the exercise of their rights diligently and free of charge.
The persons affected by data processing carried out by ANF AC, have the right to:
- Request free access to their personal data.
- Request its rectification.
- Request deletion.
- Request the limitation of its processing.
- Oppose the processing.
- Request data portability.
Interested parties may access their personal data, as well as request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. In certain circumstances, interested parties may request the limitation, opposition to the processing and portability of their data. It is reported that the exercise of any right may hinder the legal basis on which the treatment is based, if necessary, appropriate legal measures will be taken. In case of doubt, our Data Protection Delegate will be pleased to answer any questions you may have.
The interested parties if they consider that the processing of personal data concerning them violates the Regulation, have the right to receive attention and assistance from our Data Protection Officer, to file a complaint with the supervisory authority, in this case, the Spanish Data Protection Agency. And also to exercise their right to effective judicial protection.
In case of security incidents that may affect the data subjects whose data we keep, ANF AC undertakes to inform and advise them adequately.
Exercise of Rights
ANF AC, makes available to all interested parties the following means to exercise their rights,
Request sent by mail or personal visit to,
- ANF Certification Authority
- Gran Vía de les Corts Catalanes, 996 planta 4ª Barcelona -08020- España
Telephone call requesting for our Data Protection Officer,
- +34 932 661 614
An electronic form is available on our website,https://anf.es/en/activity-log-data-processing/
By legal imperative you must prove your identity,
- In the case of written request include a photocopy of your ID card, or equivalent legal document.
- In the case of a personal visit, you must show an original and valid ID card or equivalent legal document.
- In case of representation you must have sufficient legal power of attorney.
- If you contact by phone, follow the instructions of our staff, please note that you must be able to access your email account and / or cell phone that you provided at the time of collecting your data.
- If you choose to fill out the electronic form available on our website, you must provide a digital copy of your ID card or equivalent legal document.
- If you do not wish to use our electronic form, you are free to write your request and send it by e-mail.
This document includes the section EXPLANATION OF YOUR RIGHTS, we recommend you to read it when you wish to exercise any of them. In addition, our Data Protection Officer (DPD) will provide you with all the assistance you need to effectively exercise your rights. The exercise of your rights and the support of our DPD is free of charge.
Also, if you wish, you can exercise your rights through a third party representative. Your representative must formally prove this legal capacity, either by notarized power of attorney or document issued and signed by you, including a photocopy of your ID card, or equivalent legal document.
In case you consider that we have not intervened with sufficient diligence or that we have infringed your rights, you may file a complaint with the Spanish Data Protection Agency (AEPD), https://anf.es/registro-de-actividades-tratamiento-de-datos/
In addition, the AEPD provides you with information about your rights, https://anf.es/registro-de-actividades-tratamiento-de-datos/
And, a catalog of common questions at, https://anf.es/registro-de-actividades-tratamiento-de-datos/
EXPLANATION OF YOUR RIGHTS
RIGHT OF ACCESS:
By exercising this right, you request that the right of access to the data processing carried out by the organization be provided free of charge within a maximum period of one month from receipt of this request, that all the information related to Article 15 of the GDPR be sent to you at the above address by mail, in a legible and intelligible form and within the time limit indicated.UYou have the right to know:
- Whether or not we are processing personal data concerning you.
- The origin of your data, if not provided by you.
- The purposes of the processing of your data.
- The categories of data concerned.
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third parties or international organizations.
- If possible, the expected retention period of the personal data, or if not, the criteria used to determine this period.
- If automated decisions - including profiling - are made using your personal data, you are informed of the data that has been stored about the data subject.
RIGHT OF RECTIFICATION:
When exercising this right, the right of rectification is requested to be provided free of charge, in accordance with the provisions of Article 16 of the GDPR. It will be necessary to provide the corresponding supporting documents.
- You have the right to have your personal data accurate and current.
- By completing them, if they are incomplete.
- Updating or rectifying them, if they do not conform to the current reality or if they are inaccurate.
RIGHT OF DELETION:
By exercising this right, you request that the right of deletion, or right to be forgotten, be provided free of charge, in accordance with the provisions of Article 17 of the GDPR. This right can be exercised only if:
- The data are no longer necessary for the purposes for which they were collected or processed.
- If the processing was based on express consent, you withdraw your consent and the processing cannot be based on any other legal basis.
- You have previously successfully exercised your right to object to the processing of your data.
- The data have been processed unlawfully.
- The data must be deleted in order to comply with a legal obligation.
The above requirements do not apply if the processing is necessary for the following purposes:
- Exercising the right to freedom of expression and information.
- To comply with a legal obligation.
- For the performance of a task carried out in the public interest by the controller.
- For the formulation, exercise or defense of claims.
RIGHT TO THE LIMITATION OF PROCESSING:
When exercising this right, you request that we provide free of charge the right to the limitation of the indicated processing, in accordance with the provisions of Articles 18 and 19 of the GDPR. That is, that we keep them without using them for the intended purposes, provided that one of the following conditions is met:
- You request the rectification of your personal data, for a period of time that allows us, as the organization responsible for the processing, to verify the accuracy of the data.
- The processing is unlawful and you object to the deletion of the personal data, requesting instead the limitation of use.
- We no longer need your personal data for the purposes of the processing, but you need them for the formulation, exercise or defense of claims.
- If you have objected to the processing while we verify whether the legitimate grounds for processing outweigh your right.
When the processing of personal data has been limited, such data may only be processed, with the exception of their retention, with your consent, for the formulation, exercise or defense of claims, to safeguard the rights of another natural or legal person, or for reasons of essential public interest. Once the limitation of the processing has taken place, you will be informed before the lifting of such limitation.
RIGHT TO DATA PORTABILITY:
By exercising this right you request to be provided free of charge to the limitation of the indicated processing, in accordance with the provisions of Article 20 of the GDPR. We will make available to you the personal data you have provided in a structured, commonly used and machine-readable format. In addition,
- You will have the right to ask us to transmit them directly to another controller where this is technically possible.
You only have this right when:
- We are processing your personal data on the basis of your express consent, or. o
- the legal basis is the performance of a contract, and,
- provided that the processing is carried out by automated means.
RIGHT TO OBJECT:
By exercising this right you request to be provided free of charge to the limitation of the indicated processing, in accordance with the provisions of Articles 21 and 22 of the GDPR. By this right you require us to stop using your personal data.
You can exercise your right to object when the processing has our "legitimate interests" as a legal basis.
If the processing is based on your consent, you can withdraw it and obtain similar effects to the right to object.
RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISIONS:
Based on the processing of your personal data, including profiling.
You can object to being subjected to a decision that has legal effects or otherwise significantly affects you, provided that it was based solely on automated processing of your data and without human intervention.
If you have been subject to a decision of the type described and you disagree, you may request that we review the decision to seek human intervention, express your point of view, or otherwise challenge the decision.
You will not have the right to object when the decision made in an automated manner:
- Is necessary for the conclusion or performance of a contract to which you are a party,
- Is authorized by law and there are adequate measures in place to safeguard your rights and freedoms, or
- Is based on your explicit consent.
TIME LIMIT AND GUARDIANSHIP:
If within the period of one month, ANF Autoridad de Certificación does not communicate to you that it is not appropriate to meet all or part of the exercised right, it is mandatory that:
- The communication is motivated in order to, where appropriate, request the protection of the Spanish Data Protection Agency, under Article 57 of the RGPD.
- If prior to the claim before the Spanish Data Protection Agency, you consider that your rights have not been properly satisfied, you can request an assessment before the Data Protection Delegate.
- E-mail to, firstname.lastname@example.org
- Phone call requesting for our Data Protection Officer, Tfno. +34 932 661 614
For a personal visit, please make an appointment in advance.Gran Vía de les Corts Catalanes, 996 planta 4ª Barcelona -08018- España
Attention to the public
Monday - Friday
de 9:00 a 14:00 de 15:00 a 18:00
Our Data Protection Delegate will advise and assist you in exercising your rights. You can consult him by any of the above mentioned means.
You can submit your complaints through any of the following procedures:
Exercise your data protection rights at https://anf.es/registro-de-actividades-tratamiento-de-datos/
Data protection e-mail,
E-mail SAT Website
E-mail SAT products and services
For personal visit, please make an appointment in advance.
Gran Vía de les Corts Catalanes, 996 planta 4ª Barcelona - 08018 - España
Telephone: +34 932 661 614
Attention to the public
Monday - Friday
from 9:00 to 14:00 from 15:00 to 18:00
In ANF AC we subject to review all our computer systems and organizational resources to internal audits and external audits carried out by independent auditors of the highest international prestige.
The external audits are carried out with a maximum annual periodicity. ANF AC is certified in accordance with the following international norms and standards:
- ETSI standards corresponding to Regulation (EU) eIDAS.
- ISO 9001 Quality for CAs.
- ISO 27001 Management Systems and Information Security.
- ISO 17024 Certification of People.
- ISO 14001 Environmental Management.
All certifications and compliance audits obtained by ANF AC are published on our website. https://anf.es/registro-de-actividades-tratamiento-de-datos/
In addition, ANF AC has performed for each treatment a Data Protection Impact Assessment (DPA), having achieved a level of risk - low - with the application of the corresponding safeguards. In no case ANF AC performs data processing that are not at a low risk level, or on which authorization has been received by the AEPD to assume a higher risk, after performing the corresponding -prior consultation- established in the Regulation (EU) 679/2014 General Data Protection (RGPD).