Privacy Policy

Privacy Policy » Our Privacy Policy

 

Date of publication 02.11.2020
Version 1.4
1Our Privacy Policy.

ANF Autoridad de Certificación (ANF AC), registered in the Registro Nacional del Ministerio del Interior, número 171.443. CIF G-63287510, has prepared this Privacy Policy to inform about its commitment to the protection of personal data, and to describe the criteria concerning the collection, use, storage and disclosure of personal information obtained during visits to the site; personal information obtained during the visits to our web pages, or in the provision of the services carried out in this Web site (hereinafter, "Platform"), as well as the data that are collected in person in paper format, or in the use of the applications and services of ANF AC.

Through this website no personal data are collected from users without their knowledge. No data is disclosed to third parties except when a disclosure is necessary to comply with applicable law, or other legal or judicial requirements or auditing.

Through this website no personal data is collected from users without their knowledge.

If you click on a link posted on our platform to access another website, please note that the owner of the other website will have its own Privacy Policy. We recommend that you read their policy, as we are not responsible for what happens on their site.

REVIEW THIS PRIVACY POLICY BEFORE USING OUR WEBSITE OR ANY OF ANF AC'S APPLICATIONS OR SOLUTIONS. IF YOU DO NOT ACCEPT OUR PRIVACY POLICY DO NOT USE OUR WEBSITE OR OUR SERVICES, WE ONLY COLLECT THE INFORMATION NECESSARY TO PROVIDE THEM IN COMPLIANCE WITH APPLICABLE LAW, THEREFORE, WE WILL NOT BE ABLE TO PROVIDE THEM IN ADEQUATE MANNER. IF YOU PROVIDE ANY PERSONAL INFORMATION, WE UNDERTAKE TO COMPLY WITH THE TERMS OF THIS PRIVACY POLICY.

Periódicamente this Privacy Policy is reviewed in order to keep it permanently updated. We perform a versioning control and the date of publication is reviewed, which corresponds to its entry into force. When a revision of the document is made, during a three-month period the link is marked with the "New” in this case, please consult the changes made in order to determine their acceptance or rejection.

.

It should be noted that some of our services have a specific privacy statement that is complementary to this general Privacy Policy. Specifically you can access the specific statements at,

Specific privacy statements are available at,

.

https://www.anf.es/politica-de-privacidad-productos-servicios 

If you have any questions or concerns about this Privacy Policy, the specific disclosures, or any concerns about how your personal information may have been handled, or simply wish to confirm whether we are processing your personal data, or require assistance in exercising your data protection rights, you may contact our Data Protection Officer, 

.

 

- E-mail to delegadoprotecciondatos@anf.es

- Tfno. +34 932 662 614.

2Who is responsible for the processing of personal data?.

For the purpose of data protection legislation,

  • ANF AC, is responsible for the processing in those personal data processing in which it assumes responsibility for the collection of information, determines the purpose of the processing and the legal basis that legitimizes it. In particular, all those treatments relating to: customers, suppliers, Partners, OVP or AR operators, DPD candidates, teachers, students of the ANF AC Campus, examiners, supervisors, members of the Committee of Experts, auditors, face-to-face visits, telephone consultations, recipients, newsletter, CVs of job applicants, survey participants, employees or freelance collaborators.
  • ANF AC, is co-controller when it receives data from a data controller in order to provide a service that involves the collection of data from other persons, and involves determining the purpose of the processing and the legal basis that legitimizes it. In particular, by way of example only: certified delivery service, certificate and electronic signature validation service, remote identification proof service.
  • ANF AC, is processor when it receives data from a data controller in order to provide a service whose purpose and legitimacy of the processing of personal data is the decision of the client responsible for the processing. In this intervention, the relationship between ANF AC as data processor is established by means of the corresponding contract.
  • Declaration of responsibility of the General Management of ANF AC,

The personal data collected by ANF Autoridad de Certificación [ANF AC] or provided for the provision of a service, are treated confidentially, fulfilling the commitments set out in our Privacy Policy, and respecting the current legislation on data protection, and other regulations related to our activity.

F. Díaz Vilches
CEO of ANF AC

 

Headquarters where data processing is carried out,
Gran Vía de les Corts Catalanes, 996
4th floorª Barcelona -08018- España

Public service
Monday - Friday
from 9:00 to 14:00from 15:00to 18:00

3Personal information we collect about you.

The information we collect and how we collect it may vary depending on the products and services used and subscribed to by the data subject, as well as how you have interacted on any of our web platforms, e.g., registering on our Website to request commercial information, answering surveys, signing up for our mailing list, registering on our Website to request commercial information, answering surveys, subscribing to our mailing list, and so on. E.g. registering on our Website to request commercial information, answering surveys, subscribing to the Newsletter distribution list, interested in working at ANF AC, etc.

Also, it is convenient to remind you that some of our services have a specific Privacy Statement, in the event that hiring or using one of these services previously consult the corresponding privacy statement. 

And it is convenient to remind you that some of our services have a specific Privacy Statement, in the event that hiring or using one of these services previously consult the corresponding privacy statement.

The data we collect and the sources of collection are recorded in the Register of Processing Activities (RAT).

https://www.anf.es/registro-de-actividades-tratamiento-de-datos/

 

Data category

We do not collect or process information from minors, or information that can be classified as sensitive data categories, e.g., in the case of the use of a biomedical signature, we do not collect or process information from minors, or information that can be classified as sensitive data categories, e.g., in the case of the use of a biomedical signature. In the case of the use of biomedical signature, the behavioral pattern (dynamics, inclination, pressure, etc.) is not captured, nor is it used as an identification tool. Neither in the remote identification test service, the image collection is not used as an identification tool, only as a means of verifying the correspondence of the presence of the interested party with the identity document shown and its retention is only intended to prove the correct intervention of ANF AC.

ANF AC does not process information classified as highly sensitive such as: health, sexual orientation, union affiliation, religion or race.

ANF AC only collects the data minimally necessary for the performance of the processing. The corresponding classification is recorded in the Register of Processing Activities (RAT),

ANF AC only collects the data minimally necessary for the performance of the processing.

https://www.anf.es/registro-de-actividades-tratamiento-de-datos/

 

 

Data retention

The personal data provided will be kept for the time necessary to fulfill the purpose for which they are collected, and to determine the possible responsibilities that may arise from the treatment. In addition, account is taken of the periods established in the regulations on archives and documentation.

Whenever possible, ANF AC establishes retention periods, this information is accessible in the Register of Processing Activities (RAT),

https://www.anf.es/registro-de-actividades-tratamiento-de-datos/

 

 

Correct / Update

Our goal is to have accurate and up-to-date information. If you consider that the personal data we process does not correspond to reality, please inform us.

We aim to have accurate and up-to-date information.

- E-mail to delegadoprotecciondatos @anf.es

- Tel. +34 932 662 614.

- Tel.

For corrections and informative updates, we require documentation that proves the reliability of the required changes.

4How do we use your personal information?.

The purpose of the processing of personal data corresponds to each of the processing activities carried out by ANF AC. The legal basis that legitimizes them is published in the Register of Processing Activities (RAT),

.

https://www.anf.es/registro-de-actividades-tratamiento-de-datos/

 

Generally speaking it is worth mentioning:

 

 

Fulfillment of a contract

We need to collect your data and process it, in order to fulfill the services or products you have contracted with us.

 

Fulfillment of a legal obligation

Much of our activity is framed by laws that we must comply with. The legal framework imposes on us the collection of certain data and its processing, it can even determine the obligation to transfer data, e.g. court order.

Much of our activity is framed by laws that we must comply with.

External auditors, evidence that proves compliance A large part of our activity requires the preparation of internal and external audits that prove compliance with the rules and regulations to which we are subject. ANF AC has a legitimate interest in collecting, preserving and carrying out an adequate treatment that accredits our compliance with the rules and standards that we must comply with. Even giving access to external auditors.

 

Legitimate interest

We have a legitimate interest in collecting the information necessary to manage our networks and to understand how our networks are used. We must ensure their protection and manage the transactions carried out through them. For example, logging of LOGs, control of repeated accesses from the same IP in order to determine possible attacks such as DDoS. Or, logging of traceability in certified deliveries (IP, time, etc.) in order to obtain legal evidence of the service provided.

ANF AC has a legal interest in keeping you informed about our new products and services, as well as news that we deem of interest according to your profile. All our commercial or marketing information is related to our activity and the relationship we maintain with the interested parties. It is predictable information that does not cause surprise or concern in the recipient recipient.

In order to provide you with commercial information relevant to you, you may be able to view online advertising based on the use of cookies based on the accesses you have made on our website. This is known as interest-based advertising. The collection of user experience data may occur on our Website, on websites of other ANF AC Group companies, organizations and other online media such as social networks. If you do not want the information we collect through cookies to be used, please see our Cookie Policy to opt out of them.

Remember that opting out of interest-based advertising does not prevent ads from being displayed on ANF AC's corporate website– but will not be tailored to your interests. ANF AC has reached agreements with entities with Facebook or Google for the realization of online advertising activities, but in no case we have provided personal information.

We use a variety of analytics including research and “Big Data” procedures. Big Data is a mathematical technique that allows us to analyze large volumes of data to find hitherto unrevealed patterns and trends. At ANF AC we take very seriously this type of analysis, which is governed by the maximum of full compliance with current regulations and respect for the principle of transparency. In these analyses, we use only anonymized and aggregated data so that it is not possible to associate such information with identifiable individuals.

In our Big Data service we obtain anonymized and aggregated reports from third parties that provide it to us. We assure you that it is not possible to link this information to you or to any other natural person. For these reports, the information must be generated with at least 15 records as an unavoidable requirement. In no case we aggregate our data to third parties.
Our policy for these initiatives aims to go even further than what is required by law and, in order to comply with our duty of transparency, requires the obligation to provide you with the possibility to express your wish not to have your data taken into account in Big Data initiatives, which you can do at the time of contracting the services, or by communicating it by any telematic or physical means that we make available to you.
We may perform statistical analysis and market research, including monitoring how customers use our networks, products and services anonymously or personally.

5How do we share your personal information?

ANF AC, guarantees the confidentiality of the data collected. No assignment of personal data to third parties is made except,

 

General


  • Judges and courts, governmental agencies or other public authorities in case of legal obligation or authorization.
  • Third parties where such disclosure is necessary to comply with applicable law or other legal or judicial requirements.
  • Inspections performed by AEPD, or auditías performed by ENAC or external auditors.
  • Emergency services in the vital interest of the data subject.
  • Emergency services in the vital interest of the data subject.
  • Emergency services in the vital interest of the data subject.
  • Third party companies and service providers insofar as their intervention is necessary for the provision of service to ANF AC, acting as data processors in accordance with the instructions issued by ANF AC, the relationships being contractually formalized.
  • In addition, for an adequate treatment the personal data of the users, can be treated in the scope of the companies of the ANF AC Group.

Fraud control,

  • We will disclose your information, in a reasonable manner, in order to protect against fraud, defend our rights or property, or protect the interests of our customers.
  • We may also need to disclose your information in order to comply with our obligations to comply with the legal requirements of the Your personal data should only be provided when we, in good faith, believe that we are required to do so by law and in accordance with a thorough assessment of all legal requirements.

Third parties with whom we work

  • When you purchase ANF AC products and services through a Registration Authority, On-Site Verification Office, or other type of cooperating organization, we often exchange information with them as part of that relationship and for the purpose of managing your account – for example, to be able to identify your order and be able to pay such third parties.

Mergers and Acquisitions 

  • In the event that ANF AC is involved in any corporate movement or sale of the contracted activity, if necessary to continue providing services, we may provide your data to third parties involved in the merger or acquisition operation.

You can consult the recipients for each of the processing activities in the Register of Processing Activities (RAT),

https://www.anf.es/registro-de-actividades-tratamiento-de-datos/

 

6International Data Transfers.

We may need to transfer your information to ANF AC Group companies or service providers in countries outside the European Economic Community (EEC), however  this transfer will always be made to countries recognized by the EU Commission with adequate security level, or with certified companies that comply with agreements approved by the Commission, e.g. Privacy Shield. Privacy Shield. 

.

Countries with adequate level of security

  • Switzerland. Commission Decision 2000/518/EC of 26 July 2000.
  • Canada.* Commission Decision 2002/2/EC of 20 December 2001 with respect to entities subject to the scope of application of the Canadian Data Protection Act.
  • Argentina. Commission Decision 2003/490/EC, of June 30, 2003.
  • Guernsey. Commission Decision 2003/821/EC of 21 November 2003.
  • Isle of Man. Commission Decision 2004/411/EC of April 28, 2004.
  • Jersey. Commission Decision 2008/393/EC of 8 May 2008.
  • Faroe Islands. Commission Decision 2010/146/EU of 5 March 2010.
  • Andorra. Commission Decision 2010/625/EU of 19 October 2010.
  • Israel. Commission Decision 2011/61/EU of January 31, 2011.
  • Uruguay. Commission Decision 2012/484/EU of 21 August 2012.
  • New Zealand. Commission Decision 2013/65/EU, of December 19, 2012.
  • United States. Applicable to entities certified under the EU-US Privacy Shield. US. Commission Decision (EU) 2016/1250 of July 12, 2016.
  • Japan. Decision of January 23, 2019.

 

 

* PIPED Act (Personal Information Protection and Electronic Documents Act)

Federal privacy law for private sector organizations in Canadaá.

Federal privacy law for private sector organizations in Canada.

If ANF AC needs to send your information to a country that is not part of the EEC or is not included in the list of countries recognized by the EU Commission, we will inform you beforehand by outlining the risks involved; We will inform you in advance of the risks involved in the transfer, ensure that your information is adequately secured, require the third party to enter into a legal agreement that reflects these standards and recognizes your rights and the effective exercise of those rights. In addition, if necessary, we will request prior authorization from the Spanish Data Protection Agency (AEPD) to be authorized to carry out the international transfer.

7How long do we store your personal information?.

The personal data provided will be kept for the time necessary to fulfill the purpose for which they are collected, and to determine the possible responsibilities that may arise from the purpose. In addition, account is taken of the periods established in the regulations on archives and documentation.

Whenever possible, ANF AC establishes retention periods that are accessible in the Register of Processing Activities (RAT),

https://www.anf.es/en/registro-de-actividades-tratamiento-de-datos/

 

8Keeping your personal information safe.

General Aspects

From a general point of view, all ANF AC information systems have security measures for the protection of information. The objective is to guarantee the full availability of the information to the interested parties, prevent any undue modification by safeguarding its integrity, and only allow access to authorized persons. All new processing respects privacy from the design stage.

ANF AC, submits all its information systems and organizational means to internal audits and independent auditors against standards and standards of the highest international prestige, we have achieved certifications in accordance with the following standards: ETSI standards corresponding to Regulation (EU) eIDAS, ISO 9001, ISO 27001, ISO 17024, ISO 14001. All certifications and compliance audits obtained by ANF AC are published on our website.

All certifications and compliance audits obtained by ANF AC are published on our website.

https://www.anf.es/auditorias-de-conformidad/

In addition, ANF AC has carried out a Data Protection Impact Assessment (DPA) for each processing operation, having achieved a level of risk - low - with the application of the corresponding safeguards. In no case does ANF AC process data that is not at a low risk level, or on which authorization has been received from the AEPD to assume a higher risk, after performing the corresponding -prior consultation- established in the Regulation (EU) 679/2014 General Data Protection (RGPD).

 

Specific Services

Generally our services use additional security measures beyond those publicly disclosed. These additional security measures may vary depending on the service offered, more information is available in the policies corresponding to such services, and do not hesitate to consult us to clarify any question of your interest.


In some cases, you may need to register to perform a certain activity, P. (signature activation data). ANF AC in no case stores passwords or PINs, nor has the opportunity to do so; ANF AC uses technology based on digest algorithms -hash- SHA256 which allows performing control processes without the need to have the original key for verification. In case of loss or forgetting, ANF AC can only provide you with the restoration of your password, but in the case of PIN it is not even possible such restoration.


It is your sole responsibility to take any action contrary to the security rules, especially if you allow others to access your account, give up the use of your signature device, or give out your personal password or PIN. Write down this sensitive information in a safe and personal place.
All products and services distributed by ANF AC are configured according to the privacy by default principle. If you disable the security measures included in our products, you do so at your own risk.
ANF AC rejects any responsibility or liability caused by your decision or negligence to breach the required security standards.

9Your rights.

Any person has the right to obtain confirmation about the processing that ANF AC performs on their personal data. ANF AC will facilitate to all interested parties the exercise of their rights diligently and free of charge.

The persons affected by data processing performed by ANF AC, are entitled to:

  • Request free access to their personal data.
  • Request its rectification.
  • Request deletion.
  • Request deletion.
  • Request the limitation of their processing.
  • Request the limitation of their processing.
  • Request the limitation of their processing.
  • To oppose the processing.
  • Request data portability.

Interested parties may access their personal data, as well as request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. In certain circumstances, interested parties may request the limitation, opposition to the processing and portability of their data. It is reported that the exercise of any right may hinder the legal basis on which the treatment is based, if necessary, appropriate legal measures will be taken. In case of doubt our Data Protection Officer will be pleased to answer any questions you consider appropriate to raise.

The interested parties if they consider that the processing of personal data concerning them violates the Regulation, have the right to receive attention and assistance from our Data Protection Officer, to file a complaint with the supervisory authority, in this case, the Spanish Data Protection Agency. And also, to exercise your right to effective judicial protection.

In case of security incidents that may affect the data subjects whose data we keep, ANF AC undertakes to inform and advise them properly.


Exercise of Rights

ANF AC, makes available to all interested parties the following means to exercise their rights,

Application sent by postal mail or personal visit to,

ANF AC.


Please note that by legal imperative, you will have to prove your identity,

  • In the case of written request include a photocopy of your ID card, or equivalent legal document.
  • In the case of a personal visit, you must show an original and valid ID card, or equivalent legal document.
  • In case of representation must have sufficient legal power of attorney.
  • If you contact by phone, follow the instructions of our staff, please note that you must be able to access your email account and / or cell phone that you provided at the time of collecting your data.
  • If you choose to fill in the electronic form for the exercise of rights available on our website, you must provide a digital copy of your ID card, or equivalent legal document.

You can freely draft your request or, if you wish, you can use the Exercise of Rights Form that ANF AC makes available to you as an optional support in the processing,

.

https://www.anf.es/ejercicio-de-derechos/

This document incorporates the section EXPLANATION ABOUT YOUR RIGHTS, we recommend reading it when you wish to exercise any of them.

If you wish, you can exercise your rights through a third party representative. Your representative must formally accredit this legal capacity, either by power of attorney or document issued and signed by you, including a photocopy of your ID card, or equivalent legal document.

EXPLANATION ON YOUR RIGHTS


RIGHT OF ACCESS:

By exercising this right, you request that the right of access to the data processing carried out by the organization be provided free of charge within a maximum period of one month from receipt of this request, that all the information listed in Article 15 of the GDPR be sent to you at the above address by post, in a legible and intelligible form and within the time limit indicated.

You have the right to know:

  • Whether or not we are processing personal data concerning you.
  • The origin of your data, if it was not provided to us by you.
  • The purposes of the processing of your data.
  • The purposes of the processing of your data.
  • The categories of data being processed.
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third parties or international organizations.
  • If possible, the expected retention period of the personal data, or, if not, the criteria used to determine this period.
  • If automated decisions - including profiling - are made using your personal data, you are informed of the data that has been stored about the data subject.

RIGHT OF RECTIFICATION:.

When exercising this right, it is requested that the right of rectification be provided free of charge, in accordance with the provisions of Article 16 of the GDPR. It will be necessary to provide the corresponding supporting documents.

  • You have the right to have your personal data accurate and up to date.
  • By completing them, if they are incomplete.
  • By updating them.
  • Updating or rectifying them, if they do not conform to the current reality or are inaccurate.


RIGHT OF WITHDRAWAL:

By exercising this right, you request that the right to erasure, or right to be forgotten, be provided free of charge in accordance with the provisions of Article 17 of the GDPR. This right can be exercised only if:

  • The data are no longer necessary for the purposes for which they were collected or processed.
  • If the data are no longer necessary for the purposes for which they were collected or processed.
  • If the processing was based on express consent, you withdraw your consent and the processing cannot be supported by any other legal basis.
  • If the processing was based on express consent, you withdraw your consent and the processing cannot be supported by any other legal basis.
  • You have previously successfully exercised the right to object to the processing of your data.
  • You have successfully exercised the right to object to the processing of your data.
  • The data have been processed unlawfully.
  • The data must be deleted.
  • The data must be deleted in order to comply with a legal obligation.

The stated requirements shall not apply as long as the processing is necessary for:

  • Exercise the right to freedom of expression and information.
  • For compliance with a legal obligation,
  • or.
  • for the performance of a task carried out in the public interest by the controller, or
  • for the formulation, exercise or defense of claims
  • .


RIGHT TO LIMITATION OF PROCESSING:
.

When exercising this right, we request that the right to the limitation of the indicated processing be provided free of charge, in accordance with the provisions of Articles 18 and 19 of the GDPR. In other words, that we keep them without using them for the intended purposes, provided that one of the following conditions is met:

  • You request the rectification of your personal data, for a period of time that allows us, as the organization responsible for the processing, to verify the accuracy of your personal data.
  • The processing is unlawful and you object to the deletion of the personal data, requesting instead the limitation of use.
  • We no longer need your personal data for the purposes of the processing, but you need them for the formulation, exercise or defense of claims.
  • If you have objected to the processing while we verify whether the legitimate grounds for processing outweigh your right.

Where the processing of personal data has been limited, such data may only be processed, with the exception of their retention, with your consent, for the formulation, exercise or defense of claims, to safeguard the rights of another natural or legal person, or for reasons of essential public interest. Once the limitation of the processing has taken place, you will be informed before the lifting of such limitation.


RIGHT TO DATA PORTABILITY:.

By exercising this right you request to be provided free of charge to the limitation of the processing indicated, in accordance with the provisions of Article 20 of the RGPD. We will make available to you the personal data provided by you in a structured, commonly used and machine-readable format. In addition,

  • You will have the right to ask us to transmit them directly to another data controller where this is technically possible.

You shall only have this right where:

  • We are processing your personal data on the basis of your express consent, or
  • the lawful basis is the performance of a contract, and,
  • provided that the processing is carried out by automated means.

RIGHT OF OPPOSITION:.

By exercising this right you request to be provided free of charge to the limitation of the indicated processing, in accordance with the provisions of Articles 21 and 22 of the GDPR. By this right you require us to stop using your personal data.

You can exercise your right to object when the processing has our "legitimate interests"as a lawful basis.

If the processing is based on your consent, you may withdraw your consent and obtain similar effects to the right to object.

RIGHT NOT TO BE THE SUBJECT OF AUTOMATED DECISIONS

Based on the processing of your personal data, including profiling

You can object to being subjected to a decision having legal effects or otherwise significantly affecting you, provided that it was based exclusively on automated processing of your data and without human intervention.

If you have been subject to a decision of the type described and you disagree, you may request that we review the decision to seek human intervention, express your views or otherwise challenge that decision.

You will not have the right to object when the decision made in an automated fashion:

  • Is necessary for the conclusion or performance of a contract to which you are a party,
  • It is authorized by law and there are adequate measures in place to safeguard your rights and freedoms, or
  • It is based on your explicit consent.


TERM AND TERM OF RELIEF

If within the period of one month, ANF Autoridad de Certificación does not communicate to you that it is not appropriate to attend all or part of the right exercised, it is mandatory that:

  • The communication is motivated in order to, where appropriate, request the protection of the Spanish Data Protection Agency, under Article 57 of the RGPD.
  • If prior to the claim before the Spanish Data Protection Agency, you consider that your rights have not been properly satisfied, you can request an assessment before the Data Protection Delegate.

10Our Data Protection Officer.

Any person has the right to obtain confirmation about the processing that ANF AC performs on their personal data. ANF AC will facilitate to all interested parties the exercise of their rights diligently and free of charge.

The persons affected by data processing carried out by ANF AC, have the right to:

  • Request free access to your data.
  • Request its rectification.
  • Request suppression.
  • Request the limitation of your treatment.
  • Opposing treatment.
  • Request data portability.

Interested parties may access their personal data, as well as request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. In certain circumstances, interested parties may request the limitation, opposition to the processing and portability of their data. It is reported that the exercise of any right may hinder the legal basis on which the treatment is based, if necessary, appropriate legal measures will be taken. In case of doubt, our Data Protection Delegate will be pleased to answer any questions you may have.

Data subjects, if they consider that the processing of personal data concerning them violates the Regulation, have the right to receive attention and assistance from our Data Protection Officer, to file a complaint with the supervisory authority, in this case, the Spanish Data Protection Agency. And also, to exercise their right to effective judicial protection.

In case of security incidents that may affect the data subjects whose data we keep, ANF AC undertakes to inform and advise them appropriately.

  • Exercise of Rights

ANF AC, makes available to all interested parties the following means to exercise their rights,

  • Application sent by mail or personal visit to,
    • ANF Autoridad de Certificación
    • Gran Vía de les Corts Catalanes, 996 planta 4ª Barcelona -08020- España
  • E-mail to,

delegadoprotecciondatos@anf.es

  • Telephone call requested by our Data Protection Officer,

                                              +34 932 661 614

  • An electronic form is available on our Web site

                                              https://www.anf.es/ejercicio-de-derechos/

 

Please note that by law, you will be required to prove your identity,

  • In the case of a written request, please include a photocopy of your ID card or legal document.
  • In the case of a personal visit, you must show an original and valid ID card or legal document.
  • In case of representation, legal power of attorney must be available.
  • If you contact us by phone, follow the instructions of our staff, please note that you must be able to access your email account and / or cell phone provided at the time of collecting your data.
  • If you choose to fill out the electronic form available on our website, you must provide a digital copy of your ID card or legal document.
  • If you do not wish to use our electronic form, you are free to write your request and send it by e-mail.

This document includes the section EXPLANATION OF YOUR RIGHTS, we recommend you to read it when you wish to exercise any of them. In addition, our Data Protection Officer (DPD) will provide you with all the help you need to effectively exercise your rights. The exercise of your rights and the support of our DPD is free of charge.

You may also, if you wish, exercise your rights through third party representation. Your representative must formally accredit this legal capacity, either by power of attorney or a document issued and signed by you, including a photocopy of your ID card, or equivalent legal document.

If you believe that we have not acted with sufficient diligence or that we have infringed your rights, you may file a complaint with the Spanish Data Protection Agency (AEPD),

 https://sedeagpd.gob.es/sede-electronica-web/vistas/formNuevaReclamacion/reclamacion.jsf

In addition, the AEPD provides you with information about your rights,

https://www.aepd.es/es/derechos-y-deberes/conoce-tus-derechos

And, a catalog of common questions on,

https://www.aepd.es/es/derechos-y-deberes/conoce-tus-derechos

 

EXPLANATION OF YOUR RIGHTS

 

  • RIGHT OF ACCESS:

In exercising this right, it is requested that the right of access to the data processing carried out by the organization is provided free of charge within a maximum period of one month from receipt of this request, that all the information listed in Article 15 of the GDPR is sent to the above address by mail, in a legible and intelligible form and within the time limit indicated.

You have the right to know:

  • Whether or not we are processing personal data concerning you.
  • The origin of your data, if not provided by you.
  • The purposes of the processing of your data.
  • The categories of data involved.
  • The recipients or categories of recipients to whom they were or will be communicated.

Personal data, in particular recipients in third parties or international organizations.

  • If possible, the expected retention period of the personal data, or if not, the criteria used to determine this period
  • If automated decisions - including profiling - are made using your personal data, you are informed of the data stored about the data subject.

 

  • RIGHT OF RECTIFICATION:

When exercising this right, the right of rectification is requested to be provided free of charge, in accordance with the provisions of Article 16 of the RGPD. It will be necessary to provide the corresponding supporting documents.

  • You have the right to keep your personal data accurate and current.
  • Completing them, if they are incomplete.
  • Updating or rectifying them, if they do not conform to the current reality or if they are inaccurate.

 

  • RIGHT OF SUPPRESSION:

By exercising this right, you request that the right to erasure, or right to be forgotten, be provided free of charge, in accordance with the provisions of Article 17 of the GDPR. This right can be exercised only if:

  • The data is no longer necessary for the purposes for which it was collected or processed.
  • If the processing was based on express consent, you withdraw your consent and the processing cannot be based on any other legal basis.
  • You have previously successfully exercised your right to object to the processing of your data.
  • The data have been processed unlawfully.
  • The data must be deleted in order to comply with a legal obligation.

 

Los requerimientos indicados no aplicarán siempre y cuando el tratamiento sea necesario para:

  • Exercise the right to freedom of expression and information.
  • For compliance with a legal obligation, or
  • for the performance of a task carried out in the public interest by the controller, or
  • for the formulation, exercise or defense of claims.

 

  • RIGHT TO LIMITATION OF PROCESSING:

In exercising this right, you request that we provide free of charge the right to limit the processing indicated, in accordance with the provisions of Articles 18 and 19 of the GDPR. That is, that we keep them without using them for the intended purposes, provided that one of the following conditions is met: 

  • You request the rectification of your personal data, for a period of time that allows us, as the organization responsible for the processing, to verify the accuracy of the data.
  • The processing is unlawful and he/she opposes the deletion of the personal data, requesting instead the limitation of use.
  • We no longer need your personal data for the purposes of processing, but you need them for the formulation, exercise or defense of claims.
  • If you have objected to the processing while it is being verified whether the legitimate reasons for processing outweigh your right.

Where the processing of personal data has been restricted, such data may only be processed, with the exception of their retention, with your consent, for the formulation, exercise or defense of claims, to safeguard the rights of another natural or legal person, or for reasons of essential public interest. Once the limitation of the processing has taken place, you will be informed before the lifting of such limitation.

 

  • RIGHT TO DATA PORTABILITY:

By exercising this right you request to be provided free of charge to the limitation of the processing indicated, in accordance with the provisions of Article 20 of the GDPR. We will make available to you the personal data you have provided in a structured, commonly used and machine-readable format. In addition,

  • You have the right to ask us to transfer them directly to another data controller when this is technically feasible.

You are only entitled to this right when: 

  • We are processing your personal data based on your express consent, or
  • the legal basis is the performance of a contract and,
  • provided that the treatment is carried out by means of

 

  • RIGHT OF OPPOSITION:

By exercising this right you request to be provided free of charge to the limitation of the processing indicated, in accordance with the provisions of Articles 21 and 22 of the RGPD. By this right you require us to stop using your personal data.

You can exercise your right to object when the processing is based on our legal basis “interests legitimate”.

If the processing is based on your consent, you can withdraw it and obtain effects similar to the right to object.

 

  • THE RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISIONS

Based on the processing of your personal data, including profiling.

You can object to being subjected to a decision that has legal effect or otherwise significantly affects you, provided that it was based solely on automated processing of your data and without human intervention.

If you have been subject to a decision of the type described above and disagree, you may request that we review the decision for human intervention, express your views, or otherwise challenge the decision. 

You will not have the right to object when the decision taken in automated form:

  • Is necessary for the conclusion or performance of a contract to which you are a party,
  • Is authorized by law and adequate measures are in place to safeguard their rights and freedoms, or
  • is based on your explicit consent.

 

  • TERM AND GUARDIANSHIP

If within one month, ANF Autoridad de Certificación does not communicate that it is not appropriate to fully or partially meet the right exercised, it is mandatory that: 

  • The communication is motivated in order to, if necessary, request the protection of the Spanish Data Protection Agency, under Article 57 of the RGPD.
  • If prior to the claim before the Spanish Data Protection Agency, you consider that your rights have not been properly satisfied, you may request an assessment before the Data Protection Delegate.
11Complaints - complaints.

You can submit your complaints through any of the following procedures:

 

  • Website:

Exercising your data protection rights at,

https://anf.es/en/exercise-of-rights/

  • Denunciations:

https://anf.es/en/complaints-and-claims/

  • Claims:

https://anf.es/en/complaints-and-claims/

  • Notify incidents

https://anf.es/en/complaints-and-claims/

  • Electronic mail data protection,

delegadoprotecciondatos@anf.es

  • E-mail SAT Website

adiaz@anf.es

  • Email SAT products and services

soporte@anf.es

  • For personal visit, previously arrange time

Gran Vía de les Corts Catalanes, 996
floor 4; Barcelona - 08018 - España

Teléfono: +34 932 661 614

Customer Service

Monday - Friday

Monday - Friday

From 9:00 to 14:00 from 15:00 to 18:00

12Information security, audits and data protection impact assessments.

At ANF AC we submit to review all our information systems and organizational means to internal audits and external auditors carried out by independent auditors of the highest international prestige. 

At ANF AC we submit to review all our information systems and organizational means to internal audits and external auditors carried out by independent auditors of the highest international prestige.

External audits are carried out at least annually. ANF AC is certified in compliance against the following international standards and norms:

And the following international standards and norms:

  • ETSI standards corresponding to Regulation (EU) eIDAS.
  • ISO 9001 of Quality for CAs.
  • ISO 27001 Information Management and Security Systems.
  • ISO 17024 Certification of People.
  • ISO 17024 Certification of People.
  • ISO 17024 Certification of People.
  • ISO 17024 Certification of People.
  • ISO 14001 Environmental Management.

All certifications and compliance audits obtained by ANF AC are published on our website. https://anf.es/auditorias-de-conformidad/

In addition, ANF AC has performed a Data Protection Impact Assessment (DPA) for each processing operation, having achieved a level of risk - low - with the application of the corresponding safeguards. In no case ANF AC performs data processing that is not at a low risk level, or on which authorization has been received from the AEPD to assume a higher risk, after performing the corresponding -prior consultation- established in the Regulation (EU) 679/2014 General Data Protection (GDPR).