Sign to Sign
Performed by ANF AC
SIGN-TO-SIGN TREATMENTS
1Sign to Sign administrator registration
| a)Legal basis | Legitimate interest |
| b) Purposes of the treatment | ANF AC as administrator of the platform needs to carry out maintenance work on applications, databases, servers, etc. This registry manages the authorised administrators and their security classification in S2S. |
| c) Collective. | Staff under the direction and responsibility of ANF AC. |
| d)Data categories | Name, surname, mobile phone number, organisation to which it belongs, IP communication, technical data (browser, version, OS), day and time of access, hierarchical level, type of credentials required for authentication (login, password hash, electronic certificate). |
| e) Data source | The interested party itself (super administrator - ANF staff) |
| f) Target category | The ANF AC organisation itself, auditors, supervisory authority, clients, legal and tax obligation. |
| g) International transfers | No international transfer of data is foreseen. |
| h)Deletion period | They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it. |
| i) Security measures | The technical security measures implemented correspond to those foreseen in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. The technical security measures implemented correspond to those foreseen in ISO 27001, and security standards related to ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been performed with a low risk level result. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD -RESULT |
ANF AC 27 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.27 |
2S2S operator registration
| a)Legal basis | Interés legítimo |
| b) Purposes of the treatment | Manage the access and authority of authorised operators in accordance with security levels. |
| c)Collective. | Staff under the direction and responsibility of ANF. |
| d) Data categories | Details of authorised Sign to Sign operators. Name, surname, mobile phone, organisation to which they belong, IP communication, technical data (browser, version, OS), day and time of access, hierarchical level, type of credentials required for authentication (login hash password, electronic certificate). |
| e) Data source | ANF AC |
| f) Target category | The ANF AC organisation itself, the auditors, the supervisory authority, legal and tax obligation. |
| g) International transfers | No international transfer of data is foreseen. |
| h) Deletion period | They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it. |
| i) Security measures | The technical security measures implemented correspond to those foreseen in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD -RESULTADO |
ANF AC 27 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.27 |
3Registration of client administrators
| a) Legal basis | Obligation to perform the contract. |
| b) Purposes of the treatment | This registry manages the authorised administrators and their security classification in S2S. |
| c)Collective. | Highly trusted staff of the client. With full access to the administration of your account. |
| d)Data categories | Contact details of the client organisation, its representatives, consumption information, statistical data, accounting information. |
| e) Data source | Client organisation's own and creditworthiness information obtained from third party sources. |
| f) Target category | The ANF AC organisation itself, auditors, supervisory authority, legal and fiscal obligation. |
| g) International transfers | No international transfer of data is foreseen. |
| h)Deletion period | They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it. |
| i) Security measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected.
A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | Customer |
| k) EIPD -RESULTADO |
ANF AC 27 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.27 |
4Registration of customer operators
| a) Legal basis | Obligation to perform the contract. |
| b) Purposes of the treatment | This registry manages the authorised operators and their security classification, on behalf of the clients of the sign to sign platform. |
| c) Collective. | Staff under the direction and responsibility of the S2S user organisation (Client). Appointed by the user organisation. |
| d)Data categories | Name, surname, mobile phone number, organisation to which it belongs, IP communication, technical data (browser, version, OS), day and time of access, hierarchical level, type of credentials required for authentication (login, password hash, electronic certificate). |
| e) Data source | The client organisation, the stakeholder itself. |
| f)Target category | ANF AC, auditors, supervisory authority, clients, legal and fiscal obligation. |
| g) International transfers | No international transfer of data is foreseen. |
| h) Deletion period | They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it. |
| i) Security measures | According to security level, this operator accesses all Sign to Sign systems, however, that information that is kept encrypted by default by the system, or that has been encrypted by the users themselves, is not accessible to these operators. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j)Responsible entity | The client organisation. |
| k) EIPD -RESULT |
ANF AC 27 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.27 |
5Registration of electronic credentials
| a) Legal basis | Legitimate interest. Following an analysis, this processing has been found to be necessary and proportionate. |
| b) Purposes of the treatment | Manage authorised electronic credentials for access to the Sign to Sign platform, and establish access control levels and security policy. |
| c)Collective. | Individuals and organisations using the Sign to Sign platform, including company operators. |
| d) Data categories | Credential type and identifier, security level, applicable security policy, operator identity, validity status. |
| e) Data source | Sign to Sign platform administrators. |
| f)Target category | Automated systems of the Sign to Sign platform. |
| g) International transfers | No international transfer of data is foreseen. |
| h)Deletion period | They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it. |
| i) Security measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD -RESULTADO |
ANF AC 27 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.27 |
6Sign to Sign customer registration
| a) Legal basis | .Obligation to perform the contract | .|
| b) Purposes of the treatment | .ANF AC as administrator of the platform has the customer register, which allows to identify the organisations that have contracted the Sign to Sign service, their consumption, billing and payment control, and statistical information. | |
| c) Collective. | .Customers (natural person) and legal representatives of organisations with legal personality. | |
| d) Data categories | .Contact details of the client organisation, its representatives, consumption information, statistical data, accounting information. | |
| e) Data source | .Own client organisation and creditworthiness information obtained from third party sources. | |
| f) Target category | .The ANF AC organisation itself, auditors, supervisory authority, legal and fiscal obligation. | |
| g) International transfers | .International transfers of data are not foreseen. | |
| h) Deletion period | The data shall be kept for the period necessary to fulfil the obligations assumed, and the period required to be able to prove it. | |
| i) Security measures. | Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | .ANF CERTIFICATION AUTHORITY | |
| k) EIPD - RESULT | .
ANF AC 28 - 25/12/2019 Result: Low risk level.
OID 1.3.6.1.4.1.18332.101.80.11.28 |
7Registration of recipients
| a) Legal basis | .Legitimate interest. Following an analysis, this treatment has proved necessary and proportionate. |
| b) Purposes of processing | .ANF AC or Sign to Sign's client organisations have the ability to order the sending of electronic communications, notifications and document deliveries to recipients with whom they have had a business, personal or other relationship. |
| c) Collective. | .Persons or organisations to whom ANF AC must make a communication, notification or delivery of an electronic document by mandate of a third party. |
| d) Categories of Data. | Contact details and identity of recipients. |
| e) Origin of the data | .The data subjects directly or are provided by our customers. |
| f) Recipient category | The ANF AC organisation itself, the client organisation, auditors, supervisory authority, legal and fiscal obligation | .
| g) International Transfer | .International transfers of data are not foreseen | .
| h) Deletion period | The data shall be kept for the period necessary to fulfil the obligations assumed, and the period required to be able to prove it. |
| i) Security measures | .The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | .ANF CERTIFICATION AUTHORITY/ customer |
| k) EIPD - RESULT |
ANF AC 28 - 25/12/2019 Result: Low risk level.
OID 1.3.6.1.4.1.18332.101.80.11.28 |
8Billing record
| a) Legal basis | .Contractual performance obligation | .
| b) Purposes of processing | .ANF AC as administrator of the platform has the customer register, which makes it possible to identify the organisations that have contracted the Sign to Sign service, the consumption made, control of invoicing and payments, statistical information. |
| c) Collective | .Clients (natural person) and legal representatives of organisations with legal personality. |
| d) Categories of Data. | Contact details of customers, their representatives, accounting information. |
| e) Data source | Client organisation's own and creditworthiness information obtained from third party sources. |
| f) Target category | .The ANF AC organisation itself, auditors, supervisory authority, legal and fiscal obligation. |
| g) International transfers | .International transfers of data are not foreseen. |
| h) Period of deletion | The data shall be kept for the period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures | .The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | .ANF CERTIFYING AUTHORITY |
| k) EIPD - RESULT |
ANF AC 28 - 25/12/2019 Result: Low risk level.
OID 1.3.6.1.4.1.18332.101.80.11.28 |
9Delivery schedule registration
| a) Legal basis | .Legitimate interest (After carrying out an analysis, this processing has become necessary and proportionate). In some cases it may be for the performance of contract. |
| b) Purposes of processing | .S2S operators and client organisations have the ability to order the delivery of notices, communications, and electronic document deliveries to recipients with whom they have had some form of business, personal or other relationship. This registry manages the mandates received and the acceptance of ANF AC to carry them out. |
| c) Collective | .ANF Operators, the client organisations of the service and recipients of the service. |
| d) Data Categories. | Delivery codes, details of the text of the communication or notification to be made, where applicable characteristics of the order, hash of the documents received and their identification, contact details and identity of the recipients date of the order. |
| e) Origin of the data | ANF AC (S2S) and S2S client organisations. |
| f) Target category | .The ANF AC organisation itself, the client organisation, recipients, auditors, supervisory authority, legal and fiscal obligation. |
| g) International Transfer | .International transfers of data are not foreseen. |
| h) Deletion period | The data shall be kept for the period necessary to fulfil the obligations assumed, and the period required to be able to prove it. |
| i) Security measures | .The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | .ANF CERTIFYING AUTHORITY |
| k) EIPD - RESULT | ANF AC 28 - 25/12/2019 Result: Low risk level. |
10Registration of attachments
| a) Legal basis | .Legitimate interest (After carrying out an analysis, this processing has become necessary and proportionate). In some cases it is carried out for the performance of a contract. |
| b) Purposes of processing | .S2S operators and client organisations have the ability to send attachments to electronic documents to recipients with whom they have a business, personal or other relationship. This registry manages attachments that are sent through the S2S platform. |
| c) Collective. | ANF operators, the organisations that are clients of the service and recipients of the service. |
| d) Data Categories. | Delivery codes, details of the text of the communication or notification to be made, where appropriate, characteristics of the order, hash of the documents received and their identification, contact details and identity of the recipients, date of the order. |
| e) Origin of the data | ANF AC (S2S) and S2S client organisations. |
| f) Target category | .The ANF AC organisation itself, the client organisation, recipients, auditors, supervisory authority, legal and fiscal obligation. |
| g) International Transfer | .International transfers of data are not foreseen. |
| h) Deletion period | The data shall be kept for the period necessary to fulfil the obligations assumed, and the period required to be able to prove it. |
| i) Security measures | .The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | .ANF CERTIFYING AUTHORITY |
| k) EIPD - RESULT |
ANF AC 28 - 25/12/2019 Result: Low risk level.
OID 1.3.6.1.4.1.18332.101.80.11.28 |
11Transaction log
| a) Legal basis | Legitimate interest. After carrying out an analysis, this treatment has been found to be necessary and proportionate.
In some cases for the performance of a contract. |
|
| b) Purposes of processing | .Sign to Sign client organisations have the ability to order the delivery of notices, communications, and electronic document deliveries to recipients with whom they have a business, personal or other relationship. This registry manages the transaction status of each of them. | |
| c) Collective | ANF AC operators, the organisations that are clients of the service and recipients of the service. | |
| d) Data Categories. | Data Categories. | Delivery codes, transaction status, completion dates and attempts made. |
| e) Data origin | ANF AC, Automated Receiving Systems, the recipients of the service themselves. | |
| f) Recipient category | The ANF AC organisation itself, the client organisation, auditors, control authority, legal and fiscal obligation | |
| g) International Transfer | International transfers of data are not foreseen | |
| h) Deletion period | The data shall be kept for the period necessary to fulfil the obligations assumed, and the period required to be able to prove it. | |
| i) Security measures | The information is pseudonymised. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. | |
| j) Responsible entity | ANF CERTIFYING AUTHORITY | |
| k) EIPD - RESULT |
ANF AC 28 - 25/12/2019 Result: Low risk level.
OID 1.3.6.1.4.1.18332.101.80.11.28 |
12LOG logging
| a) Legal basis | Legitimate interest | |
| b) Purposes of the processing | In order to monitor the status of the Sign to Sign platform's computer systems, accesses that have occurred and even to detect security breaches or attacks, Sign to Sign servers record a wide variety of events that are stored in the LOG Log. | |
| c) Collective. | Sign to Sign organisation | |
| d) Data categories. | Events, day and time of access and disconnection, IP from which it is accessed, port of access, activity carried out. | |
| e) Origin of the data | General public, client organisations, own operators and Sign to Sign systems. | |
| f) Target category | ANF AC and legal obligation. | |
| g) International transfers | International transfers of data are not foreseen | |
| h) Deletion period | The data shall be kept for the period necessary to fulfil the obligations assumed, and the period required to be able to prove it. | |
| i) Security measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. | |
| j) Responsible entity | ANF CERTIFYING AUTHORITY | |
| k) EIPD - RESULT |
ANF AC 28 - 25/12/2019 Result: Low risk level.
OID 1.3.6.1.4.1.18332.101.80.11.28 |
13Traceability Register
| a) Legal basis | Legitimate interest. |
| b) Purposes of the processing | .For the purpose of documenting the status of the computer systems of the Sign to Sign platform, as well as the accesses that have occurred. A wide variety of events are recorded and stored in the Log. |
| c) Collective | Client organisation, Sign to Sign |
| d) Data Categories. | Audit trails. Events, day and time of access and disconnection, IP from which it is accessed, port of access, activity carried out. |
| e) Origin of the data | General public, client organisations, own operators and Sign to Sign systems. |
| f) Target category | ANF AC and legal obligation. |
| g) International transfers | International transfers of data are not foreseen |
| h) Period of deletion | The data shall be kept for the period necessary to fulfil the obligations assumed, and the period required to be able to prove it. |
| i) Security measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFYING AUTHORITY |
| k) EIPD - RESULT |
ANF AC 28 - 25/12/2019 Result: Low risk level.
OID 1.3.6.1.4.1.18332.101.80.11.28 |
14Transaction Audit Log
| a) Legal basis | Legitimate interest. |
| b) Purposes of the processing | For the purpose of tracking the use of credentials, use of services, events that the operators of the Sign to Sign platform record. |
| c) Collective. | Individuals and organisations using the Sign to Sign platform, including company operators. |
| d) Data Categories. | Credential used, events, day and time of access and disconnection, IP from which it is accessed, and activity carried out. |
| e) Origin of the data | individuals and organisations using the Sign to Sign platform, including company operators. |
| f) Target category | ANF AC and legal obligation. |
| g) International transfers | International transfers of data are not foreseen. |
| h) Deletion period | The data shall be kept for the period necessary to fulfil the obligations assumed, and the period required to be able to prove it. |
| i) Security measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFYING AUTHORITY |
| k) EIPD - RESULT |
ANF AC 28 - 25/12/2019 Result: Low risk level.
OID 1.3.6.1.4.1.18332.101.80.11.28 |
15Register of consumption
| a) Legal basis | Interés legítimo. In some cases for the execution of a contract. |
| b) Purposes of the processing | To carry out an adequate control of consumption of the Sign to Sign service, both for statistical and accounting purposes. |
| c) Collective. | Individuals and organisations using the Sign to Sign platform, including company operators. |
| d) Data categories | Consumption made, identity of client organisation, identity of operator, date and time of consumption, |
| e) Data origin | Automated services of the Sign to Sign platform. |
| f) Target category | Authorised operators of the client organisation and Sign to Sign itself. |
| g) International Transfer | International transfers of data are not foreseen |
| h) Deletion period | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFYING AUTHORITY |
| k) EIPD - RESULT |
ANF AC 28 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.28 |
16Register of incidents
| a) Legal basis | Legal obligation (Articles 73 and 74 of the LOPD 3/2018 in relation to Article 33 of the RGPD) | .
| b) Purposes of the processing | In accordance with the current legal regulations on data protection, information society services and telecommunications, ANF AC assumes the obligation to manage a record of incidents (security breaches) and, where appropriate, notify the control authorities, affected parties, auditors and internal control bodies of the ANF AC organisation itself. |
| c) Collective. | Organisations that are clients and recipients of the service. |
| d) Categories of Data. | Information on the incident detected, date on which it became known, seriousness, measures adopted to resolve it, measures adopted to prevent its recurrence, identification of possible affected parties, communication, if applicable, of the incident with information on the recommendations of the measures to be adopted. |
| e) Origin of the data | ANF AC, the data subjects themselves, auditors, contracted third parties. |
| f) Target category | The ANF AC organisation itself, client organisations, disaffected parties, auditors, supervisory authority. Legal obligation |
| g) International Transfer | International transfers of data are not foreseen |
| h) Deletion period | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. Se ha realizado análisis de riesgos y una evaluación de impacto en protección de datos con resultado de nivel de riesgo bajo. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 28 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.28 |
17S2S access audit log
| a) Legal basis | Legitimate interest |
| b) Purposes of processing | .ANF AC as a Qualified Trust Service Provider must carry out appropriate access management and administration to ensure security. Whenever someone uses a credential to identify themselves on the platform (login), in the course of access control an audit is managed. |
| c) Collective. | Customers, ANF AC staff |
| d) Data Categories. | Account involved, Platform, Type of access, Day and Time, Access Attempts, Success/Failure, IP, OS and Browser, Geographical location (if possible). |
| e) Origin of the data | The data subject himself/herself. |
| f) Target category | The ANF AC organisation itself, auditors, control authority, clients, legal and fiscal obligation | .
| g) International Transfer | International transfers of data are not foreseen |
| h) Deletion period | They shall be kept for one year and, where appropriate, the time necessary to meet the obligations assumed, and the time required to be able to accredit it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 28 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.28 |
18Registration of electronic documents.
| a) Legal basis | Legitimate interest. In some cases for the performance of a contract. |
| b) Purposes of the processing | Both ANF AC and Sign to Sign client organisations have the ability to order the delivery of electronic documents to recipients with whom they have had some form of business, personal or other relationship. |
| c) Collective. | Individuals or organisations to whom ANF AC must deliver an electronic document by mandate of a third party. |
| d) Data Categories. | When ANF AC processes data in its capacity as data controller, it is aware of the data contained in the documents managed in this registry, therefore, it applies strong encryption in its conservation (data identifying clients, operators and recipients, e-mails, telephone, etc.).
When ANF acts as a processor, it stores and manages electronic documents whose content is not the responsibility of ANF AC and, therefore, is not supervised by ANF AC. ANF AC makes a general recommendation to client organisations to perform strong encryption in all those documents with personal information, making available the corresponding option. |
| e) Origin of the data | Data subjects directly provide ANF with the data involved in this operation, when ANF acts as data controller. The Sign to Sign client organisation. |
| f) Target category | The ANF AC organisation itself, the client organisation, auditors, supervisory authority, legal and fiscal obligation |
| g) International Transfer | International transfers of data are not foreseen |
| h) Deletion period | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The default electronic document is kept with strong encryption on their systems, the delivery of the electronic document to the recipient is done according to the instructions of the client organisation (encrypted or transparent). The information is pseudonymised. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. Compliance with the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 29 - 25/12/2019 Result: Low Risk Level
Anexo IV OID 1.3.6.1.4.1.18332.101.80.11.29 |
192FA registration
| a) Legal basis | Legitimate interest (After analysis it has become necessary and proportionate to carry out this processing). In some cases for the performance of a contract. |
| b) Purposes of processing | In compliance with international security standards (NIST, PCI DSS, etc.) Sign to Sign carries out automated processing of random session key generation, notification of the same to the interested parties, recording of the hash, and subsequent verification for validation. |
| c) Collective. | Individuals or organisations using the Sign to Sign platform. Sign to Sign client organisation and recipients. |
| d) Data Categories. | Identification of the operators concerned, transaction identifier, hash of the 2FA key, date and time, validation result. |
| e) Data origin | Automated 2FA key generation, other automated Sign to Sign systems. Authenticating stakeholders. |
| f) Target category | The ANF AC organisation itself, the client organisation, stakeholders using 2FA, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Deletion period | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 29 - 25/12/2019 Result: Low Risk Level
Anexo IV OID 1.3.6.1.4.1.18332.101.80.11.29 |
20Long-term electronic signature/stamp preservation record
| a) Legal basis | Fulfilment of contract. Where appropriate, ANF AC acting as data controller will request explicit consent in case of processing sensitive data. |
| b) Purposes of processing | .In accordance with ETSI standards regarding the long-term preservation of electronic signatures and seals, Sign to Sign records signatures and signed documents, applying to them the technical requirements established by ETSI standards. It also includes the provision and validation of electronic documents. |
| c) Collective. | Individuals or organisations using the Sign to Sign platform. |
| d) Categories of Data. | Electronic documents that have been authenticated by electronic signature. These documents allow the identification of individuals and may include sensitive data.
When ANF AC acts as a processor, it does not perform a supervision of these documents, being the responsibility of the client organisation to establish the criteria of availability (encrypted or transparent). |
| e) Origin of the data | The data subjects themselves, ANF AC, ANF AC client organisations, recipients. |
| f) Target category | The ANF AC organisation itself, the client organisation, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The electronic documentation stored by default is encrypted with strong encryption, and is made available according to the requirements established by the client organisation, with the option for its delivery encrypted with self-executable. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 29 - 25/12/2019 Result: Low Risk Level
Anexo IV OID 1.3.6.1.4.1.18332.101.80.11.29 |
21Register of evidentiary documents
| a) Legal basis | Legitimate interest (Following an analysis, this processing has become necessary and proportionate). Where applicable, for the performance of a contract. |
| b) Purposes of processing | Automated systems generate authenticated supporting documents for all transactions carried out using the Sign to Sign platform. In addition to their safekeeping, this allows them to be made available to the interested parties. |
| c) Collective. | Persons or organisations using the Sign to Sign platform. |
| d) Data Categories. | .Evidentiary documents that have been authenticated by signature or electronic seal, and that accredit the transactions in which Sign to Sign has been involved. These documents allow the identification of persons, and even contact details and general characteristics of the service provided and communication made. |
| e) Origin of the data | Individuals or organisations using the Sign to Sign platform. |
| f) Target category | The ANF AC organisation itself, the client organisation, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The electronic documentation stored by default is encrypted with strong encryption, and is made available according to the requirements established by the client organisation, with the option for its delivery encrypted with self-executable. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 29 - 25/12/2019 Result: Low Risk Level
Anexo IV OID 1.3.6.1.4.1.18332.101.80.11.29 |
22Register of validations
| a) Legal basis | Fulfilment of contract. |
| b) Purposes of processing | At all transactions carried out with the intervention of the Sign to Sign platform, the automated systems generate authenticated supporting documents. In accordance with current legal regulations, before these documents can be trusted, a validation of the authenticity of the document, signature, certificate, time stamp, etc. must be carried out. The result of this validation is a certificate of validation that proves compliance with the verification. |
| c) Collective. | Individuals or organisations using the Sign to Sign platform. |
| d) Data Categories. | Validation result to which an authenticated electronic document is subjected. |
| e) Origin of the data | Individuals or organisations using the Sign to Sign platform. |
| f) Target category | The ANF AC organisation itself, the client organisation, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The electronic documentation stored by default is encrypted with strong encryption, and is made available according to the requirements established by the client organisation, with the option for its delivery encrypted with self-executable. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 29 - 25/12/2019 Result: Low Risk Level
Anexo IV OID 1.3.6.1.4.1.18332.101.80.11.29 |
23Registration of smart pdf templates
| a) Legal basis | Legitimate interest (After carrying out an analysis, this processing has become necessary and proportionate). Where applicable, for the performance of a contract. |
| b) Purposes of processing | Sign to Sign offers the possibility to create smart pdfs, forms that in pdf format can be filled in by third parties and record the information permanently. |
| c) Collective. | Users of the Sign to Sign platform. |
| d) Categories of Data. | They may include personal data allowing the identification of natural persons, and contact details. Sign to Sign does not monitor or control the information outlined in the smart pdf templates. |
| e) Data source | Members of the Sign to Sign organisation. |
| f) Target category | Users of the Sign to Sign platform belonging to ANF AC or S2S client organisations. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD, and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 29 - 25/12/2019 Result: Low Risk Level
Anexo IV OID 1.3.6.1.4.1.18332.101.80.11.29 |
24Registro formularios contacto web
| a) Legal basis | Legitimate interest |
| b) Purposes of processing | To provide client organisations, recipients and the general public with a channel for communicating complaints or suggestions that they consider appropriate to communicate to Sign to Sign. This register contains evidence of the communication made, and the action taken on it. |
| c) Collective. | Individuals or organisations wishing to make a complaint or suggestion to Sign to Sign. |
| d) Data Categories. | Contact details, (telephone, email, postal address, web address) identity of the contact person, position, name of the organisation, and any comments you wish to make about the reason for your complaint or suggestion. |
| e) Origin of the data | Interested parties who fill in the web form. |
| f) Target category | The ANF AC organisation itself, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 30 - 25/12/2019 Result: Low Risk Level
Anexo IV OID 1.3.6.1.4.1.18332.101.80.11.30 |
25Register of complaints and suggestions forms
| a) Legal basis | Legitimate interest |
| b) Purposes of processing | To provide client organisations, recipients and the general public with a channel for communicating complaints or suggestions that they consider appropriate to communicate to Sign to Sign. This register contains evidence of the communication made, and the action taken on it. |
| c) Collective. | Individuals or organisations wishing to make a complaint or suggestion to Sign to Sign |
| d) Data Categories. | Contact details, (telephone, email, postal address, web address) identity of the contact person, position, name of the organisation, and any comments you wish to make about the reason for your complaint or suggestion. |
| e) Origin of the data | Interested parties who fill in the web form. |
| f) Target category | The ANF AC organisation itself, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 30 - 25/12/2019 Result: Low Risk Level
Anexo IV OID 1.3.6.1.4.1.18332.101.80.11.30 |
26CSR Register(Corporate Social Responsibility)
| a) Legal basis | Legitimate interest |
| b) Purposes of processing | Sign to Sign considers it particularly important to properly assume its corporate social responsibility. To this end, it makes available to the public in general, and to the company's own staff in particular, a register of communications that makes it possible to anonymously report facts that contravene the organisation's corporate social responsibility policy. This register makes it possible to determine which senior management position will be responsible for handling the notification (investigation of the facts, delimitation of responsibilities, and application of measures where appropriate). |
| c) Collective. | Members of the Sign to Sign organisation. |
| d) Categories of Data. | They may include personal data that allow the identification of natural persons, and reports of events that may affect them as victims or perpetrators. |
| e) Data source | Public in general and company staff in particular. |
| f) Category recipients | Highest Sign to Sign address, and legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Medidas de seguridad. | Las medidas de seguridad técnica implantadas se corresponden con las previstas en la ISO 27001, y normas de seguridad relacionadas con la normativa ETSI que ANF AC está obligada a cumplir en conformidad con el Reglamento eIDAS.
Cumplimiento normativo, en especial Ley de Servicios de la Sociedad de la Información, y Telecomunicaciones. Se respeta los establecido por el RGPD, y Ley Orgánica 3/2018 protección de datos. Se ha realizado análisis de riesgos y una evaluación de impacto en protección de datos con resultado de nivel de riesgo bajo. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 30 - 25/12/2019 Result: Low Risk Level
Anexo IV OID 1.3.6.1.4.1.18332.101.80.11.30 |
27Portability Registration
| a) Legal basis | Fulfilment of a legal obligation. Article 17 of the LO 3/2018, in relation to Article 20 of the RGPD. |
| b) Purposes of processing | To record and manage portability requests. To obtain evidence of identification of applicants and of all operations carried out to meet the request. |
| c) Collective. | Individuals and organisations using the Sign to Sign platform, including company operators. |
| d) Categories of Data. | Those data obtained directly from the data subject or those generated from the service. Transactions ordered, evidentiary documents obtained, etc. Orderer ID, transaction ID, date and time. |
| e) Origin of the data | Sign to Sign platform and from stakeholders directly. |
| f) Target category | Automated systems of the Sign to Sign platform. |
| g) International Transfer | International data transfers are not foreseen |
| h) Deletion period | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 31 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.31 |
28Registration of requests for rectification of personal data
| a) Legal basis | Fulfilment of a legal obligation. Article 14 LO 3/2018 in relation to Article 16 of the RGPD. |
| b) Purposes of processing | To record and manage requests for rectification of personal data. To obtain evidence of identification of applicants and of all operations carried out. |
| c) Collective. | Individuals and organisations using the Sign to Sign platform, including company operators. |
| d) Categories of Data. | Incorrect or incomplete personal data of data subjects. (Names, surnames, identification, email, among others). |
| e) Origin of the data | Data provided by the interested parties themselves, by the payers and administration of the Sign to Sign platform. |
| f) Target category | Automated systems of the Sign to Sign platform. |
| g) International Transfer | .International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures |
The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 31 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.31 |
29Register of data processing restrictions
| a) Legal basis | Legal obligation. Article 16 of LO 2/2018. |
| b) Purposes of processing | .To record and manage limitations on the processing of personal data. To obtain evidence of identification of applicants and of all operations carried out in order to comply with the request.
- Control and manage temporarily blocked data. - Control and management of data retention at the request of data subjects. |
| c) Collective. | Individuals and organisations using the Sign to Sign platform, including company operators. |
| d) Categories of Data. | Data of operators, recipients, users of S2s in general Transactions ordered, evidentiary documents obtained, etc.
Data subjects' data challenged for inaccuracy.
Data processed on the basis of a legitimate interest while analysing the prevalence of the data subject's right over the right of the data controller. Data which must be retained if the data subject objects to erasure. |
| e) Origin of the data | The stakeholders themselves and those generated by the Sign to Sign platform. |
| f) Target category | Automated systems of the Sign to Sign platform. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 31 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.31 |
30Register of consents
| a) Legal basis | Legal obligation. Article 5.2 and 6.1 c) and Articles 13 and 14 RGPD. Article 22 Law 34/2002 (LSSI). |
| b) Purposes of processing | To record and manage the collection and storage of informed consents.
To have evidence of the information provided to data subjects and their consent. |
| c) Collective. | Individuals and organisations using the Sign to Sign platform, including company operators. |
| d) Data categories. | First name, last name, transaction id, information, date and time, IP, signature. |
| e) Data source | Sign to Sign platform. |
| f) Target category | Automated systems of the Sign to Sign platform. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 31 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.31 |
31Opposition registration
| a) Legal basis | Legal obligation. Article 21 and 22 RGPD. Article 22 Law 34/2002 (LSSI). |
| b) Purposes of processing | To record and manage data subjects' objections to the processing of personal data.
Have evidence of information provided to and acceptance by stakeholders. |
| c) Collective. | Individuals and organisations using the Sign to Sign platform, including company operators. |
| d) Data categories. | First and last names of the data subject, transaction id, information, date and time, IP, signature. |
| e) Data source | Sign to Sign platform. |
| f) Target category | Automated systems of the Sign to Sign platform. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures |
The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 31 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.31 |
32Supression Register
| a) Base jurídica | Obligación legal. Artículo 15 LOPD. |
| b) Fines del tratamiento | Registrar y gestionar las supresiones solicitadas por los interesados al tratamiento de los datos personales o por causas legales correspondientes. |
| c) Colectivo. | Personas y organizaciones usuarias de la plataforma Sign to Sign, incluidos operadores de la compañía. |
| d) Categorías de Datos. | Nombres y apellidos del interesado, id de la transacción, información, fecha y hora, IP, firma. |
| e) Procedencia de los datos | Plataforma Sign to Sign. |
| f) Categoría destinatarios | Sistemas automatizados de la plataforma Sign to Sign. |
| g) Transf. Internacional | No están previstas transferencias internacionales de los datos. |
| h) Plazo supresión | Se conservarán durante un periodo necesario para atender las obligaciones asumidas, y el requerido para poder acreditarlo. |
| i) Medidas de seguridad. |
Las medidas de seguridad técnica implantadas se corresponden con las previstas en la ISO 27001, y normas de seguridad relacionadas con la normativa ETSI que ANF AC está obligada a cumplir en conformidad con el Reglamento eIDAS.
Cumplimiento normativo, en especial Ley de Servicios de la Sociedad de la Información, y Telecomunicaciones. Se respeta los establecido por el RGPD, y Ley Orgánica 3/2018 protección de datos. Se ha realizado análisis de riesgos y una evaluación de impacto en protección de datos con resultado de nivel de riesgo bajo. |
| j) Entidad responsable | ANF AUTORIDAD DE CERTIFICACIÓN |
| k) EIPD -RESULTADO |
ANF AC 31 – 25/12/2019 Resultado: Nivel de riesgo bajo
OID 1.3.6.1.4.1.18332.101.80.11.31 |
33SMS registration
| a) Legal basis | Legitimate interest (Following an analysis, this processing has been found to be necessary and proportionate). |
| b) Purposes of processing | .The Sign to Sign platform has the necessary technology to send SMS (Short Message Service) messages to mobile phones.
This technology is used to notify short messages, 2FA keys or even receive 2FA confirmations, replies to sent notifications, or automated instruction orders. |
| c) Collective. | Operators, operators of client organisations and recipients of the service. |
| d) Data Categories. | Mobile phone numbers, transaction identification, short message text, data and traces from automated receiving systems. |
| e) Origin of the data | Automatic reception systems, the interested parties themselves and the client organisation mandating the service. |
| f) Target category | The ANF AC organisation itself, the client organisation, recipients, auditors, supervisory authority, legal and fiscal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures |
The information is pseudonymised. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 32 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.32 |
34eMail registration
| a) Legal basis | Legitimate interest (After carrying out an analysis it has become necessary and proportionate to carry out this processing). Where applicable, obligation to perform a contract. |
| b) Purposes of processing | .The Sign to Sign platform has the necessary technology to send emails.
This technology is used for the purpose of notifying documents made available, communications, or even to receive responses to notifications sent, commercial notices of news of ANF AC services and general communication channel. |
| c) Collective. | ANF AC Operators, Client organisations of the service and recipients of the service. |
| d) Data Categories. | Email address, transaction ID, message text, data and traces from automated email receiving systems. |
| e) Origin of the data | ANF AC, the automatic reception systems, the recipients of the service themselves, the client organisation mandated to provide the service. |
| f) Target category | The ANF AC organisation itself, the client organisation, recipients, auditors, supervisory authority, legal and fiscal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures |
The information is pseudonymised. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 32 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.32 |
35IM registration(instant messaging)
| a) Legal basis | The performance of a contract. |
| b) Purposes of processing | The Sign to Sign platform has the necessary technology for sending instant messaging (IM).
This technology is used for the fulfilment of mandates received in order to notify the provision of documents, 2FA notification, or even commercial notices of new ANF AC services. |
| c) Collective. | Organisations that are clients and recipients of the service. |
| d) Categories of Data. | IM address, operator or recipient identification, transaction identification, message text. |
| e) Origin of the data | ANF AC, the recipients of the service themselves, the client organisation mandated to provide the service. |
| f) Target category | The ANF AC organisation itself, the client organisation, recipients, auditors, supervisory authority, legal and fiscal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures |
The information is pseudonymised. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 32 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.32 |
36Whatsapp Registration
| a) Legal basis | Contractual performance obligation. |
| b) Purposes of processing | The Sign to Sign platform has the necessary technology to send Whatsapp messages. This technology is used for the purpose of notifying the provision of documents, 2FA notification, or even commercial notices of new ANF AC services. |
| c) Collective. | ANF AC, the client organisations of the service and recipients of the service. |
| d) Data Categories. | Mobile phone number, operator or recipient identification, transaction identification, message text |
| e) Origin of the data | ANF AC, the recipients of the service themselves, the client organisation mandated to provide the service. |
| f) Target category | The ANF AC organisation itself, the client organisation, recipients, auditors, control authority, legal and fiscal obligation. |
| g) International Transfer | .International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures |
The information is pseudonymised. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 32 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.32 |
37Peer to Peer Registration
| a) Legal basis | Contractual performance obligation |
| b) Purposes of processing | The Sign to Sign platform has the Peer to Peer technology necessary to establish communications between portable terminals and the Sign to Sign platform.
This technology is used for the purpose of making documents available, their authentication, their communication to the secure Sign to Sign servers or even commercial notices of new ANF AC services. |
| c) Collective. | Organisations that are clients and recipients of the service. |
| d) Data Categories. | Portable device identifier, operator or recipient identification, transaction identification. |
| e) Origin of the data | ANF AC, the service recipients themselves, the client organisation mandated to provide the service. |
| f) Category recipients | The ANF AC organisation itself, the client organisation, recipients, auditors, supervisory authority, legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures |
The information is pseudonymised. The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 32 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.32 |
38General telephone call logging
| a) Legal basis | Legitimate interest |
| b) Purposes of processing | In order to audit and improve the quality of the services that ANF AC provides to its customers, a recording is made of the telephone calls received and made. They are randomly reviewed to determine the quality of the service provided. |
| c) Collective. | Organisations that are clients of the service, recipients of the service, the general public. |
| d) Categories of Data. | Conversations held on commercial aspects, or of a general business nature. Transaction identifier, telephone number of the interlocutor, date and time. They may contain personal data that allow the identification of the data subject. |
| e) Data source | ANF AC staff, and interlocutors. |
| f) Target category | The ANF AC organisation itself, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures |
The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. Compliance with the RGPD and Organic Law 3/2018 on data protection. Risk analysis and a risk analysis have been carried out. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 33 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.33 |
39Registration of telephone calls complaints
| a) Legal basis | Legitimate interest |
| b) Purposes of processing | .For the purpose of managing complaints within the framework of the services that ANF AC provides to its customers, a recording is made of the telephone calls received and made. These are reviewed to determine the quality of the service provided. |
| c) Collective. | Organisations that are clients of the service, recipients of the service, the general public. |
| d) Categories of Data. | Conversations held on commercial aspects, or of a general business nature. Transaction identifier, telephone number of the interlocutor, date and time. They may contain personal data that allow the identification of the data subject. |
| e) Data source | ANF AC staff, and interlocutors |
| f) Target category | The ANF AC organisation itself, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | .International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j)Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 33 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.33 |
40Registration of telephone calls contracting
| a) Legal basis | Legitimate interest |
| b) Purposes of the processing | In order to obtain evidence of the contracting carried out by a third party, a recording is made of the conversation held, especially regarding the information provided on the characteristics, conditions and price of the service or product contracted, the purchaser's acceptance of the same, and any caveat or mention that the purchaser wishes to record. |
| c) Collective. | Individuals or organisations interested in acquiring Sign to Sign products or services. |
| d) Categories of Data. | Conversations held on commercial aspects, contracting, characteristics, conditions, price and acceptance of the purchase. They may contain personal data that allow the identification of the buyer in the case of a natural person, or of the representative in the case of a legal entity. |
| e) Data source | A ANF AC staff, and buyers |
| f) Target category | The ANF AC organisation itself, purchasers, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 33 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.33 |
41Phone call log notifications
| a) Legal basis | Legitimate interest |
| b) Purposes of processing | .In order to obtain evidence of the notifications received by ANF AC by telephone, the conversation between ANF AC staff and the interlocutors is recorded. |
| c) Collective. | .Individuals or organisations making notifications via telephone to Sign to Sign. |
| d) Data Categories. | Business notifications. They may contain personal data that allow the identification of the notifier. |
| e) Data source | A ANF AC staff, and buyers. |
| f) Target category | The ANF AC organisation itself, purchasers, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures |
The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. It respects the provisions of the RGPD, and Organic Law 3/2018 on data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 33 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.33 |
42Registration forms contact Web
| a) Legal basis | Legitimate interest |
| b) Purposes of processing | Sign to Sign offers the general public the possibility of requesting customer service staff to contact by telephone or personal visit, for which purpose a communication channel is provided via a web form. The purpose of this data is to establish contact with interested parties and even to send them periodic commercial or technical information on the sector in which they have shown interest. |
| c) Collective. | Individuals or organisations wishing to establish contacts with Sign to Sign. |
| d) Data Categories. | Contact details, (phone, email, postal address, web address) identity of contact person, job title, name of organisation, and any comments you wish to make about why you are interested. |
| e) Origin of the data | Interested parties who fill in the web form. |
| f) Target category | The ANF AC organisation itself, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Period of deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Security measures |
The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF AC is obliged to comply with in accordance with the eIDAS Regulation.
Regulatory compliance, especially the Law on Information Society Services and Telecommunications. Compliance with the RGPD and Organic Law 3/2018 on data protection. Risk analysis and a risk analysis have been carried out. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT |
ANF AC 33 - 25/12/2019 Result: Low Risk Level
OID 1.3.6.1.4.1.18332.101.80.11.33 |
