Privacy Policy

Date of publication 02/06/2023 version 1.0

1Our Privacy Policy

ANF Certification Authority SL, CIF B87341228, has developed this Privacy Policy to inform about its commitment to the protection of personal data, and to describe the criteria concerning the collection, use, retention and disclosure of personal information obtained during visits to our web pages or in the provision of services carried out on this website (hereinafter Platform); The data collected during visits to our web pages, or in the provision of the services carried out on this website (hereinafter, "Platform"), as well as the data collected in person in paper format, or in the use of the applications and services of ANF Certification Authority.

Througéh no personal data is collected on this website personal character of users without their knowledge. No data is disclosed to third parties except where a disclosure is necessary to comply with applicable law, or other legal or judicial requirements or audit.

If you click on a link posted on our platform to another website, please note that the owner of the other website will have its own privacy policy. We recommend that you read their policy, as we are not responsible for what happens on their site;

PLEASE REVIEW THIS PRIVACY POLICY BEFORE USING OUR WEBSITE OR ANY ANF CERTIFICATION AUTHORITY SL APPLICATIONS OR SOLUTIONS. IF YOU DO NOT ACCEPT OUR PRIVACY POLICY DO NOT USE OUR WEBSITE OR OUR SERVICES, WE ONLY COLLECT THE INFORMATION NECESSARY TO PROVIDE THEM IN COMPLIANCE WITH APPLICABLE LAW, THEREFORE, IT WILL NOT BE POSSIBLE TO PROVIDE THEM IN ADEQUATE MANNER. IF YOU PROVIDE ANY PERSONAL INFORMATION, WE UNDERTAKE TO COMPLY WITH THE TERMS OF THIS PRIVACY POLICY;

This Privacy Policy is periodically reviewed in order to keep it permanently updated. We carry out a versioning check and the date of publication is highlighted, which corresponds to its entry into force. When a revision of the document is made, for a period of three months the link is marked with the notice "New" in that case, please consult the changes made in order to determine its acceptance or rejection.

Please note that some of our services have a specific privacy statement that is supplemental to this general Privacy Policy. Specifically, you can access the specific statements at,

https://www.anf.ac/politica-de-privacidad-productos-servicios 

If you have any questions or concerns about this Privacy Policy, specific statements, or concerns about how your personal information may have been handled, or simply wish to confirm whether we are processing your personal data, or require assistance in exercising your data protection rights, you may contact our Data Protection Officer,

- Tfno. +34 932 662 614.

2Who is the controller of personal data?

For the purpose of data protection legislation,

  • ANF Certification Authority, is responsible for the processing in those personal data processing in which it assumes responsibility for the collection of information, determines the purpose of the processing and the legal basis that legitimizes it. In particular, all those treatments relating to: customers, suppliers, Partners, OVP or AR operators, DPD candidates, teachers, students of the ANF Certification Authority Campus, examiners, supervisors, members of the Committee of Experts, auditors, face-to-face visits, telephone consultations, recipients, newsletter, CVs of job applicants, survey participants, employees or freelance collaborators.
  • ANF Certification Authority, is co-controller when it receives data from a data controller in order to provide a service that involves the collection of data from other persons, and involves determining the purpose of the processing and the legal basis that legitimizes it. In particular, by way of example only: certified delivery service, certificate and electronic signature validation service, remote identification proof service.
  • ANF Certification Authority, is processor when it receives data from a data controller in order to provide a service whose purpose and legitimacy of the processing of personal data is the decision of the client responsible for the processing. In this intervention, the relationship between ANF Certification Authority as data processor is established by means of the corresponding contract.
  • Declaration of responsibility of the General Management of ANF Certification Authority,

The personal data collected by ANF Certification Authority or provided for the provision of a service, are treated confidentially, fulfilling the commitments set out in our Privacy Policy, and respecting the current legislation on data protection, and other regulations related to our activity.

F. Díaz Vilches
CEO of ANF Certification Authority

 

Headquarters where data processing is carried out,
Gran Vía de les Corts Catalanes, 996
4th floorª Barcelona -08018- España

Public service
Monday - Friday
from 9:00 to 14:00from 15:00to 18:00

3Personal information we collect about you

The information we collect and how we collect it may vary depending on the products and services used and subscribed to by the data subject, as well as how you have interacted on any of our web platforms, e.g., registering on our Website to request commercial information, answering surveys, signing up for our mailing list, registering on our Website to request commercial information, answering surveys, subscribing to our mailing list, and so on. E.g. registering on our Website to request commercial information, answering surveys, subscribing to the Newsletter distribution list, interested in working at ANF Certification Authority, etc.

Also, it is convenient to remind you that some of our services have a specific Privacy Statement, in the event that hiring or using one of these services previously consult the corresponding privacy statement. 

And it is convenient to remind you that some of our services have a specific Privacy Statement, in the event that hiring or using one of these services previously consult the corresponding privacy statement.

The data we collect and the sources of collection are recorded in the Register of Processing Activities (RAT).

https://www.anf.ac/registro-de-actividades-tratamiento-de-datos/

 

Data category

We do not collect or process information from minors, or information that can be classified as sensitive data categories, e.g., in the case of the use of a biomedical signature, we do not collect or process information from minors, or information that can be classified as sensitive data categories, e.g., in the case of the use of a biomedical signature. In the case of the use of biomedical signature, the behavioral pattern (dynamics, inclination, pressure, etc.) is not captured, nor is it used as an identification tool. Neither in the remote identification test service, the image collection is not used as an identification tool, only as a means of verifying the correspondence of the presence of the interested party with the identity document shown and its retention is only intended to prove the correct intervention of ANF Certification Authority.

ANF Certification Authority does not process information classified as highly sensitive such as: health, sexual orientation, union affiliation, religion or race.

ANF Certification Authority only collects the data minimally necessary for the performance of the processing. The corresponding classification is recorded in the Register of Processing Activities (RAT),

ANF AC only collects the data minimally necessary for the performance of the processing.

https://www.anf.ac/registro-de-actividades-tratamiento-de-datos/

 

 

Data retention

The personal data provided will be kept for the time necessary to fulfill the purpose for which they are collected, and to determine the possible responsibilities that may arise from the treatment. In addition, account is taken of the periods established in the regulations on archives and documentation.

Whenever possible, ANF Certification Authority establishes retention periods, this information is accessible in the Register of Processing Activities (RAT),

https://www.anf.ac/registro-de-actividades-tratamiento-de-datos/

 

 

Correct / Update

Our goal is to have accurate and up-to-date information. If you consider that the personal data we process does not correspond to reality, please inform us.

We aim to have accurate and up-to-date information.

- E-mail to delegadoprotecciondatos @anf.ac

- Tel. +34 932 662 614.

- Tel.

For corrections and informative updates, we require documentation that proves the reliability of the required changes.

4How do we use your personal information?

The purpose of the processing of personal data corresponds to each of the processing activities carried out by ANF Certification Authority. The legal basis that legitimizes them is published in the Register of Processing Activities (RAT),

.

https://www.anf.ac/registro-de-actividades-tratamiento-de-datos/

 

Generally speaking it is worth mentioning:

 

 

Fulfillment of a contract

We need to collect your data and process it, in order to fulfill the services or products you have contracted with us.

 

Fulfillment of a legal obligation

Much of our activity is framed by laws that we must comply with. The legal framework imposes on us the collection of certain data and its processing, it can even determine the obligation to transfer data, e.g. court order.

Much of our activity is framed by laws that we must comply with.

External auditors, evidence that proves compliance A large part of our activity requires the preparation of internal and external audits that prove compliance with the rules and regulations to which we are subject. ANF Certification Authority has a legitimate interest in collecting, preserving and carrying out an adequate treatment that accredits our compliance with the rules and standards that we must comply with. Even giving access to external auditors.

 

Legitimate interest

We have a legitimate interest in collecting the information necessary to manage our networks and to understand how our networks are used. We must ensure their protection and manage the transactions carried out through them. For example, logging of LOGs, control of repeated accesses from the same IP in order to determine possible attacks such as DDoS. Or, logging of traceability in certified deliveries (IP, time, etc.) in order to obtain legal evidence of the service provided.

ANF Certification Authority has a legal interest in keeping you informed about our new products and services, as well as news that we deem of interest according to your profile. All our commercial or marketing information is related to our activity and the relationship we maintain with the interested parties. It is predictable information that does not cause surprise or concern in the recipient recipient.

In order to provide you with commercial information relevant to you, you may be able to view online advertising based on the use of cookies based on the accesses you have made on our website. This is known as interest-based advertising. The collection of user experience data may occur on our Website, on websites of other ANF Certification Authority Group companies, organizations and other online media such as social networks. If you do not want the information we collect through cookies to be used, please see our Cookie Policy to opt out of them.

Remember that opting out of interest-based advertising does not prevent ads from being displayed on ANF Certification Authoriy's corporate website– but will not be tailored to your interests. ANF Certification Authority has reached agreements with entities with Facebook or Google for the realization of online advertising activities, but in no case we have provided personal information.

We use a variety of analytics including research and “Big Data” procedures. Big Data is a mathematical technique that allows us to analyze large volumes of data to find hitherto unrevealed patterns and trends. At ANF Certification Authority we take very seriously this type of analysis, which is governed by the maximum of full compliance with current regulations and respect for the principle of transparency. In these analyses, we use only anonymized and aggregated data so that it is not possible to associate such information with identifiable individuals.

In our Big Data service we obtain anonymized and aggregated reports from third parties that provide it to us. We assure you that it is not possible to link this information to you or to any other natural person. For these reports, the information must be generated with at least 15 records as an unavoidable requirement. In no case we aggregate our data to third parties.
Our policy for these initiatives aims to go even further than what is required by law and, in order to comply with our duty of transparency, requires the obligation to provide you with the possibility to express your wish not to have your data taken into account in Big Data initiatives, which you can do at the time of contracting the services, or by communicating it by any telematic or physical means that we make available to you.
We may perform statistical analysis and market research, including monitoring how customers use our networks, products and services anonymously or personally.

5How do we share your personal information?

ANF Certification Authority, guarantees the confidentiality of the data collected. No assignment of personal data to third parties is made except,

 

General


  • Judges and courts, governmental agencies or other public authorities in case of legal obligation or authorization.
  • Third parties where such disclosure is necessary to comply with applicable law or other legal or judicial requirements.
  • Inspections performed by AEPD, or auditías performed by ENAC or external auditors.
  • Emergency services in the vital interest of the data subject.
  • Emergency services in the vital interest of the data subject.
  • Emergency services in the vital interest of the data subject.
  • Third party companies and service providers insofar as their intervention is necessary for the provision of service to ANF Certification Authority, acting as data processors in accordance with the instructions issued by ANF Certification Authority, the relationships being contractually formalized.
  • In addition, for an adequate treatment the personal data of the users, can be treated in the scope of the companies of the ANF Group.

Fraud control,

  • We will disclose your information, in a reasonable manner, in order to protect against fraud, defend our rights or property, or protect the interests of our customers.
  • We may also need to disclose your information in order to comply with our obligations to comply with the legal requirements of the Your personal data should only be provided when we, in good faith, believe that we are required to do so by law and in accordance with a thorough assessment of all legal requirements.

Third parties with whom we work

  • When you purchase ANF Certification Authority products and services through a Registration Authority, On-Site Verification Office, or other type of cooperating organization, we often exchange information with them as part of that relationship and for the purpose of managing your account – for example, to be able to identify your order and be able to pay such third parties.

Mergers and Acquisitions 

  • In the event that ANF Certification Authority is involved in any corporate movement or sale of the contracted activity, if necessary to continue providing services, we may provide your data to third parties involved in the merger or acquisition operation.

You can consult the recipients for each of the processing activities in the Register of Processing Activities (RAT),

https://www.anf.ac/registro-de-actividades-tratamiento-de-datos/

 

6International Data Transfers

We may need to transfer your information to ANF Group companies or service providers in countries outside the European Economic Community (EEC), however  this transfer will always be made to countries recognized by the EU Commission with adequate security level, or with certified companies that comply with agreements approved by the Commission, e.g. Privacy Shield. Privacy Shield. 

.

Countries with adequate level of security

  • Switzerland. Commission Decision 2000/518/EC of 26 July 2000.
  • Canada.* Commission Decision 2002/2/EC of 20 December 2001 with respect to entities subject to the scope of application of the Canadian Data Protection Act.
  • Argentina. Commission Decision 2003/490/EC, of June 30, 2003.
  • Guernsey. Commission Decision 2003/821/EC of 21 November 2003.
  • Isle of Man. Commission Decision 2004/411/EC of April 28, 2004.
  • Jersey. Commission Decision 2008/393/EC of 8 May 2008.
  • Faroe Islands. Commission Decision 2010/146/EU of 5 March 2010.
  • Andorra. Commission Decision 2010/625/EU of 19 October 2010.
  • Israel. Commission Decision 2011/61/EU of January 31, 2011.
  • Uruguay. Commission Decision 2012/484/EU of 21 August 2012.
  • New Zealand. Commission Decision 2013/65/EU, of December 19, 2012.
  • United States. Applicable to entities certified under the EU-US Privacy Shield. US. Commission Decision (EU) 2016/1250 of July 12, 2016.
  • Japan. Decision of January 23, 2019.

 

 

* PIPED Act (Personal Information Protection and Electronic Documents Act)

Federal privacy law for private sector organizations in Canadaá.

Federal privacy law for private sector organizations in Canada.

If ANF Certification Authority needs to send your information to a country that is not part of the EEC or is not included in the list of countries recognized by the EU Commission, we will inform you beforehand by outlining the risks involved; We will inform you in advance of the risks involved in the transfer, ensure that your information is adequately secured, require the third party to enter into a legal agreement that reflects these standards and recognizes your rights and the effective exercise of those rights. In addition, if necessary, we will request prior authorization from the Spanish Data Protection Agency (AEPD) to be authorized to carry out the international transfer.

7How long do we store your personal information?

The personal data provided will be kept for the time necessary to fulfill the purpose for which they are collected, and to determine the possible responsibilities that may arise from the purpose. In addition, account is taken of the periods established in the regulations on archives and documentation.

Whenever possible, ANF Certification Authority establishes retention periods that are accessible in the Register of Processing Activities (RAT),

https://www.anf.ac/en/registro-de-actividades-tratamiento-de-datos/

 

8Keeping your personal information safe

General Aspects

From a general point of view, all ANF Certification Authority information systems have security measures for the protection of information. The objective is to guarantee the full availability of the information to the interested parties, prevent any undue modification by safeguarding its integrity, and only allow access to authorized persons. All new processing respects privacy from the design stage.

ANF Certification Authority, submits all its information systems and organizational means to internal audits and independent auditors against standards and standards of the highest international prestige, we have achieved certifications in accordance with the following standards: ETSI standards corresponding to Regulation (EU) eIDAS, ISO 9001, ISO 27001, ISO 17024, ISO 14001. All certifications and compliance audits obtained by ANF Certification Authority are published on our website.

All certifications and compliance audits obtained by ANF Certification Authority are published on our website.

https://www.anf.ac/auditorias-de-conformidad/

In addition, ANF Certification Authority has carried out a Data Protection Impact Assessment (DPA) for each processing operation, having achieved a level of risk - low - with the application of the corresponding safeguards. In no case does ANF Certification Authority process data that is not at a low risk level, or on which authorization has been received from the AEPD to assume a higher risk, after performing the corresponding -prior consultation- established in the Regulation (EU) 679/2014 General Data Protection (RGPD).

 

Specific Services

Generally our services use additional security measures beyond those publicly disclosed. These additional security measures may vary depending on the service offered, more information is available in the policies corresponding to such services, and do not hesitate to consult us to clarify any question of your interest.


In some cases, you may need to register to perform a certain activity, P. (signature activation data). ANF Certification Authority in no case stores passwords or PINs, nor has the opportunity to do so; ANF Certification Authority uses technology based on digest algorithms -hash- SHA256 which allows performing control processes without the need to have the original key for verification. In case of loss or forgetting, ANF Certification Authority can only provide you with the restoration of your password, but in the case of PIN it is not even possible such restoration.


It is your sole responsibility to take any action contrary to the security rules, especially if you allow others to access your account, give up the use of your signature device, or give out your personal password or PIN. Write down this sensitive information in a safe and personal place.
All products and services distributed by ANF Certification Authority are configured according to the privacy by default principle. If you disable the security measures included in our products, you do so at your own risk.
ANF Certification Authority rejects any responsibility or liability caused by your decision or negligence to breach the required security standards.

9Your rights

Any person has the right to obtain confirmation about the processing that ANF AC performs on their personal data. ANF AC will facilitate to all interested parties the exercise of their rights diligently and free of charge.

The persons affected by data processing performed by ANF AC, are entitled to:

  • Request free access to their personal data.
  • Request its rectification.
  • Request deletion.
  • Request deletion.
  • Request the limitation of their processing.
  • Request the limitation of their processing.
  • Request the limitation of their processing.
  • To oppose the processing.
  • Request data portability.

Interested parties may access their personal data, as well as request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. In certain circumstances, interested parties may request the limitation, opposition to the processing and portability of their data. It is reported that the exercise of any right may hinder the legal basis on which the treatment is based, if necessary, appropriate legal measures will be taken. In case of doubt our Data Protection Officer will be pleased to answer any questions you consider appropriate to raise.

The interested parties if they consider that the processing of personal data concerning them violates the Regulation, have the right to receive attention and assistance from our Data Protection Officer, to file a complaint with the supervisory authority, in this case, the Spanish Data Protection Agency. And also, to exercise your right to effective judicial protection.

In case of security incidents that may affect the data subjects whose data we keep, ANF AC undertakes to inform and advise them properly.


Exercise of Rights

ANF AC, makes available to all interested parties the following means to exercise their rights,

Application sent by postal mail or personal visit to,

ANF AC.


Please note that by legal imperative, you will have to prove your identity,

  • In the case of written request include a photocopy of your ID card, or equivalent legal document.
  • In the case of a personal visit, you must show an original and valid ID card, or equivalent legal document.
  • In case of representation must have sufficient legal power of attorney.
  • If you contact by phone, follow the instructions of our staff, please note that you must be able to access your email account and / or cell phone that you provided at the time of collecting your data.
  • If you choose to fill in the electronic form for the exercise of rights available on our website, you must provide a digital copy of your ID card, or equivalent legal document.

You can freely draft your request or, if you wish, you can use the Exercise of Rights Form that ANF Certification Authority makes available to you as an optional support in the processing,

.

https://www.anf.ac/ejercicio-de-derechos/

This document incorporates the section EXPLANATION ABOUT YOUR RIGHTS, we recommend reading it when you wish to exercise any of them.

If you wish, you can exercise your rights through a third party representative. Your representative must formally accredit this legal capacity, either by power of attorney or document issued and signed by you, including a photocopy of your ID card, or equivalent legal document.

EXPLANATION ON YOUR RIGHTS


RIGHT OF ACCESS:

By exercising this right, you request that the right of access to the data processing carried out by the organization be provided free of charge within a maximum period of one month from receipt of this request, that all the information listed in Article 15 of the GDPR be sent to you at the above address by post, in a legible and intelligible form and within the time limit indicated.

You have the right to know:

  • Whether or not we are processing personal data concerning you.
  • The origin of your data, if it was not provided to us by you.
  • The purposes of the processing of your data.
  • The purposes of the processing of your data.
  • The categories of data being processed.
  • The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third parties or international organizations.
  • If possible, the expected retention period of the personal data, or, if not, the criteria used to determine this period.
  • If automated decisions - including profiling - are made using your personal data, you are informed of the data that has been stored about the data subject.

RIGHT OF RECTIFICATION:.

When exercising this right, it is requested that the right of rectification be provided free of charge, in accordance with the provisions of Article 16 of the GDPR. It will be necessary to provide the corresponding supporting documents.

  • You have the right to have your personal data accurate and up to date.
  • By completing them, if they are incomplete.
  • By updating them.
  • Updating or rectifying them, if they do not conform to the current reality or are inaccurate.


RIGHT OF WITHDRAWAL:

By exercising this right, you request that the right to erasure, or right to be forgotten, be provided free of charge in accordance with the provisions of Article 17 of the GDPR. This right can be exercised only if:

  • The data are no longer necessary for the purposes for which they were collected or processed.
  • If the data are no longer necessary for the purposes for which they were collected or processed.
  • If the processing was based on express consent, you withdraw your consent and the processing cannot be supported by any other legal basis.
  • If the processing was based on express consent, you withdraw your consent and the processing cannot be supported by any other legal basis.
  • You have previously successfully exercised the right to object to the processing of your data.
  • You have successfully exercised the right to object to the processing of your data.
  • The data have been processed unlawfully.
  • The data must be deleted.
  • The data must be deleted in order to comply with a legal obligation.

The stated requirements shall not apply as long as the processing is necessary for:

  • Exercise the right to freedom of expression and information.
  • For compliance with a legal obligation,
  • or.
  • for the performance of a task carried out in the public interest by the controller, or
  • for the formulation, exercise or defense of claims
  • .


RIGHT TO LIMITATION OF PROCESSING:
.

When exercising this right, we request that the right to the limitation of the indicated processing be provided free of charge, in accordance with the provisions of Articles 18 and 19 of the GDPR. In other words, that we keep them without using them for the intended purposes, provided that one of the following conditions is met:

  • You request the rectification of your personal data, for a period of time that allows us, as the organization responsible for the processing, to verify the accuracy of your personal data.
  • The processing is unlawful and you object to the deletion of the personal data, requesting instead the limitation of use.
  • We no longer need your personal data for the purposes of the processing, but you need them for the formulation, exercise or defense of claims.
  • If you have objected to the processing while we verify whether the legitimate grounds for processing outweigh your right.

Where the processing of personal data has been limited, such data may only be processed, with the exception of their retention, with your consent, for the formulation, exercise or defense of claims, to safeguard the rights of another natural or legal person, or for reasons of essential public interest. Once the limitation of the processing has taken place, you will be informed before the lifting of such limitation.


RIGHT TO DATA PORTABILITY:.

By exercising this right you request to be provided free of charge to the limitation of the processing indicated, in accordance with the provisions of Article 20 of the RGPD. We will make available to you the personal data provided by you in a structured, commonly used and machine-readable format. In addition,

  • You will have the right to ask us to transmit them directly to another data controller where this is technically possible.

You shall only have this right where:

  • We are processing your personal data on the basis of your express consent, or
  • the lawful basis is the performance of a contract, and,
  • provided that the processing is carried out by automated means.

RIGHT OF OPPOSITION:.

By exercising this right you request to be provided free of charge to the limitation of the indicated processing, in accordance with the provisions of Articles 21 and 22 of the GDPR. By this right you require us to stop using your personal data.

You can exercise your right to object when the processing has our "legitimate interests"as a lawful basis.

If the processing is based on your consent, you may withdraw your consent and obtain similar effects to the right to object.

RIGHT NOT TO BE THE SUBJECT OF AUTOMATED DECISIONS

Based on the processing of your personal data, including profiling

You can object to being subjected to a decision having legal effects or otherwise significantly affecting you, provided that it was based exclusively on automated processing of your data and without human intervention.

If you have been subject to a decision of the type described and you disagree, you may request that we review the decision to seek human intervention, express your views or otherwise challenge that decision.

You will not have the right to object when the decision made in an automated fashion:

  • Is necessary for the conclusion or performance of a contract to which you are a party,
  • It is authorized by law and there are adequate measures in place to safeguard your rights and freedoms, or
  • It is based on your explicit consent.


TERM AND TERM OF RELIEF

If within the period of one month, ANF Certification Authority does not communicate to you that it is not appropriate to attend all or part of the right exercised, it is mandatory that:

  • The communication is motivated in order to, where appropriate, request the protection of the Spanish Data Protection Agency, under Article 57 of the RGPD.
  • If prior to the claim before the Spanish Data Protection Agency, you consider that your rights have not been properly satisfied, you can request an assessment before the Data Protection Delegate.

10Our Data Protection Officer

Any person has the right to obtain confirmation about the processing that ANF Certification Authority performs on their personal data. ANF Certification Authority will facilitate to all interested parties the exercise of their rights diligently and free of charge.

The persons affected by data processing carried out by ANF Certification Authority, have the right to:

  • Request free access to your data.
  • Request its rectification.
  • Request suppression.
  • Request the limitation of your treatment.
  • Opposing treatment.
  • Request data portability.

Interested parties may access their personal data, as well as request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected. In certain circumstances, interested parties may request the limitation, opposition to the processing and portability of their data. It is reported that the exercise of any right may hinder the legal basis on which the treatment is based, if necessary, appropriate legal measures will be taken. In case of doubt, our Data Protection Delegate will be pleased to answer any questions you may have.

Data subjects, if they consider that the processing of personal data concerning them violates the Regulation, have the right to receive attention and assistance from our Data Protection Officer, to file a complaint with the supervisory authority, in this case, the Spanish Data Protection Agency. And also, to exercise their right to effective judicial protection.

In case of security incidents that may affect the data subjects whose data we keep, ANF Certification Authority undertakes to inform and advise them appropriately.

  • Exercise of Rights

ANF AC, makes available to all interested parties the following means to exercise their rights,

  • Application sent by mail or personal visit to,
    • ANF Certification Authoriy
    • Gran Vía de les Corts Catalanes, 996 planta 4ª Barcelona -08020- España
  • E-mail to,

delegadoprotecciondatos@anf.ac

  • Telephone call requested by our Data Protection Officer,

                                              +34 932 661 614

  • An electronic form is available on our Web site

                                              https://www.anf.ac/ejercicio-de-derechos/

 

Please note that by law, you will be required to prove your identity,

  • In the case of a written request, please include a photocopy of your ID card or legal document.
  • In the case of a personal visit, you must show an original and valid ID card or legal document.
  • In case of representation, legal power of attorney must be available.
  • If you contact us by phone, follow the instructions of our staff, please note that you must be able to access your email account and / or cell phone provided at the time of collecting your data.
  • If you choose to fill out the electronic form available on our website, you must provide a digital copy of your ID card or legal document.
  • If you do not wish to use our electronic form, you are free to write your request and send it by e-mail.

This document includes the section EXPLANATION OF YOUR RIGHTS, we recommend you to read it when you wish to exercise any of them. In addition, our Data Protection Officer (DPD) will provide you with all the help you need to effectively exercise your rights. The exercise of your rights and the support of our DPD is free of charge.

You may also, if you wish, exercise your rights through third party representation. Your representative must formally accredit this legal capacity, either by power of attorney or a document issued and signed by you, including a photocopy of your ID card, or equivalent legal document.

If you believe that we have not acted with sufficient diligence or that we have infringed your rights, you may file a complaint with the Spanish Data Protection Agency (AEPD),

 https://sedeagpd.gob.es/sede-electronica-web/vistas/formNuevaReclamacion/reclamacion.jsf

In addition, the AEPD provides you with information about your rights,

https://www.aepd.es/es/derechos-y-deberes/conoce-tus-derechos

And, a catalog of common questions on,

https://www.aepd.es/es/derechos-y-deberes/conoce-tus-derechos

 

EXPLANATION OF YOUR RIGHTS

 

  • RIGHT OF ACCESS:

In exercising this right, it is requested that the right of access to the data processing carried out by the organization is provided free of charge within a maximum period of one month from receipt of this request, that all the information listed in Article 15 of the GDPR is sent to the above address by mail, in a legible and intelligible form and within the time limit indicated.

You have the right to know:

  • Whether or not we are processing personal data concerning you.
  • The origin of your data, if not provided by you.
  • The purposes of the processing of your data.
  • The categories of data involved.
  • The recipients or categories of recipients to whom they were or will be communicated.

Personal data, in particular recipients in third parties or international organizations.

  • If possible, the expected retention period of the personal data, or if not, the criteria used to determine this period
  • If automated decisions - including profiling - are made using your personal data, you are informed of the data stored about the data subject.

 

  • RIGHT OF RECTIFICATION:

When exercising this right, the right of rectification is requested to be provided free of charge, in accordance with the provisions of Article 16 of the RGPD. It will be necessary to provide the corresponding supporting documents.

  • You have the right to keep your personal data accurate and current.
  • Completing them, if they are incomplete.
  • Updating or rectifying them, if they do not conform to the current reality or if they are inaccurate.

 

  • RIGHT OF SUPPRESSION:

By exercising this right, you request that the right to erasure, or right to be forgotten, be provided free of charge, in accordance with the provisions of Article 17 of the GDPR. This right can be exercised only if:

  • The data is no longer necessary for the purposes for which it was collected or processed.
  • If the processing was based on express consent, you withdraw your consent and the processing cannot be based on any other legal basis.
  • You have previously successfully exercised your right to object to the processing of your data.
  • The data have been processed unlawfully.
  • The data must be deleted in order to comply with a legal obligation.

 

Los requerimientos indicados no aplicarán siempre y cuando el tratamiento sea necesario para:

  • Exercise the right to freedom of expression and information.
  • For compliance with a legal obligation, or
  • for the performance of a task carried out in the public interest by the controller, or
  • for the formulation, exercise or defense of claims.

 

  • RIGHT TO LIMITATION OF PROCESSING:

In exercising this right, you request that we provide free of charge the right to limit the processing indicated, in accordance with the provisions of Articles 18 and 19 of the GDPR. That is, that we keep them without using them for the intended purposes, provided that one of the following conditions is met: 

  • You request the rectification of your personal data, for a period of time that allows us, as the organization responsible for the processing, to verify the accuracy of the data.
  • The processing is unlawful and he/she opposes the deletion of the personal data, requesting instead the limitation of use.
  • We no longer need your personal data for the purposes of processing, but you need them for the formulation, exercise or defense of claims.
  • If you have objected to the processing while it is being verified whether the legitimate reasons for processing outweigh your right.

Where the processing of personal data has been restricted, such data may only be processed, with the exception of their retention, with your consent, for the formulation, exercise or defense of claims, to safeguard the rights of another natural or legal person, or for reasons of essential public interest. Once the limitation of the processing has taken place, you will be informed before the lifting of such limitation.

 

  • RIGHT TO DATA PORTABILITY:

By exercising this right you request to be provided free of charge to the limitation of the processing indicated, in accordance with the provisions of Article 20 of the GDPR. We will make available to you the personal data you have provided in a structured, commonly used and machine-readable format. In addition,

  • You have the right to ask us to transfer them directly to another data controller when this is technically feasible.

You are only entitled to this right when: 

  • We are processing your personal data based on your express consent, or
  • the legal basis is the performance of a contract and,
  • provided that the treatment is carried out by means of

 

  • RIGHT OF OPPOSITION:

By exercising this right you request to be provided free of charge to the limitation of the processing indicated, in accordance with the provisions of Articles 21 and 22 of the RGPD. By this right you require us to stop using your personal data.

You can exercise your right to object when the processing is based on our legal basis “interests legitimate”.

If the processing is based on your consent, you can withdraw it and obtain effects similar to the right to object.

 

  • THE RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISIONS

Based on the processing of your personal data, including profiling.

You can object to being subjected to a decision that has legal effect or otherwise significantly affects you, provided that it was based solely on automated processing of your data and without human intervention.

If you have been subject to a decision of the type described above and disagree, you may request that we review the decision for human intervention, express your views, or otherwise challenge the decision. 

You will not have the right to object when the decision taken in automated form:

  • Is necessary for the conclusion or performance of a contract to which you are a party,
  • Is authorized by law and adequate measures are in place to safeguard their rights and freedoms, or
  • is based on your explicit consent.

 

  • TERM AND GUARDIANSHIP

If within one month, ANF Certificación Authority does not communicate that it is not appropriate to fully or partially meet the right exercised, it is mandatory that: 

  • The communication is motivated in order to, if necessary, request the protection of the Spanish Data Protection Agency, under Article 57 of the RGPD.
  • If prior to the claim before the Spanish Data Protection Agency, you consider that your rights have not been properly satisfied, you may request an assessment before the Data Protection Delegate.
11Reclamaciones - denuncias

You can submit your complaints through any of the following procedures:

 

  • Website:

Exercising your data protection rights at,

https://anf.sac/en/exercise-of-rights/

  • Denunciations:

https://anf.ac/en/complaints-and-claims/

  • Claims:

https://anf.ac/en/complaints-and-claims/

  • Notify incidents

https://anf.ac/en/complaints-and-claims/

  • Electronic mail data protection,

delegadoprotecciondatos@anf.ac

  • E-mail SAT Website

adiaz@anf.ac

  • Email SAT products and services

soporte@anf.ac

  • For personal visit, previously arrange time

Gran Vía de les Corts Catalanes, 996
floor 4; Barcelona - 08018 - España

Teléfono: +34 932 661 614

Customer Service

Monday - Friday

Monday - Friday

From 9:00 to 14:00 from 15:00 to 18:00