Data processing activities performed by ANF Certification Authority:
TREATMENTS ANF Certification Authority
1. Registration of certificate requests. - Certification Authority
| a) Legal basis | Execution of a contract. |
| c) Collective. | Customers of the service contracted to ANF Certification Authority. |
| d) Data Categories. | Content required by the legislation on certificates and those expressly requested by the interested party to be incorporated. Information verification reports. |
| e) Source of data | The interested parties themselves and third party sources consulted to verify the veracity of the information. |
| f) Target Category | The organization itself ANF Certification Authority, Control Authority, customers, legal and tax obligation. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD - RESULT | ANF Certification Authority 01 - Date: 02/02/2020 - Risk level score: low |
2. Register of electronic signature certificates issued. – Certification Authority
| a) Legal basis | |
| c) Collective. | Customers of the service contracted to ANF Certification Authority. |
| d) Data Categories. | Content required by the legislation on certificates and those expressly requested by the interested party to be incorporated. Information verification reports. |
| e) Source of data | The interested parties themselves and third party sources consulted to verify the veracity of the information. |
| f) Target Category | The organization itself ANF Certification Authority, Control Authority, customers, legal and tax obligation. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Safety measures. | |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 01 - Date: 02/02/2020 - Risk level score: low |
3. HR Registration. – Certification Authority
| a) Legal basis | Execution of a contract. If applicable, compliance with a legal obligation. |
| b) Treatment purposes | Management of labor personnel, assigned to ANF Certification Authority. Personal file. Schedule control. Incompatibilities. Training. Prevention of occupational hazards, absenteeism control. Infractions, disciplinary sanctions. Issuance of payroll, as well as all the products derived from it. Obtaining statistical or monographic studies destined to the economic management of the personnel. |
| c) Collective. | Labor personnel of ANF Certification Authority. |
| d) Data Categories. | Name and surname, DNI/CIF/identifying document, personnel registration number, Social Security/Mutuality number, address, signature and telephone number. Special categories of data: health data (sick leave, occupational accidents and degree of disability, without including diagnoses), union membership, for the sole purpose of payment of union dues (if applicable), union representative (if applicable), proof of attendance of own and third parties. Personal characteristics data: Sex, marital status, nationality, age, date and place of birth and family data. Family circumstances data: Date of registration and leave, licenses, permits and authorizations. Academic and professional data: Degrees, training and professional experience. Details of employment and administrative career. Incompatibilities. Attendance control data: date/time of arrival and departure, reason for absence. Economic-financial data: Payroll economic data, credits, loans, guarantees, tax deductions, reduction of credits corresponding to the previous job (if applicable), judicial withholdings (if applicable), other withholdings (if applicable). Bank details. CV, photocopy of ID card, photocopy of qualifications obtained, reports of references made to third parties, and reports verifying the veracity of the information. |
| e) Source of data | The interested parties themselves and third party sources consulted to obtain employment references and verify the veracity of the information. |
| f) Target Category | The ANF Certification Authority organization itself. In addition: Financial entities. State Agency of Tax Administration. Social Security and labor inspection. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and the processing of the data. The provisions of the archives and documentation regulations shall apply. The economic data of this processing activity will be kept under the provisions of Law 58/2003, of 17 December, General Taxation. |
| i) Safety measures. | |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 02 - Date: 02/02/2020 - Risk level score: low |
4. Role Registration. – Certification Authority
| a) Legal basis | Execution of a contract. If applicable, fulfillment of a legal obligation. |
| b) Treatment purposes | Management of labor personnel, assigned to ANF Certification Authority. Incompatibilities. Training. Prevention of occupational hazards. Infractions, disciplinary sanctions. Issuance of the payroll, as well as all the products derived from it. Obtaining statistical or monographic studies destined to the economic management of the personnel. |
| c) Collective. | ANF Certification Authority employees and personnel under service provision contracts. |
| d) Data Categories. | Name and surname, DNI/CIF/identifying document, personnel registration number, address, signature and telephone number, e-mail. Academic and professional data: Qualifications, training and professional experience. Incompatibilities. Attendance control data: date/time of arrival and departure, reason for absence. CV, photocopy of ID card, photocopy of qualifications obtained. |
| e) Source of data | The interested party himself. |
| f) Target Category | The organization itself ANF Certification Authority, auditors, control authority, clients, legal and fiscal obligation. |
| g) International Transf | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Safety measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to ETSI regulations that ANF Certification Authority. Regulatory compliance, especially the Law of Information Society Services and Telecommunications. It respects the provisions of the RGPD, and Organic Law 3/2018 data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 02 - Date: 02/02/2020 - Risk level score: low |
5. Time and Attendance Record. Certification Authority
| a) Legal basis | Compliance with a legal obligation. Royal Legislative Decree 2/2015, of October 23, 2015, approving the revised text of the Workers' Statute Law. |
| b) Treatment purposes | Management of labor personnel, issuance of payroll and compliance with the obligation to record working days. |
| c) Collective | Labor personnel of ANF Certification Authority. |
| d) Data Categories | Name and surname, DNI/CIF/identifying document, personnel registration number, signature. |
| e) Source of data | The interested party himself. |
| f) Target Category | The ANF Certification Authority organization itself, auditors, supervisory authority, clients, legal and fiscal obligation. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Safety measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to ETSI regulations that ANF Certification Authority. Regulatory compliance, especially the Law of Information Society Services and Telecommunications. It respects the provisions of the RGPD, and Organic Law 3/2018 data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 02 - Date: 02/02/2020 - Risk level score: low |
6. Register of certified scans. – Certification Authority
| a) Legal basis | Execution of a contract. |
| c) Collective | Customers of the service contracted to ANF Certification Authority. |
| d) Data Categories | Digitized documents. |
| e) Source of data | Contracting company in its capacity as data controller. |
| f) Target Category | Customers of the service contracted to ANF Certification Authority. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Safety measures. | The technical security measures implemented correspond to those required by the data controller, those foreseen in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority has implemented. Regulatory compliance. It respects the provisions of the RGPD, and Organic Law 3/2018 data protection. A risk analysis has been performed with a low risk level result. If possible non-compliance with the RGPD is detected, ANF Certification Authority assumes the responsibility to inform the data controller. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 03 - Date: 02/02/2020 - Risk level score: low |
7. Record of certified communications. – Certification Authority
| c) Collective | Senders and addressees of certified communications processed by ANF Certification Authority. |
| d) Data Categories | Name and surname, company to which it belongs, telephone number, e-mail address of sender. Name and surname, company to which it belongs, telephone number, e-mail address of addressee. Content of the communication. Date and time of dispatch, date and time of delivery, date and time of opening. |
| e) Source of data | Contracting company in its capacity as data controller. |
| f) Target Category | The contracting company and recipients of communications. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Safety measures. | The technical security measures implemented correspond to those required by the data controller, those foreseen in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority has implemented. Regulatory compliance. It respects the provisions of the RGPD, and Organic Law 3/2018 data protection. A risk analysis has been performed with a low risk level result. If possible non-compliance with the RGPD is detected, ANF Certification Authority assumes the responsibility to inform the data controller. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 04 - Date: 02/02/2020 - Risk level score: low |
8. Registration of Disciplinary Files. – Certification Authority
| a) Legal basis | Execution of a contract. If applicable, fulfillment of a legal obligation. |
| b) Treatment purposes | Management of labor personnel, assigned to ANF Certification Authority. Incompatibilities. Training. Prevention of occupational hazards. Infractions, disciplinary sanctions. |
| c) Collective | Labor personnel of ANF Certification Authority. |
| d) Data Categories | Name and surname, DNI/CIF/identifying document, personnel registration number, address, signature and telephone number, e-mail. Academic and professional data: Qualifications, training and professional experience. Incompatibilities. Attendance control data: date/time of arrival and departure, reason for absence. CV, photocopy of ID card, photocopy of qualifications obtained. |
| e) Source of data | The interested party himself. |
| f) Target Category | The ANF Certification Authority organization itself, auditors, supervisory authority, clients, legal and fiscal obligation. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Safety measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to ETSI regulations that ANF Certification Authority. Regulatory compliance, especially the Law of Information Society Services and Telecommunications. It respects the provisions of the RGPD, and Organic Law 3/2018 data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 06 - Date: 02/02/2020 - Risk level score: low |
9. Registration of RC Complaints. – Certification Authority
| a) Legal basis | Legitimate interest. |
| b) Treatment purposes | ANF Certification Authority considers of special importance to adequately assume its corporate social responsibility. To this end, it makes available to the public in general, and the company's own staff in particular, a register of communications that allows, anonymously, to report facts that contravene the corporate social responsibility policy of the organization. This register makes it possible to determine which senior management position will be responsible for managing the notification (investigation of the facts, delimitation of responsibilities, and application of measures if necessary). |
| c) Collective | Customers, employees, general public. |
| d) Data Categories | They may include personal data that allow the identification of individuals, and reports of events that may affect them as victims or perpetrators. |
| e) Source of data | General public and company staff in particular. |
| f) Target Category | Senior management of ANF Certification Authority, and legal obligation. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Safety measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to ETSI regulations that ANF Certification Authority. Regulatory compliance, especially the Law of Information Society Services and Telecommunications. It respects the provisions of the RGPD, and Organic Law 3/2018 data protection. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF Certification Authority |
| k) EIPD -RESULT | ANF Certification Authority 06 - Date: 02/02/2020 - Risk level score: low |
10. Invoicing and payment records. – Certification Authority
| a) Legal basis | Legitimate interest. |
| b) Treatment purposes | ANF Certification Authority, in its general activity, provides services that are invoiced and on which a payment control is required, within the administrative and financial management process of the organization. |
| c) Collective | Individuals and entities that have contracted and received a service from ANF Certification Authority. |
| d) Data Categories | Name and surname, address, telephone number, email, if applicable, company to which they belong, form and term of payment, VAT number, products or services supplied, amount and payment status. |
| e) Source of data | Contracting company in its capacity as data controller. |
| f) Target Category | Own organization ANF Certification Authority. AEAT. No information is provided to delinquency control databases. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They will be kept for a period of three months, after which they will be destroyed. |
| i) Safety measures. | The technical security measures implemented correspond to those required by the data controller, those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. It respects the provisions of the RGPD, and Organic Law 3/2018 data protection. A risk analysis has been performed with the result of a low risk level. If possible non-compliance with the RGPD is detected, ANF Certification Authority assumes the responsibility to inform the data controller. Risk analysis has been performed with a low risk level result. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 07 - Date: 02/02/2020 - Risk level score: low |
11. Customer registration (contact persons)
| a) Legal Basis | Obligation to perform the contract. |
| b) Treatment purposes | ANF Certification Authority has a client register, which allows the identification of the organisations with which it maintains a contractual relationship and the contact persons. |
| c) Collective | Clients (natural persons) and legal representatives of organisations with legal personality. |
| d) Data categories | Contact details of the client organisation, its representatives, consumption information, statistical data, accounting information. |
| e) Source of data | Client organisation's own and creditworthiness information obtained from third party sources. |
| f) Category of recipients | The ANF Certification Authority organisation itself, auditors, supervisory authority, legal and fiscal obligation. |
| g) Transf. International | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be retained for a period necessary to meet the obligations undertaken, and for the period required to be able to prove it. |
| i) Safety measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY. |
| k) EIPD -RESULT | ANF AC 07 - Date: 02/02/2020 - Result risk level: low |
12. Record of training provided (diplomas issued)
| a) Legal Basis | Performance of a contract. GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is party or for the implementation at the request of the data subject of pre-contractual measures. GDPR: 6.1.c) Processing necessary for compliance with a legal obligation applicable to the controller. General Data Protection Regulation. |
| b) Treatment purposes | Management and control of the training activities organized by ANF Certification Authority aimed at personnel of the organization itself, such as AR operators of the On-Site Verification Points and ARR Offices, as well as other courses that ANF Certification Authority may provide. With all participants, students and teachers, ANF Certification Authority has signed the corresponding service provision contract. |
| c) Collective | Teachers and students participating in ANF Certification Authority training courses. |
| d) Data categories | Teachers and students: Name and surname(s), ID card, address, telephone number, image, signature. Employment details: organisation or body and position held. Teachers: Academic and professional data: education, qualifications. Economic-financial data: bank details. |
| e) Source of data | Stakeholders. |
| f) Category of recipients | The ANF Certification Authority organisation itself, AEPD, ENAC, FUNDAE. In addition, the data of the teachers may appear in brochures or on the ANF Certification Authority website as part of the dissemination of training activities. The data of teachers of remunerated activities will be communicated to financial institutions, State Agency of Tax Administration. |
| g) Transf. International | No international transfer of data is foreseen. |
| h) Deadline for deletion | They will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any possible liabilities that may arise from this purpose and from the processing of the data. The provisions of the archives and documentation regulations shall apply. Teachers' data will be kept for future training activities, unless they request their deletion. In the case of remunerated activities, they will be kept in accordance with the provisions of Law 58/2003, of 17 December, General Taxation. |
| i) Safety measures | The technical security measures implemented correspond to those foreseen in ISO 27001, ISO 17024 and security standards related to the ETSI regulation that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis has been performed with a low risk level result. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY. |
| k) EIPD -RESULT | ANF Certification Authority 08 - Date: 02/02/2020 - Result risk level: low |
13. Certification Authority Campus student registration.
| a) Legal Basis | Contract performance. |
| b) Treatment purposes | A proper management and administration of the ANF Certification Authority Campus requires a control of the students who have the right to access and participate in the courses for which they have registered. In addition, it is necessary to manage their participation in the courses. |
| c) Collective | Students enrolled in ANF Certification Authority training courses. |
| d) Data categories | Name and surname, ID card or other identification document, Belonging to a company. Special categories of data: data corresponding to disability requiring adaptation of the examination. Personal characteristics data: address, telephone number, email address. Academic and professional data: qualifications, training and professional experience. Details of employment and professional experience in data protection. |
| e) Source of data | Stakeholders themselves. |
| f) Category of recipients | The ANF Certification Authority organisation itself and, in the case of subsidised training, Fundación Estatal para la Formación en el Empleo - FUNDAE. |
| g) Transf. International | No international transfer of data is foreseen. |
| h) Deadline for deletion | They will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any possible liabilities that may arise from this purpose and from the processing of the data. The provisions of the archives and documentation regulations shall apply. |
| i) Safety measures | The technical security measures implemented correspond to those foreseen in ISO 27001 and security standards related to the ETSI regulation that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD, Organic Law 3/2018 on data protection, legal regulations in this area and the guidelines of the European Data Protection Committee are respected. A risk analysis has been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY. |
| k) EIPD -RESULT | ANF Certification Authority 18 - Date: 02/02/2020 - Result risk level: low |
14. Registration of teachers Campus Certification Authority
| a) Legal basis | Obligation to perform the contract. |
| b) Treatment purposes | Manage the accesses and permissions of the ANF Certification Authority campus teachers. |
| c) Collective | Teachers who teach courses on the ANF Certification Authority virtual campus. |
| d) Data Categories. | First name and surname, ID card or other identification document, Membership of a company. Special categories of data: data corresponding to disabilities that require adaptation of the campus. Personal characteristics data: address, telephone, e-mail. Academic and professional data: qualifications, training and professional experience. |
| e) Source of data | Holders |
| f) Target category | The ANF Certification Authority organisation itself and, in the case of subsidised training, the State Foundation for Employment Training - FUNDAE. |
| g) International Transfer | No international transfer of data is foreseen |
| h) Deletion period | They shall be kept for the time necessary to comply with the obligations undertaken, and for the time necessary to be able to prove it. |
| i) Security measures | The technical security measures implemented correspond to those provided for in the ISO 27001 standard, and the security standards related to the ETSI regulations that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially with the Law on Information Society Services and Telecommunications. The provisions of the GDPR and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low level of risk. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD - Result | ANF Certification Authority 08 - Date: 02/02/2020 - Risk level of the outcome: low |
15. Biometric control register (physical access).
| a) Legal basis | Legitimate interest |
| b) Purposes of processing | Access control to ANF Certification Authority facilities. ANF Certification Authority carries out an activity that requires privacy and its assets must be protected. All this requires control of the people who access the organisation's facilities. The staff of the organization in its daily activity has a high degree of mobility, with constant entries and exits that must be registered but are materially impossible to manage through the physical access log. This register makes it possible to automate control, without capturing fingerprints and without associating it with a specific identity by applying pseudonymisation techniques. This processing does not allow the control of time spent on the premises and therefore cannot be used for other purposes such as productivity or behavioural control. |
| c) Collective. | ANF Certification Authority staff. |
| d) Data categories | Registration identification, biometric algorithm encoding. Other data: zone, day and time of entry. |
| e) Source of data | Holders |
| f) Target category | The ANF Certification Authority's own organisation. |
| g) International Transfer | No international transfer of data is foreseen. |
| h) Deletion period | The data shall be kept for a period of three months, after which time the data shall be destroyed, unless the organisation so requires. |
| i) Security measures | The technical security measures implemented correspond to those provided for in ISO 27001 and the security standards related to the ETSI regulations that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR, the Organic Law 3/2018 on data protection, the legal regulations on the matter, the WP160 2/2009 Opinion of the WG29, and the legal report published by the AEPD 2015-0065 are respected. A risk analysis has been carried out with the result of a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY. |
| k) EIPD -Result | ANF Certification Authority 09 - Date: 02/02/2020 - Risk level of the outcome: low |
16. Incident logging (security breaches).
| a) Legal basis | Legal obligation (Articles 73 and 74 of the LOPD 3/2018 in relation to Article 33 of the RGPD) and Article 19 of the eIDAS Regulation. |
| b) Purposes of processing | The GDPR obliges security controllers to notify the competent data protection supervisory authority and, where appropriate, the data subjects, of security breaches that occur. ANF Certification Authority, in order to have an adequate organisational measure to demonstrate compliance with its obligations, manages this Incident Log. |
| c) Collective. | Persons and entities that have contracted and received a service from ANF Certification Authority. |
| d) Data Categories. | Scope of the security breach, Processing affected, Effects, Date and time of detection, Identification of possible affected parties, (identification data), Actions taken. Communications made, Date and time of notification, Measures taken to avoid recurrence, Communication, if applicable, of the event with information on recommendations for measures to be taken. |
| e) Source of data | ANF Certification Authority, the affected parties themselves, contracted third parties |
| f) Target category | ANF Certification Authority's own organisation. AEPD, eIDAS Supervisory Authority and, where applicable, the data subjects concerned. |
| g) International Transfer | No international transfer of data is envisaged. |
| h) Deletion period | They shall be kept for a period of three months, after which time they shall be destroyed. |
| i) Security measures | The technical security measures implemented correspond to those provided for in the ISO 27001, ISO 17024 and ETSI-related security standards that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the GDPR and the Organic Law 3/2018 on data protection are respected. A risk analysis has been performed with a result of a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY. |
| k) EIPD -Result | ANF Certification Authority 10 - Date: 02/02/2020 - Risk level of the outcome: low |
17. Register of those affected.
| a) Legal basis | Legal obligation (Articles 74 ñ of the LOPD 3/2018 in relation to Article 34 of the RGPD) |
| b) Purposes of the processing | In accordance with the current legal regulations on data protection ANF Certification Authority assumes the obligation to notify data subjects in the event of a security breach for which it is required to manage the information in this regard. |
| c) Collective | Stakeholders. |
| d) Data Categories | Identification of possible affected parties, communication, where appropriate, of what has happened with information on the recommendations of the measures to be adopted. Information on the incident detected, date on which it became known, seriousness, measures adopted to resolve it, measures adopted to prevent it from occurring again, among others. |
| e) Origin of the data | ANF Certification Authority, the data subjects themselves, auditors, contracted third parties |
| f) Target category | The ANF Certification Authority organisation itself, client organisations, affected parties, auditors, supervisory authority. Legal obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Deletion period | The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it. |
| i) Security measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT | ANF Certification Authority 10 - Date: 02/02/2020 - Result risk level: low |
18 Registration of telephone calls revocations.
| a) Legal basis | Legal obligation laid down in Regulation (EU) 910/2014 EIDAS. |
| b) Purposes of processing | ANF Certification Authority, in its capacity as a Qualified Trust Service Provider, has the obligation to deal diligently with revocation requests. Certificate holders can carry out this procedure by telephone, provided that they pass the security controls that accredit the identity of the persons. |
| c) Collective | Certificate holders and ANF Certification Authority personnel. |
| d) Data Categories | Recorded voice. Other data: day and time |
| e) Origin of the data | The interested parties themselves, the person contacting and the ANF Certification Authority operator answering the call |
| f) Target category | The ANF Certification Authority organisation itself. |
| g) International transfer | International transfers of data are not foreseen. |
| h) Deletion period | The data will be kept for a minimum period of 15 years, after which time the data will be destroyed unless required by the organisation. |
| i) Security measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY. |
| k) EIPD - RESULT | ANF Certification Authority 11 - Date: 02/02/2020 - Result risk level: low |
19 Registration of telephone calls revocations. – Certification Authority
| a) Legal basis | |
| c) Collective | Certificate holders and personnel of ANF Certification Authority. |
| d) Data Categories | Telephone number, calling party. Recorded voice. Other data: date and time |
| e) Source of data | The interested parties themselves, the person who contacts and the ANF Certification Authority operator who answers the call. |
| f) Target Category | The organization itself ANF Certification Authority. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They will be kept for a minimum period of 15 years, after which time the data will be destroyed unless required by the organization. |
| i) Safety measures. | The technical security measures implemented correspond to those foreseen in ISO 27001, and security standards related to the ETSI standards that ANF Certification Authority. Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been performed with a low risk level result. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 11 - Date: 02/02/2020 - Risk level score: low |
20 Registration of telephone calls and hiring. – Certification Authority
| a) Legal basis | Execution of a contract. |
| b) Treatment purposes | This processing is carried out in order to accredit requests for services or purchases from customers, the information associated with the service, their conformity in the acquisition, and defense in the event of a claim. |
| c) Collective | General public and employees of ANF Certification Authority. |
| d) Data Categories | Telephone number, calling party. Recorded voice. Other data: date and time |
| e) Source of data | The interested parties themselves: the person who contacts and the ANF Certification Authority operator who answers the call. |
| f) Target Category | The organization itself ANF Certification Authority. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They will be kept for a period of five years, after which time the data will be destroyed unless required by the organization. |
| i) Safety measures | The technical security measures implemented correspond to those foreseen in ISO 27001, and security standards related to the ETSI standards that ANF Certification Authority. Regulatory compliance. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis has been carried out with the result of a low risk level. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 11 - Date: 02/02/2020 - Risk level score: low |
21 Registration of high confidence PKI operators. - Certification Authority
| a) Legal basis | Legitimate interest |
| c) Collective | Labor personnel of ANF Certification Authority. |
| d) Data Categories | Data of the authorized operators in ANF Certification Authority. Name, surname, cell phone, IP communication, technical data (browser, version, OS), day and time of access, hierarchical level, type of credentials required for authentication (login hash password, electronic certificate). |
| e) Source of data | The interested party himself. |
| f) Target Category | The ANF Certification Authority organization itself, auditors, supervisory authority, clients, legal and fiscal obligation. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Safety measures. | The technical security measures implemented correspond to those foreseen in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority has implemented. Regulatory compliance, especially the Law of Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 12 - Date: 02/02/2020 - Risk level score: low |
22 Registration of PKI operators. - Certification Authority
| a) Legal basis | Legitimate interest |
| c) Collective | Labor personnel of ANF Certification Authority. |
| d) Data Categories | Data of the authorized operators in ANF Certification Authority. Name, surname, cell phone, IP communication, technical data (browser, version, OS), day and time of access, hierarchical level, type of credentials required for authentication (login hash password, electronic certificate). |
| e) Source of data | The interested party himself. |
| f) Target Category | The ANF Certification Authority organization itself, auditors, supervisory authority, clients, legal and fiscal obligation. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Safety measures. | The technical security measures implemented correspond to those foreseen in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority has implemented. Regulatory compliance, especially the Law of Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 12 - Date: 02/02/2020 - Risk level score: low |
23 RDE operator registration. – Certification Authority
| a) Legal basis | Legitimate interest |
| c) Collective | Labor personnel of ANF Certification Authority. |
| d) Data Categories | Data of the authorized operators in ANF Certification Authority. Name, surname, cell phone, IP communication, technical data (browser, version, OS), day and time of access, hierarchical level, type of credentials required for authentication (login hash password, electronic certificate). |
| e) Source of data | The interested party himself. |
| f) Target Category | The ANF Certification Authority organization itself, auditors, supervisory authority, clients, legal and fiscal obligation. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Safety measures. | The technical security measures implemented correspond to those foreseen in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority has implemented. Regulatory compliance, especially the Law of Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 12 - Date: 02/02/2020 - Risk level score: low |
24 Registration of web contact forms. – Certification Authority
| a) Legal basis | Legitimate interest. |
| b) Treatment purposes | ANF Certification Authority, in its general activity, offers on its website the possibility for persons or companies interested in establishing contact with ANF Certification Authority to register through electronic forms published on different pages of its website, according to the type of interest (working at ANF Certification Authority, commercial interest, etc.). |
| c) Collective | People with an interest in ANF Certification Authority. |
| d) Data Categories | Name and surname, phone number, email address, company to which they belong, comments. |
| e) Source of data | Stakeholders themselves. |
| f) Target Category | The organization itself ANF Certification Authority. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They will be kept for a period of three months, after which they will be destroyed. |
| i) Safety measures | The technical security measures implemented correspond to those provided for in ISO 27001 and security standards related to the ETSI regulations that ANF Certification Authority. Regulatory compliance. The provisions of the RGPD, Organic Law 3/2018 on data protection, legal regulations in this area and guidelines of the European Data Protection Committee are respected. A risk analysis has been performed with the result of a low risk level. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 14 - Date: 02/02/2020 - Risk level score: low |
25 Complaints and suggestions
| c) Collective | Persons who address ANF Certification Authority and ANF Certification Authority's employees. |
| d) Data Categories | Name and surname, DNI/NIF/identifying document, address, telephone and signature. Other data: those included in the complaint or suggestion. |
| e) Source of data | The interested parties themselves: the person who contacts and the ANF Certification Authority operator who answers the call. |
| f) Target Category | The ANF Certification Authority organization itself and, as appropriate, legal action, including criminal prosecution. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and the processing of the data. The provisions of the archives and documentation regulations shall apply. |
| i) Safety measures. | The technical security measures implemented correspond to those provided for in ISO 27001 and security standards related to the ETSI regulations that ANF Certification Authority. Regulatory compliance. The provisions of the RGPD, Organic Law 3/2018 on data protection, legal regulations in this area and guidelines of the European Data Protection Committee are respected. A risk analysis has been performed with the result of a low risk level. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 15 - Date: 02/02/2020 - Risk level score: low |
26 Visitor registration. – Certification Authority
| a) Legal basis | Legitimate interest. |
| b) Treatment purposes | ANF Certification Authority performs an activity that requires privacy, and its assets must be protected. This requires control of the people who access the facilities of the organization. |
| c) Collective | Persons requesting access to ANF Certification Authority facilities and ANF Certification Authority personnel. |
| d) Data Categories | Name and surname, DNI/NIF, company represented and signature. Other information: day and time of entry / exit |
| e) Source of data | Stakeholders themselves. |
| f) Target Category | The organization itself ANF Certification Authority. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They will be kept for a period of three months, after which the data will be destroyed unless required by the organization. |
| i) Safety measures. | The technical security measures implemented correspond to those provided for in ISO 27001 and security standards related to the ETSI regulations that ANF Certification Authority. Regulatory compliance. The provisions of the RGPD, Organic Law 3/2018 on data protection, legal regulations in this area and guidelines of the European Data Protection Committee are respected. A risk analysis has been performed with the result of a low risk level. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 16 - Date: 02/02/2020 - Risk level score: low |
27 Register of data processors. – Certification Authority
| a) Legal basis | Compliance with legal obligation. Art. 28 point 3 of the RGPD. |
| b) Treatment purposes | ANF Certification Authority in its general activity, hires the services of third party organizations that collaborate in the processing of data. With all of them it has signed the corresponding contract as data processor. |
| c) Collective | Entities collaborating in the processing of data contracted by ANF Certification Authority. |
| d) Data Categories | Name and surname of the Director in charge, telephone, email. Name and surname of contact person, phone, e-mail. Company name, address, phone number, email, web site. Service contract. Adequacy analysis (Art. 28.1). |
| e) Source of data | Stakeholders themselves. |
| f) Target Category | Own organization ANF Certification Authority and compliance with legal obligation. |
| g) International Transf. | No international transfer of data is foreseen. |
| h) Deadline for deletion | They shall be kept for a period necessary to meet the obligations assumed, and the period required to be able to prove it. |
| i) Safety measures. | The technical security measures implemented correspond to those provided for in ISO 27001 and security standards related to the ETSI regulations that ANF Certification Authority. Regulatory compliance. The provisions of the RGPD, Organic Law 3/2018 on data protection, legal regulations in this area and guidelines of the European Data Protection Committee are respected. A risk analysis has been performed with the result of a low risk level. |
| j) Responsible entity | ANF Certification Authority. |
| k) EIPD -RESULT | ANF Certification Authority 17 - Date: 02/02/2020 - Risk level score: low |
28 Register of Suppliers (contact persons)
| a) Legal basis | Contractual performance obligation. |
| b) Purposes of the processing | ANF Certification Authority has a register of suppliers, which makes it possible to identify the organisations with which it has a contractual relationship and the contact persons. |
| c) Collective. | Customers (natural person) and legal representatives of organisations with legal personality. |
| d) Categories of Data. | Contact details of the client organisation, its representatives, consumption information, statistical data, accounting information. |
| e) Origin of the data | Own organisation |
| f) Target category | The ANF Certification Authority organisation itself, auditors, supervisory authority, clients, legal and fiscal obligation. |
| g) International transfers | International transfers of data are not foreseen. |
| h) Deletion period | The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT | EIPD 22 - Date: 01/02/2020 - Result risk level: low |
29 Termination Plan
| a) Legal basis | Fulfilment of a legal obligation. Art. 24.2, i) of the eIDAS Regulation and Art. 21 of the Spanish Law on Electronic Signatures. |
| b) Purposes of processing | Treatment operations aimed at compliance with the Cessation Plan. |
| c) Collective. | Users of ANF Certification Authority services. |
| d) Data Categories. | Data identifying users of services and operators. |
| e) Origin of the data | The data originate directly from the data subjects. |
| f) Category of recipients | The ANF Certification Authority organisation itself, the client organisations from which the data subject is requesting, other Qualified Trust Service Providers (PCSCs), auditors, supervisory authority, legal and tax obligation. |
| g) International Transfer | International transfers of data are not foreseen. |
| h) Deletion period | The data shall be kept for the period necessary to fulfil the obligations assumed, and the period required to be able to prove it. |
| i) Security measures | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on Data Protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT | ANF Certification Authority 26 - Date: 02/02/2020 - Result risk level: low |
30 Access audit log
| a) Legal basis | Legitimate interest |
| b) Purposes of the processing | ANF Certification Authority, as a Qualified Trust Service Provider, must carry out appropriate access management and administration to ensure security. Whenever someone uses a credential to identify themselves on the platform (login), an audit is managed as part of access control. |
| c) Collective | Customers, ANF Certification Authority staff |
| d) Data categories. | Account involved, Platform, Type of access, Day and Time, Access Attempts, Success/Failure, IP, OS and Browser, Geographical location (if possible). |
| e) Origin of the data | The data subject himself/herself. |
| f) Category of recipients | The ANF Certification Authority organisation itself, auditors, supervisory authority, clients, legal and fiscal obligation |
| g) International transfers | International transfers of data are not foreseen. |
| h) Period of deletion | The data shall be kept for the period necessary to fulfil the obligations assumed, and for the period required to be able to prove it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. A risk analysis and a data protection impact assessment have been carried out, resulting in a low risk level. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT | EIPD - Date: 01/02/2020 - Result risk level: low |
31 Register of job applications
| a) Legal basis | Consent of the data subject. (Article 6.1 a) of the RGPD.) |
| b) Purposes of the processing | To register job applications at ANF Certification Authority, store CVs and consult them for HR in order to comply with the data subject's application. |
| c) Collective | Users outside ANF Certification Authority |
| d) Data categories. | First name and surname, e-mail address and curriculum vitae which may contain other information in addition to special category data even though it is not in the interest of the data controller to process the latter. |
| e) Origin of the data | The data subject himself/herself |
| f) Recipient category | The ANF Certification Authority organisation itself, auditors, supervisory authority, customers, legal and tax obligation. |
| g) International transfers | International transfers of data are not foreseen. |
| h) Deletion period | The data shall be kept for a period of one year, which is the period necessary to meet the obligations assumed and the period required to be able to accredit it. |
| i) Security measures. | The technical security measures implemented correspond to those provided for in ISO 27001, and security standards related to the ETSI regulations that ANF Certification Authority is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and Telecommunications. The provisions of the RGPD and Organic Law 3/2018 on data protection are respected. Risk analysis has been carried out. |
| j) Responsible entity | ANF CERTIFICATION AUTHORITY |
| k) EIPD - RESULT | Under evaluation. |


