Our privacy policy and cookies

1Our Privacy Policy

ANF Certification Authority (ANF AC), has developed this Privacy Policy to inform about its commitment toward the protection of personal data, and to describe the criteria related to the collection, use, conservation and dissemination of personal information obtained during visits to our web pages, or in the provision of the services that are carried out on this website (hereinafter, "platform") as well as the data are collected in person in paper format.

Through this website, personal data are not collected without users' knowledge nor are transferred to third parties.

If you follow a link from our website to another website, please be aware that the owner of the other website will have their own privacy and cookie policies. We recommend you to read said policies as we are not responsible for what happens on your site.

If you have any questions or comments about this Privacy Policy, or any concern about the way in which your personal information has been managed, or simply want to confirm if we process your data, you can contact our Data Protection Officer.

─ Email to: delegadoprotecciondatos@anf.es ,
─ Phone: 902 902 172.

CHECK THIS PRIVACY POLICY BEFORE USING OUR WEBSITE. IF YOU DO NOT ACCEPT OUR PRIVACY POLICY, DO NOT USE OUR WEBSITE. IF YOU PROVIDE ANY KIND OF PERSONAL INFORMATION, WE COMMIT YOU TO COMPLY WITH THE TERMS OF THIS PRIVACY POLICY.

This Privacy Policy is periodically reviewed in order to keep it permanently updated. We carry out a versioning control and review the effective publication date. When a document revision is made, the link is marked as “New” during a period of three months, please consult the changes made in order to determine its acceptance or rejection.

2Who is responsible for the processing of personal data?

ANF Certification Authority (ANF AC) is responsible for the processing of personal data.
It has been constituted under Organic Law 1/2002 March 22nd, and written in the Ministry of the Interior with national number 171.443 and company tax code G-63287510.

• Statement of responsibility of the General Directorate of ANF AC

The personal data collected by ANF Certification Authority (ANF AC), are treated confidentially, complying with the commitments established in our Privacy Policy, the current legislation on data protection and other standards related to our activity.

Florencio Díaz Vilches
ANF AC CEO

Headquarters where data processing takes place:

Barcelona Gran Vía de les Corts Catalanes, 996 4th floor
Barcelona -08018- Spain
Telephone: 902 902 172.

Customer Service
From Mondays to Fridays
from 9:00 a.m. to 14:00 p.m. from 15:00 p.m. to 18:00 p.m.

3Personal information we collect about you

The information we collect about you and how we do it may vary depending on the products and services you use and those you subscribe, also on how you interacted with the platform even if you are not a customer, e.g. by registering on our website to request commercial information, answering surveys, etc.

Likewise, it is convenient that you know that some of our services have a specific Privacy Policy that we will let you know in the event that you hire or use said services.

The data we collect about you and the sources of collection are recorded in the Data-Processing Activities Registry.

Categories of personal data
We do not collect or process personal data of children, or information that can be classified as sensitive data, e.g. in the case of biometric signature use, the pattern of behavior (dynamics, inclination, pressure, etc.) is not captured. We neither collect or process classified personal data concerning health, sexual orientation, trade union membership, religion or race.

ANF AC only collects the data that are minimally necessary for the processing. The corresponding classification is recorded in the .Data-Processing Activities Registry

Data storage
The personal data provided will be store for the time necessary to fulfill the purpose for which they were collected, and to determine the possible responsibilities that may arise from the purpose. In addition, the periods established in the regulations on files and documentation are taken into account.

Whenever possible, ANF AC establishes storage periods that are accessible in the Data-Processing Activities Registry.

Correct / Update
Users are offered the following options to change and modify the information provided.

  1. The Personal File section of your Profile allows registered users to change or modify the information provided above.
  2. Some services may contain a section called “Administration” from which users can change or modify the information previously provided for that service.
  3. In order to obtain assistance to remove or change the above selections, you can also send an email to:

webmaster@anf.es

If the information affects essential personal data or attributes, ANF AC may require documentation to verify the accuracy of the new data.

4How do we use your personal data?

The purpose of the processing of personal data corresponds to each of the processing activities carried out by ANF AC. The legal basis that legitimizes them are published in the .Data-Processing Activities Registry

ANF AC may use your personal data to:

Formalize the contract with us and allow its subsequent execution
We need to collect your data and perform their processing in order to comply with the services or products contracted by you.

Compliance with a legal obligation
Much of our activity is framed by laws that we must comply with. The legal framework imposes on us the collection of certain data and its processing; it can even determine the obligation to transfer said data, e.g. under a judicial order.

External audits/
Evidences that prove compliance with our activity requires the development of internal and external audits that accredit compliance with the standards and regulations. ANF AC has a legitimate interest in collecting, preserving and carrying out an adequate processing that proves our compliance with the norms and standards that we must comply with, even when external auditors have access to the information provided by our customers.

Manage our networks and understand the use of the network
The objective is to protect our networks and manage the transactions made through them, for example, repeated access from the same IP in order to detect possible hacker attacks. It also allows traceability record in certified deliveries (IP, time, etc.) in order to obtain legal evidence of the service provided.

Marketing and profile generation
In the event that you are our costumer, partner or you have registered on our website, ANF AC has a legitimate interest in keeping you informed about our new products and services, as well as news that we consider of interest according to your profile. We adapt these messages according to the types of products and services you have contracted, using the telematic means you have outlined for personal use, e.g. email, SMS, WhatsApp, push messages, phone, etc.

We can even send you newsletters or invite you to take part in surveys or commercial promotions of our services.

ANF AC does not make automated decisions.

Online advertising
In order to provide you relevant commercial information, you can access targeted advertising based on the use of cookies. This is known as interest-based advertising. This service can be provided by our website or websites of other companies of ANF AC Group, organizations and other online media such as social networks. If you do not want the information we obtain through cookies to be used, consult our Cookies Policy to exclude them.

Remember that the voluntary exclusion of interest-based advertising will not prevent ads from showing – but will not adapt to your interests. ANF AC has reached agreements with entities such as Facebook or Google to carry out interest-based advertising activities but in no case we have provided personal information.

Research and analysis (Big Data)
We use a variety of analytical methods, including "Big Data". Big Data is a mathematical technique that allows to analyze large volumes of data in order to reveal patterns, trends, and associations, especially relating to human behavior and interactions. ANF AC applies this type of analysis and make sure it takes place under compliance with current regulations and the principle of transparency. To perform these analysis we use only anonymised and aggregated data so that it is not possible to associate such information with identifiable natural persons.

Through our Big Data service we obtain anonymous and aggregated reports from third parties. ANF AC makes sure that it is not possible to link such information with costumers, or with another natural person. As an essential requirement, the information gathered to prepare this reports should come from 15 registries at least. In no case we add our data to third parties.

Our policy related to these initiatives aims to go even further than what is required by regulations and, in order to fulfill our duty of transparency, requires the obligation to provide customers with the possibility to refuse that the data provided by them are taken into account in Big Data initiatives. This refusal can be expressed at the time of contracting the services, or can be communicated by any telematic or physical means that we put at your disposal.

We use Big Data reports to:
Perform statistical analysis and market research, including monitoring how customers use our networks, products and services anonymously or personally.

5How do we share your personal information?

ANF AC, guarantees the confidentiality of the data collected. In the case where it is necessary, ANF AC may share information about you with:

General

  • judges and courts, government agencies or other public authorities in case of obligation or legal authorization;
  • third parties where a disclosure of this type is necessary to comply with the law applicable or other legal or judicial requirements;
  • inspections carried out by the Spanish Data Protection Agency, or audits carried out by the National Accreditation Body or external auditors;
  • emergency services for the vital interest of the interested party;
  • third-party companies and service providers as soon as their intervention is necessary for the provision of service to ANF AC, acting as processors in accordance with the instructions issued by ANF AC, through the corresponding contract relationship.
  • Furthermore, for an adequate processing the personal data provided can be processed within the scope of the companies of the ANF AC Group.

Fraud control

  • We will transfer your personal data, in a reasonable manner, in order to protect us against fraud, defend our rights or our properties or protect the interests of our customers.
  • We may also need to communicate your information to comply with our obligations to the requirements of the authorities. Your personal data should only be provided when, in good faith, we believe that we are required to do so according to the law and according to a thorough evaluation of all legal requirements.

Third parties we work with

  • When you purchase products and services from ANF AC through a Registration Authority, an Identity Verification Office, or other collaborating organization, we often exchange information with them as part of that relationship and in order to manage your account - for example, to be able to identify your order and pay to these third parties.

Mergers and Acquisitions

  • In the event that Vodafone is involved in in a market movement or sale of the contracted activity, if necessary to continue providing services, we may provide your data to third parties involved in the merger or acquisition operation.

    You can consult the recipients for each of the processing activities in the Registro de Actividades del TratamientoData-Processing Activities Registry.

6International Data Transfers

We may need to transfer your information to companies of the ANF AC Group or to service providers in countries outside the European Economic Community (EEC), however this transfer will always be made to countries recognized by the EU Commission with appropriate security level, or with certified companies that comply with agreements approved by the Commission, e.g. Privacy Shield.

Countries which ensure an adequate level of protection
- Switzerland. Commission Decision 2000/518 / EC of July 26, 2000.
- Canada.* Commission Decision 2002/2 / EC of December 20, 2001, regarding entities subject to the scope of the Canadian data protection law.
- Argentina. Commission Decision 2003/490 / EC of June 30, 2003.
- Guernsey. Commission Decision 2003/490 / EC of June 30, 2003.
- Isle of Man Commission Decision 2004/411 / EC of April 28, 2004.
- Jersey. Commission Decision 2008/393 / EC of May 8, 2008.
- Faroe Islands. Commission Decision 2010/146 / EU of March 5, 2010.
- Andorra. Commission Decision 2010/625 / EU of October 19, 2010.
- Israel. Commission Decision 2011/61 / EU of January 31, 2011.
- Uruguay. Commission Decision 2012/484 / EU of August 21, 2012.
- New Zealand. Commission Decision 2013/65 / EU of December 19, 2012..
- United States. Applicable to entities certified under the EU-US Privacy Shield. Commission Decision (EU) 2016/1250 of July 12, 2016.
- Japan. Decision of January 23, 2019.

* PIPED Act (Personal Information Protection and Electronic Documents Act)
Federal privacy law for private-sector organizations in Canada.

If ANF AC needs to send your information to a country that is not part of the EEC or is not included in the list of countries recognized by the EU Commission, we will inform you beforehand by describing the risks involved in the transfer, we will ensure that your personal data are protected by adequate security measures. We will also ask the third party to enter into a legal agreement that reflects those standards and recognizes your rights and the effective exercise thereof. In addition, if necessary, we will request in advance, the authorization of the Spanish Data Protection Agency to be authorized to make the international transfer.

7How long we store your personal information?

The personal data provided will be store for the time necessary to fulfill the purpose for which they were collected, and to determine the possible responsibilities that may arise from the purpose. In addition, the periods established in the regulations on files and documentation are taken into account.

Whenever possible, ANF AC establishes storage periods that are accessible in the Data-Processing Activities Registry.

8Saving your personal information securely

General features
From a general point of view, all computer systems of ANF AC count on security measures for the protection of information. The objective is to guarantee the full availability of the information to interested parties, prevent any undue modification by safeguarding its integrity, and only allow access to authorized persons.

ANF AC, submits all its computer systems and organizational means to internal audits and independent auditors to norms and standards of international renowned prestige, such as ETSI standards in compliance with Regulation (EU) eIDAS, ISO 9001, ISO 27001, ISO 17024. All certifications and audits of conformity results are set out on ANF AC's website.

In addition, ANF AC has carried out an Impact Assessment related to data processing and its protection, having achieved an acceptable level of risks with application of the corresponding safeguards. In no case does ANF AC carry out data processing that is not at an acceptable risk level, or on which authorization has been received from the Spanish Data Protection Agency to assume a higher risk.

Specific Services
Our services usually count on additional security measures to those contemplated in the public area of the platform. These additional security measures may vary depending on the service offered. More information is available in the policies corresponding to those services, so do not hesitate to contact us to clarify any question of your interest.

In some cases, you may need to register to perform a particular activity, e.g. a survey, a claim, or to obtain a specific service. It may be that part of this registration process consists in the choice of a personal password -PIN-. ANF AC reminds you to protect your personal password, especially if it is a PIN (signature activation data). In no case ANF AC stores passwords or PINs, nor does it have the opportunity to do so. ANF AC uses the latest generation of hash technology. In case of loss or forgetfulness, ANF AC can only facilitate the restoration of your password, but in the case of a PIN even said restoration it is not possible.

It falls under your exclusive responsibility any action contrary to the security rules in particular, if you allow other people to access your account, give up the use of your signature device, or report your personal password or PIN.
Write down this sensitive information in a safe and personal place.

All products and services distributed by ANF AC are configured according to the default privacy principle. If you deactivate the security measures included in our products, you do so under your sole responsibility.

ANF AC disclaims any responsibility or obligation caused by your decision or negligence to violate the required safety regulations.

9Your rights

Anyone has the right to obtain confirmation about the personal data processing performed by ANF AC. ANF AC will facilitate all interested parties to exercise their rights diligently and free of charge.

People affected by data processing carried out by ANF AC, have the following rights:

  • right of access by the data subject
  • right to request rectification
  • right to request erasure (‘right to be forgotten’)
  • right to request restriction of processing
  • right to object
  • right to request data portability

Those interested may access their personal data, as well as request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data are no longer necessary for the purposes that were collected. In certain circumstances, the interested parties may request the restriction of processing and portability of their data. It is reported that the exercise of any right may hinder the legal basis on which the processing is based, where appropriate, the legal measures will be taken. In case of doubt, our Data Protection Officer will gladly answer the questions that you consider appropriate.

In case of security incidents that may affect the interested parties whose data we guard, ANF AC undertakes to inform and advise them adequately.


• Exercise of Rights

ANF AC, makes available to all interested parties the following means to exercise their rights:

Request sent by postal mail or personal visit to:


Please note that due to legal imperative, you must prove your identity:

  • In the case of a written request, include a photocopy of your ID, or equivalent legal document.
  • In the case of a personal visit, you must show original and current ID, or equivalent legal document.
  • In case of legal representative, you should have sufficient legal power.
  • If you contact us by phone, follow the instructions of our staff and keep in mind that you must be able to access your email account and / or mobile phone provided at the time of collecting your personal data.
  • If you make your mind to complete the electronic form related to exercise of rights available on our website, you must provide a digital copy of your ID, or equivalent legal document.

You can freely write your request or, if you wish, you can use the Rights Exercise Form that ANF AC makes available to you as optional support under the following link:

  • An electronic form is available on our website:
    https://www.anf.es/en/ejercicio-de-derechos/

    This document incorporates the section EXPLANATION ON YOUR RIGHTS. We recommend you to read it at the time you wish to exercise any of them.

    If you wish you can exercise your rights through a third party acting as a representative. This representative must formally prove legal capacity, either by power of attorney or document issued and signed by you, including photocopy of your ID, or equivalent legal document.



    EXPLANATION ON YOUR RIGHTS

    • RIGHT OF ACCESS:

    When exercising this right, it is requested that the right of access to the data processing that the organization carries out within a maximum period of one month from the receipt of this request, this information must be sent by mail and free of charges to the address indicated above according to the article 15 of the GDPR, it must be sent in a legible and intelligible way and within the indicated term.

    You have the right to know:

    • Whether or not we are processing personal data that concerns you.
    • The source of your data, if you did not provide it to us.
    • The purposes of the processing of your personal data.
    • The categories of personal data concerned.
    • The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations.
    • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
    • The existence of automated decision-making, including profiling, by using your personal data. In such a case you will be informed of the data that has been stored by the interested party.

    • RIGHT TO RECTIFICATION:

    When exercising this right, it is requested that the right to rectification be provided free of charge, in accordance with the provisions of article 16 of the GDPR. It will be necessary to provide the corresponding supporting documents.

    • You have the right to the accuracy and updating of your personal data.
    • Completing them, if they were incomplete.
    • Updating or rectifying them, if they do not conform to current reality or are inaccurate.


    • RIGHT TO ERASURE (‘RIGHT TO BE FORGOTTEN’)

    By exercising this right, you request that the right to erasure, or right to be forgotten, be provided free of charge, in accordance with the provisions of article 17 of the GDPR. This right can be exercised only if:

    • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
    • If processing was based on the express consent, you withdraw the consent and the processing cannot be covered by another legal grounds.
    • You have previously successfully exercised the right to object to the processing of your data.
    • Your personal data have been unlawfully processed.
    • The data must be erased for the fulfillment of a legal obligation.

    The indicated requirements will not apply as long as the processing is necessary to:

    • Exercise the right to freedom of expression and information.
    • For the fulfillment of a legal obligation, or
    • For the fulfillment of a mission carried out in the public interest by the person responsible for the processing, or
    • For the formulation, exercise or defense of legal claims.


    • RIGHT TO RESTRICTION OF PROCESSING

    When exercising this right, it is requested that the right to the restriction of the indicated processing be provided free of charge, in accordance with the provisions of articles 18 and 19 of the GDPR. That is, that we keep them without using them for the intended purposes, as long as any of the following conditions are met:

    • You request the rectification of your personal data, during a period that allows us, as the organization responsible for the processing, to verify their accuracy
    • The processing is unlawful and you oppose the erasure of personal data, requesting instead the restriction of its use.
    • We no longer need your personal data for the purposes of the processing, but you need them for the formulation, exercise or defense of legal claims.
    • You have opposed the processing while checking if the legitimate grounds for treating them prevail over your right.

    Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. Once the restriction of processing has occurred, you will be informed before the lifting of such restriction.


    • RIGHT TO DATA PORTABILITY

    When exercising this right, it is requested that it be provided free of charge to the restriction of the indicated processing, in accordance with the provisions of article 20 of the GDPR. We will put at your disposal the personal data that you have provided in a structured format, commonly used and mechanical reading. Furthermore:

    • You will have the right to request they are transmitted directly from one controller to another, where technically feasible.

    You will only have this right when:

    • We are processing your personal data based on your express consent, or
    • The legal basis is the fulfillment of a contract and,
    • The processing is carried out by automated means.

    • RIGHT TO OBJECT:

    When exercising this right, it is requested that it be provided free of charge to the restriction of the indicated processing, in accordance with the provisions of articles 21 and 22 of the GDPR. Through this right, officers are required to stop using your personal data.

    You can exercise your right to object when the processing of your personal data is based on your legitimate interests..

    If the processing is based on your consent, you can withdraw it and obtain effects similar to the right to object.


    • RIGHT TO OBJECT AND AUTOMATED INDIVIDUAL DECISION-MAKING

    Based on the processing of your personal data, including profiling.

    The data subject shall have the right not to be subject to a decision with legal effects or otherwise affecting you in a significant way, provided that it has been based exclusively on the automated processing of your data and without human intervention.

    If you have been subject to a decision of the type described and you do not agree, you can request that we review the decision to seek human intervention, express your point of view or challenge that decision in any way.

    You will not have the right to object when the decision automatically taken is:

    • Necessary for the conclusion or execution of your contract,
    • Authorized by law and there are adequate measures to safeguard your legitimate interests and freedoms, or
    • Based on your explicit consent.


    • DEADLINE AND GUARDIANSHIP

    If, within one month, ANF Certification Authority does not inform you that it is not appropriate to fully or partially address the right exercised, it is mandatory that:

    • The communication is motivated in order to, whenever appropriate, request the protection of the Spanish Data Protection Agency, under Article 57 of the GDPR.
    • If, prior to the legal claim before the Spanish Data Protection Agency, you consider that your rights have not been properly satisfied, you may request an assessment before the Data Protection Officer.

  • 10Our Data Protection Officer

    Contact information:

    For personal visit you should previously arrange time.

    • Barcelona
      Gran Vía de les Corts Catalanes, 996 4th floor
      Barcelona - 08020 - Spain
      Telephone: 902 902 172

    Customer service
    From Mondays to Fridays
    from 9:00 a.m. to 2:00 p.m/ from 3:00 p.m. to 6:00 p.m.

    Our Data Protection Officer will advise and guide you in the exercise of your rights. You can consult the Data Protection Officer by any of the means described above.

    11Claims - complaints

    You can file your claims using any of the following procedures:

    12Information security, audits and impact assessments in data protection

    ANF AC, submits all its computer systems and organizational means to internal audits and independent auditors to norms and standards of international renowned prestige.

    External audits are carried out at least once a year. ANF AC is certified in compliance with the following international standards:

    • ETSI standards in compliance with the requirements laid down in eIDAS Regulation
    • ISO 9001, Quality Management System
    • ISO 27001, Information Security Management System.
    • ISO/IEC 17024: Conformity assessment - General requirements for bodies operating certification of persons

    All certifications and audits of conformity results are set out on ANF AC's website:
    https://www.anf.es/en/acreditaciones/

    In addition, ANF AC has carried out an Impact Assessment related to data processing and its protection, having achieved an acceptable level of risks with application of the corresponding safeguards. In no case does ANF AC carry out data processing that is not at an acceptable risk level, or on which authorization has been received from the Spanish Data Protection Agency to assume a higher risk.

    ANF AC services are officially accredited and published under the following link:
    https://www.anf.es/en/acreditaciones/

    English