Privacy Policy

Date of publication 02.11.2020 version 1.4
1Our Privacy Policy


ANF Certification Authority (ANF AC), registered in the National Registry of the Ministry of the Interior,

No. 171,443. CIF G-63287510, has prepared this Privacy Policy to inform about your commitment to the protection of personal data, and to describe the criteria regarding the collection, use, preservation and disclosure of personalinformation obtained during visits our web pages, or in the provision of services that is carried out on this website(hereinafter, "Platform"), as well as the data that is collected in person in paper format, or in the use of theapplications and services of ANF AC.

Through this website no personal data is collected from users without their knowledge.

No data is transferred to third parties except when a disclosure is necessary to comply with applicable law, or other legal or judicialrequirements or auditing.

If you click on a link published on our platform to access another website, keep in mind

that the owner of the other website will have its own Privacy Policy. We recommend that you read his policy as we are notresponsible for what happens on your site.


Periodically this Privacy Policy is revised in order to keep it permanently updated. We carry out a version control and the publication date is reviewed, which corresponds to its entry into force. When a review of the document is carried out, during a period of three months the link is marked with thereview " Novelty "In that case, please check the changes made in order to to determine its acceptance or rejection. 

It is necessary to state that some of our services have a privacy statement specific that is complementary to this general Privacy Policy. Specifically you can access to the specificdeclarations in,

If you have any questions or concerns about this Privacy Policy, the specific statements, or any concerns aboutthe way in which your personal information has been managed, or you simply want to confirm if we process yourpersonal data, or need help

To exercise your data protection rights, you can contact our Delegate of Data Protection, 

- Email to

- Phone +34 932 662 614.

2Who is responsible for the processing of personal data?

For the purposes of data protection legislation, 

  • ANF AC, is responsible for the treatment in those processing of personal data in the which assumes responsibility for the collection of information, determines the end of the treatment and the legal basis that legitimizes it. Inparticular, all those treatments related to: clients, suppliers, Partners, OVP or AR operators, DPD candidates, professors, Campus students from ANF AC, examiners, supervisors, members of the Committee of Experts, auditors, visits face-to-face, telephone inquiries,newsletter recipients, CV of job applicants, survey participants, employees or freelance collaborators.
  • ANF AC, is co-controller of the treatment when you receive data from a person in charge of the treatment in order toprovide a service that involves the collection of data from other people, and It implies determining the purpose of the treatment and the legal basis that legitimizes it. In particular, in a merely illustrative: certifieddelivery service, certificate validation service and electronic signatures, remote identification test service.
  • ANF AC, is in charge of the treatment when you receive data from a data controller in order to provide a service whose purpose and legitimacy of the processing of personal data is the decision of the client responsiblefor the treatment. In this intervention, the relationship between ANF AC as In charge of the treatment is established by means of the corresponding contract.
  • Statement of responsibility of the General Directorate of ANF AC,

The personal data collected by ANF Certification Authority [ANF AC] or supplied for the provision of a service, are treatedconfidentially,complying with the commitments established in our Privacy Policy, and respecting current legislation on data protection, andother regulations related to our activity.

Díaz Vilches



Headquarters in which data processing is carried out,
Gran Vía de les Corts Catalanes, 996
4th floor Barcelona -08018- Spain 


Public attention
Monday to Friday
from 9 o'clock to 14:00 from 15:00 to 18:00


3Personal information we collect

The information we collect and how we do it may vary depending on the products and services. used and to which the interested party subscribes, also howthey have interacted in any of the our web platforms, e.g. by registering on our Website to request commercial information, answering surveys, signing up for the Newsletter distribution list, interested in working in ANFAC, etc

Likewise, it is convenient to remind you that some of our services have a Declaration of Specific privacy, in the event that you hire or use one of these services, previously consult the corresponding privacy statement. 

The data that we collect and the sources of collection appear in the Register of Activities of the Treatment (RAT).



Data category

We do not collect or process information from minors, or information that can be classified

as categories of sensitive data, e.g. in the case of use of biometric signature, the pattern is not captured behavior (dynamics,inclination, pressure, etc.), nor is it used as an identification instrument. Either

In the remote identification test service, the image collection is used as an instrument of identification, only as a means of verifying the correspondence of the presence of the interested party with the document of identity that shows and, its conservation is only intended to prove the correct intervention of ANF AC.

ANF AC does not process information classified as highly sensitive of the type: health, sexual orientation, unionaffiliation, religion or race.

ANF AC only collects the data minimally necessary to carry out the treatment. The corresponding classificationappears in the Registry of Treatment Activities (RAT),


Data retention

The personal data provided will be kept for the time necessary to comply with the purpose for which they are collected, and to determine the possible responsibilities that may be derive from the treatment.In addition, the periods established in the regulations of files and documentation.

Whenever possible, ANF AC establishes conservation periods, this information is accessible in the Treatment Activities Registry(RAT), 


Correct / Update

Our goal is to have accurate and up-to-date information. If the personal data that we process consider that they do notadjust to reality, we would appreciate if you inform us.


- Email to

- Phone +34 932 662 614.


To make corrections and informative updates, we need documentation that proves the reliability of requiredchanges.


4How do we use your personal information?


The purpose of the processing of personal data corresponds to each of the activities of treatment carried out by ANF AC. The legal basis that legitimizes them is published in the Register of Activities Treatment (RAT),


In general, it should be noted:


Fulfillment of a contract

We need to collect your data and process them, to comply with the services or products that you have contracted with us.

Compliance with a legal obligation

Much of our activity is framed by laws that we must comply with. The legal framework imposes the collection of certain data and its treatment, it can even determine the obligation to transfer of data, eg court order.

External audits, evidences that prove compliance A large part of our activity requires the preparation of internal and externalaudits that certify compliance with the rules and regulations to those of us who are subjected. ANF AC has a legitimate interest in collecting, conserving and processing appropriate that certifiesour conformity with the norms and standards that we must comply with. Even giving access to external auditors.

Legitimate interest

We have a legitimate interest in collecting the information necessary to manage our networks and understand the use made ofthem. We must guarantee their protection and manage transactions made through them. For example, logging, access control repeated from the same IP in order to determine possible attacks such as DDoS. Or, record of traceability in certified deliveries (IP, time, etc) in order to obtain legal evidence of the service provided.

ANF AC has a legitimate interest in keeping you informed about our new products and services, thus as news that we deem of interest according to your profile. All our commercial or marketing information It is related to our activity andthe relationship we maintain with the interested parties. It is information foreseeable that it will not cause surprise or concern in thereceiving recipient. 

In order to provide you with relevant commercial information for you, you can view online advertising based on the use of cookies according to the accesses you have made on our website. This is known as interest-based advertising. The collectionof data on user experience can occur on our Website, on websites of other companies of the ANF AC Group, of organizations and from other online communication media such as social networks. If you do not want the information that We obtain through cookies isused, see our Cookies Policy to exclude them.

Remember that opting out of interest-based advertising will not prevent your ads from are displayed on the ANF AC corporate website - but they will not be adapted to your interests. ANF AC has arrived to agreements withentities with Facebook or Google to carry out online advertising activities but in no case have we provided personal information. 

We use a variety of analytical methods including investigations and "Big Data" procedures. Big Data is a mathematicaltechnique that allows you to analyze large volumes of data to find the hitherto undisclosed patterns and trends. At ANFAC we take this type of analysis that is governed by the maximum of total compliance with current regulations and by respect for principle of transparency.In these analyzes we only use anonymized and aggregated data so that it is not possible to associate said information with identifiable natural persons. 

In our Big Data service we obtain anonymous and aggregated reports from third parties that they make it easy for us. We assure you that it is not possible to link said information with you, or with another person physical. For these reports, itmust be information generated with at least 15 records such as inescapable requirement. In no case do we add our data to third parties.

Our policy for these initiatives aims to go even further than what is required in the regulations and, for the sake of to comply with our duty oftransparency, requires the obligation to facilitate the possibility that you can express your wish so that your data is not taken into account in Big Data initiatives, which you can carry out at thetime of contracting the services, or communicating it by any telematic or physical means that we put at your disposal.

We can perform statistical analysis and market research, including monitoring of how customers use ournetworks, products and services anonymously or personally.

5How do we share your personal information?

ANF AC, guarantees the confidentiality of the data collected. No data is transferred to personal

to third parties except, 


  • Judges and courts, government agencies or other types of public authorities in case of legalobligation or authorization;
  • third parties where such a disclosure is necessary to comply with applicable law or other legal orjudicial requirements;
  • Inspections carried out by AEPD, or audits carried out by ENAC or external auditors;
  • emergency services for the vital interest of the interested party;
  • third-party companies and service providers as soon as their intervention is necessary for the provision ofservice to ANF AC, who act as managers of the

treatment in accordance with the instructions issued by ANF AC, being the relationships formalizedcontractually.

  • In addition, for an adequate treatment the personal data of the users, can be Treaties within thescope of the ANF AC Group

 Fraud control,

  • We will disclose your information, in a reasonable manner, in order to protect against fraud, defend ourrights or our property or protect the interests of our clients.
  • We may also need to disclose your information to comply with our Obligations to thelegal requirements of the Your data personal should only be provided when, in good faith, we believe that we are obliged to do so according to thelaw and according to a thorough evaluation of all Legal requirements.

Third parties we work with

  • When you acquire products and services from ANF AC through a Registration Authority, a On-site VerificationOffice, or other collaborating organization, often we exchange information with them as part of that relationship and in order to manage your account - for example, tobe able to identify your order and be able to pay to said third parties. 

Fusions and acquisitions


  • In the event that ANF AC is immersed in any corporate movement or sale of the contracted activity, ifnecessary to continue providing services, we can provide their data to third parties involved in the merger or acquisition operation.

. You can check the recipients for each of the treatment activities in the Registry of TreatmentActivities (RAT),


6International Data Transfers

We may need to transfer your information to companies of the ANF AC Group or to providers of services in countries outside the European Economic Community (EEC), notwithstanding this Transfer will always be made to countries recognized by the EU Commission with a security level appropriate, or with certified companies that comply with agreements approved by the Commission, eg Shield Of privacy.

Countries with adequate security level

  • Commission Decision 2000/518 / EC of July 26, 2000.
  • * Decision 2002/2 / EC of the Commission, of December 20, 2001, regarding the entities subject to the scope ofCanadian data protection law.
  • Decision 2003/490 / EC of the Commission, of June 30, 2003.
  • Decision 2003/821 / EC of the Commission, of November 21, 2003.
  • Isle of Decision 2004/411 / EC of the Commission, of April 28, 2004.
  • Decision 2008/393 / EC of the Commission, of May 8, 2008.
  • Faroe Commission Decision 2010/146 / EU, of March 5, 2010.
  • Decision 2010/625 / EU of the Commission, of October 19, 2010.
  • Decision 2011/61 / EU of the Commission, of January 31, 2011.
  • Decision 2012/484 / EU of the Commission, of August 21, 2012.
  • New Commission Decision 2013/65 / EU, of December 19, 2012.
  • Applicable to entities certified under the EU-US Privacy Shield. Decision (EU)2016/1250 of the Commission, of 12 July 2016.
  • Decision of January 23, 2019.

* PIPED Act ( Personal Information Protection and Electronic Documents Act)

Federal Privacy Act for Private Sector Organizations of Canada.


If ANF AC needs to send your information to a country that is not part of the EEC or is not included in the list of countries recognized by the EU Commission, we will inform you in advance by reviewing the risks involved in thetransfer, we will ensure that your information has measures adequate security measures, we will require the third party to enter into a legal agreement that reflects these standards and recognize theirrights and the effective exercise of them. Also, in the event that necessary, we will request prior authorization from the Spanish Agency for the Protection of Data (AEPD) to beauthorized to make the international transfer.

7How long do we keep your personal information?

The personal data provided will be kept for the time necessary to comply with the purpose for which they are collected, and to determine the possible responsibilities that may be derive from the purpose.In addition, the periods established in the regulations of files and documentation.

Whenever possible, ANF AC establishes retention periods that are accessible in the Registry of Treatment Activities (RAT),


8Keeping your personal information secure

General features

From a general point of view, all ANF AC computer systems have measures of security for the protection of information. The objective is to guarantee the full availability of the information to the interestedparties, prevent any undue modification while safeguarding its integrity, and only allow access to authorized persons. All newtreatment respects privacy from design. 

ANF AC, submits all its computer systems and organizational means to internal audits and independent auditors against norms and standards of the highest international prestige, we have achieved certifications in accordance with thefollowing standards: ETSI standards corresponding to the Regulation (EU) eIDAS, ISO 9001, ISO 27001, ISO 17024, ISO 14001. All certifications and audits of conformityobtained by ANF AC are published on our website.


In addition, ANF AC has carried out an Impact Assessment on Data Protection for each treatment (EIPD), havingachieved a level of risks -low- with the application of the corresponding safeguards. In no case does ANF AC carry outdata processing that is not at risk level low, or for which authorization has been received from the AEPD to assume a greater risk, after making the corresponding -previous consultation- established in Regulation (EU) 679/2014 General Data Protection (RGPD).

Specific Services

Generally, our services use security measures in addition to those published publicly. These additional security measures may vary depending on the service offered, plus information is available inthe policies corresponding to said services, and do not hesitate to consult us to clarify any question of your interest.

In some cases, you may need to register to perform a certain activity, e.g. a survey, a claim, or to obtaina particular service. It is possible that part of said The registration process consists of choosing a personal password –PIN-. ANF AC reminds you that You must protect yourpersonal password especially if it is a PIN ( signature activation data). ANF AC in no case stores passwords or PINs, nordoes it have the opportunity to do so; ANF AC uses technology based on digestion algorithms –hash- SHA256 which allows to carry out control processes without having to have theoriginal key for verification. In case of loss or forgetfulness, ANF AC can only facilitate the restoration of your password, but in the case of PIN it is not possible even said restoration.

Any action contrary to the safety regulations in

In particular, if you allow other people to access your account, give up the use of your signature device, or informs you of your personalpassword or your PIN. Write down this information in a safe and personal place sensitive.

All the products and services distributed by ANF AC are configured according to the principle of privacy by default. If youdisable the security measures included in our products, performed under your sole responsibility.

ANF AC rejects any responsibility or obligation caused by its decision or negligence of Failure to comply with therequired safety regulations.

9Your rights

Anyone has the right to obtain confirmation about the treatments that ANF AC carries out from your personal information. ANF AC will facilitate to all interested parties the exercise of their rights in a manner diligent and gratuitous.

People affected by data processing carried out by ANF AC, have the right to:

  • Request free access to your personal
  • Request its rectification
  • Request deletion
  • Request the limitation of your treatment
  • Object to treatment
  • Request data portability 

Interested parties may access their personal data, as well as request the rectification of the inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposesfor which they were collected. In certain circumstances, the interested parties may request the limitation, opposition to the treatment andportability of your data. It is reported that exercise of any right may hinder the legal basis on which the treatment is based, where appropriate, They will adopt theappropriate legal measures. In case of doubt, our Data Protection Officer He will gladly answer the questions that hedeems appropriate to raise.

Interested parties if they consider that the processing of personal data that concerns them violates the Regulation, they have theright to receive attention and help from our Data Protection Delegate, to file a claim with the control authority, in this case, the Spanish Protection Agency of data. And also,exercise your right to effective judicial protection.

In case of security incidents that may affect the interested parties whose data we keep, ANF AC undertakes to informand advise them appropriately.

  • Exercise of Rights

ANF AC, makes the following means available to all interested parties to exercise their rights,

  • Request sent by post or personal visit to,
    • ANF Certification Authority
    • Gran Vía de les Corts Catalanes, 996 4th floor Barcelona -08020- Spain
  • Email to,

  • Telephone call requesting by our Data Protection Delegate,

+ 34 932 661 614

  • An electronic form is available on our website

Keep in mind that by legal imperative, you must prove your identity,

  • In the case of a written request, include a photocopy of your ID, or equivalent legal
  • In the case of a personal visit, you must show your original and current DNI, or legal document
  • In case of representation, you must have sufficient legal power of
  • If you contact by phone, follow the instructions of our staff, keep in mind that You must be able toaccess your email account and / or mobile phone

that you provided at the time of collecting your data.

  • If you choose to fill in the electronic form of exercise of rights available in our website, you must providea digital copy of your ID, or equivalent legal
  • If you do not want to use our electronic form, you can freely draft your request and send it by email

This document incorporates the section EXPLANATION ABOUT YOUR RIGHTS, we recommend your reading when you want to exercise any of them. In addition, our Delegate for the Protection of Data (DPD) will give you all the help you need toeffectively exercise your rights. The Exercise of your rights and the support of our DPD is free.

Also, if you wish, you can exercise your rights through third party representation.

Your representative must formally accredit this legal capacity, either through power of attorney odocument issued and signed byyou, including a photocopy of your ID, or equivalent legal document.

In case it is considered that we have not intervened with sufficient diligence or that we have infringed your rights, you can file a complaint with the Spanish Data Protection Agency (AEPD), 

In addition, the AEPD provides you with information about your rights,

And, a catalog of common questions in,





By exercising this right, it is requested that the right of access to the treatment of data that the organization performs within a maximum period of one month from the receipt of this request, that all the relatedinformation in the Article 15 of the RGPD, in a legible and intelligible way and within the indicated period.

You have the right to know: 

  • Whether or not we are treating personal data that concerns
  • The origin of your data, if you did not provide it to
  • The purposes of the processing of your
  • The categories of data in
  • The recipients or categories of recipients to whom they were communicated or will be communicated personal data, in particular recipients in third parties or international organizations.
  • If possible, the foreseen period of conservation of personal data, or otherwise, the criteria used todetermine this
  • If automated decisions are made - including profiling - using your data personal information, you are informed of the data that has been stored about the interested party.



By exercising this right, it is requested that the right of rectification be provided free of charge, in accordance with with the provisions of article 16 of the RGPD. It will be necessary to provide the corresponding supporting documents. 

  • You have the right to have your personal data accurate and
  • Completing them, if they are
  • Updating or rectifying them, if they do not conform to current reality or are



By exercising this right, you request that the right of deletion, or the right to oblivion, in accordance with the provisions of article 17 of the RGPD. This right can be exercised only if:

  • The data are no longer necessary for the purposes for which they were collected or
  • If the treatment was based on express consent, you withdraw the consent and the treatment cannot beprotected on another legal
  • You have previously successfully exercised the right to object to the processing of your
  • The data has been unlawfully
  • The data must be deleted to comply with a legal

The indicated requirements will not apply as long as the treatment is necessary to:

  • exercise the right to freedom of expression and
  • For the fulfillment of a legal obligation, or
  • for the fulfillment of a mission carried out in the public interest by the responsible for thetreatment, or
  • for the formulation, exercise or defense of



By exercising this right, it is requested that the right to limit treatment be provided free of charge. indicated, in accordance with the provisions of articles 18 and 19 of the RGPD. That is, that we keep them without using them for their intended purposes, as long asany of the following conditions are met:

  • Request the rectification of your personal data, for a period that allows us, such as organizationresponsible for the treatment, verify their
  • The treatment is illegal and opposes the deletion of personal data, requesting in instead the limitationof
  • We no longer need your personal data for the purposes of the treatment, but you need for the formulation,exercise or defense of
  • If you have objected to the treatment while it is being verified whether the legitimate reasons for treating them prevail over your right.

When the processing of personal data has been limited, said data may only be subject to treatment, with the exception ofits conservation, with your consent, for the formulation, exercise or the defense of claims, to safeguard the rights of another natural or legal person, or by essential public interest reasons. Once the limitation of the treatment has occurred, you willbe informed before the lifting of said limitation.



When exercising this right, it is requested that it be provided free of charge to the limitation of the indicated treatment, in accordance with theprovisions of article 20 of the RGPD. We will make personal data available to you

that you have provided us in a structured, commonly used and machine-readable format. What's more,

  • You have the right to request that they be transmitted directly to another responsible for thetreatment when technically

You will only have this right when:

  • We are treating your personal data based on your express consent, or
  • the legal basis is the performance of a contract and,
  • provided that the treatment is carried out by automated



When exercising this right, it is requested that it be provided free of charge to the limitation of the indicated treatment, in accordance with theprovisions of articles 21 and 22 of the RGPD. Through this right requires us to let's stop using your personal data.

You can exercise your right of opposition when the treatment has as a legal basis our "interests legitimate ”. 

If the treatment is based on your consent, you can withdraw it and obtain effects similar to the right to opposition.

  • RIGHT NOT TO BE THE SUBJECT OF AUTOMATED DECISIONS Based on theprocessing of your personal data, including

You can object to being subjected to a decision with legal effects or that affects you in another way. significant, provided that it hasbeen based exclusively on the automated processing of your data and without human intervention.

If you have been the subject of a decision of the type described and you do not agree, you can request that we review the decision to seek human intervention, express your point of view, or contest in any way said decision.

You will not have the right to object when the decision made in an automated way:

  • It is necessary for the execution or execution of a contract of which you are a part,
  • Is authorized by law and there are adequate measures to safeguard your rights and freedoms, or
  • is based on your explicit



If within a period of one month, ANF Certification Authority does not inform you that it is not appropriate to attend Totally or partially the rightexercised, it is mandatory that:

  • The communication is motivated in order to, where appropriate, request the protection of the Agency Spanish DataProtection, under article 57 of the
  • If prior to the claim before the Spanish Agency for Data Protection, consider that

your rights have not been properly satisfied, you can request an assessment before the Data Protection Delegate.

10Our Data Protection Officer

Contact information:

Phone +34 932 661 614 

For a personal visit, make an appointment in advance.

  • Gran Vía de les Corts Catalanes, 996 4th floor Barcelona -08020- Spain


Public attention

Monday to Friday

from 9:00 a.m. to 2:00 p.m. from 3:00 p.m. to 6:00 p.m. 

Our Data Protection Officer will advise and help you in the exercise of your rights. You can consult himby any of the aforementioned means.

11Claims - complaints

You can file your claims using any of the following procedures:

  • Website:


Exercise of your data protection rights in,


Email SAT Website:

  • For a personal visit, make an appointment in Gran Vía de lesCorts Catalanes, 996 4th floor Barcelona - 08018 - Spain Telephone: +34 932 661614


Public attention
Monday to Friday
from 9:00 a.m. to 2:00 p.m. from 3:00 p.m. to 6:00 p.m.

12Information security, audits and impact assessments in data protection

At ANF AC we review all our computer systems and organizational means to internal audits and external auditors carried out by independent auditors of maximum international prestige. External audits are carried out with a maximum annual frequency. ANF AC is certified in conformity against thefollowing international norms and standards:

  • ETSI standards corresponding to Regulation (EU) eIDAS,
  • ISO 9001 Quality for CAs,
  • ISO 27001 Information Security and Management Systems,
  • ISO 17024 Certification of
  • ISO 14001 Environmental Management

All the certifications and audits of conformity obtained by ANF AC are published in our your website.

In addition, ANF AC has carried out an Impact Assessment on Data Protection for each treatment (EIPD), havingachieved a level of risks -low- with the application of the corresponding safeguards. In no case does ANF AC carry outdata processing that is not at risk level low, or for which authorization has been received from the AEPD to assume a greater risk, after making the corresponding -previous consultation- established in Regulation (EU) 679/2014 General Data Protection (RGPD).