Data Processing Activities carried out by ANF AC:

1Registration of electronic signature certificates issued


a) Legal basis Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
b) Purposes of the processing ANF AC as a qualified Trust Services Provider, provides the certificate issuing service. This service, for its proper management and administration, requires keeping a record of issued certificates.
c) Collective Users of the service contracted to ANF AC.
d) Categories of personal data concerned Content required by legislation regarding qualified certificates and those expressly requested by the interested party to be incorporated. Personal information verification reports.
e) Source of the data The interested parties and third-party sources consulted to verify the accuracy of the information.
f) Categories of recipients of the personal data The ANF AC organization itself, eIDAS auditors, Control Authority, users, legal and fiscal obligation.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for a period necessary to meet the obligations assumed, and the one required to be able to accredit it.
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001, and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance to the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights are taken into account. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


2Registration of certificate requests.


a) Legal basis Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
b) Purposes of the processing ANF AC as a qualified Trust Services Provider, provides the certificate issuing service. This service, for its proper management and administration, requires keeping a record of certificates requested.
c) Collective. Users of the service contracted to ANF AC.
d) Categories of personal data concerned Content required by legislation regarding qualified certificates and those expressly requested by the interested party to be incorporated. Personal information verification reports.
e) Source of the data The interested parties and third-party sources consulted to verify the accuracy of the information.
f) Categories of recipients of the personal data The ANF AC organization itself, eIDAS auditors, Control Authority, users, legal and fiscal obligation.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for a period necessary to meet the obligations assumed, and the one required to be able to accredit it.
i) Security measures. The technical security measures implemented correspond to those provided in ISO 27001, and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance to the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights are taken into account. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


3Registration of certified digitizations. - AC


a) Legal basis The technical security measures implemented correspond to those provided in ISO 27001, and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights are taken into account. Risk analysis has been carried out and low risk level results were obtained.
b) Purposes of the Data Processing ANF AC as a Qualified Trust Services Provider, provides the service of certified digitizations according to AEAT regulations. This service, for its proper management and administration, requires keeping a record of the digitizations made.
c) Collective. Users of the service contracted to ANF AC.
d) Categories of personal data concerned Scanned documents.
e) Source of the data Hiring company as responsible for the processing.
f) Categories of recipients of the personal data Users of the service contracted to ANF AC.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for a period necessary to meet the obligations assumed, and the one required to be able to accredit it.
i) Security measures The technical security measures implemented correspond to those required by the controller, those provided in ISO 27001, and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights are taken into account. Risk analysis has been carried out and low risk level results were obtained. If non-compliance with the GDPR is observed, ANF AC assumes the responsibility of informing to the controller. Risk analysis has been carried out with a low risk level result.
j) Responsible entity: ANF Certification Authority.


4Registration of certified communications


a) Legal basis Execution of a contract, ANF AC acts as a processor. GDPR: 6.1.b) Treatment necessary for the performance of a contract to which the data subject is a party or for the application of pre-contractual measures at the request of the data subject.
b) Purposes of the Data Processing ANF AC as a qualified Trust Services Provider, provides certified communications service. Said service, for its proper management and administration, requires keeping a record of the communications processed, senders and recipients.
c) Collective. Senders and recipients of certified communications processed by ANF AC.
d) Categories of personal data concerned Name and surname, company to which it belongs, telephone, email address of the sender. Name and surname, company to which it belongs, telephone, email address of the recipient. Content of the communication. Date and time of delivery, date and time of delivery, date and time of opening.
e) Source of the data Hiring company as responsible for the processing.
f) Categories of personal data concerned The hiring company and recipients of communications.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for a period necessary to meet the obligations assumed, and the one required to be able to accredit it.
i) Security measures The technical security measures implemented correspond to those required by the controller, those provided in ISO 27001, and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights are taken into account. Risk analysis has been carried out and low risk level results were obtained. If non-compliance with the GDPR is observed, ANF AC assumes the responsibility of informing to the controller. Risk analysis has been carried out with a low risk level result.
j) Responsible entity: ANF Certification Authority.


5Register of Registration Authority Operators.


a) Legal basis The technical security measures implemented correspond to those required by the controller, those provided in ISO 27001, and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights are taken into account. Risk analysis has been carried out and low risk level results were obtained. If non-compliance with the GDPR is observed, ANF AC assumes the responsibility of informing to the controller.
b) Purposes of the Data Processing ANF AC as a Qualified Trust Services Provider, counts on the collaboration of operators assigned to offices that make up the network of Identity Verification Offices (IVO) and Recognized Registration Authorities (RRA) by ANF AC. ANF AC has signed service provision contracts with all of them, which requires the proper data management by the Registration Authority Operators.
c) Collective. RA operators of ANF AC.
d) Categories of personal data concerned Name and surname, National Identity Card, tax identification code, telephone number, e-mail address. Test performed and its result. Identity Verification Offices or Recognized Registration Authorities (RRA) to which they belong.
e) Source of the data The hiring company as responsible for the processing.
f) Categories of personal data concerned The ANF AC organization itself, eIDAS auditors and the competent supervisory authority.
g) International transfers No international data transfers are foreseen.
h) Deletion period When your data are no longer necessary to determine responsibilities in relation to your professional performance, and the accreditation of compliance with the obligations assumed by ANF AC.
i) Security measures. The technical security measures implemented correspond to those required by the controller, those provided in ISO 27001, and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights are taken into account. Risk analysis has been carried out and low risk level results were obtained. If non-compliance with the GDPR is observed, ANF AC assumes the responsibility of informing to the controller.
j) Responsible entity: ANF Certification Authority.


6Human Resources Management


a) Legal basis The technical security measures implemented correspond to those required by the controller, those provided in ISO 27001, and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights are taken into account. Risk analysis has been carried out and low risk level results were obtained. If non-compliance with the GDPR is observed, ANF AC assumes the responsibility of informing to the controller.
b) Purposes of the Data Processing Management of labor personnel assigned to ANF AC. Personal file. Time control. Incompatibilities. Training. Prevention of occupational risks and absenteeism control. Offenses and disciplinary sanctions. Issuance of personnel payroll, as well as all products derived from it. Collecting statistical or monographic studies for the economic management of personnel.
c) Collective. ANF AC's staff.
d) Categories of personal data concerned. Name and surname, DNI/CIF/identifying document, personnel registration number, Social Security/Mutuality number, address, signature and telephone. Special categories of data: health data (sick leave, occupational accidents and degree of disability, not including diagnoses) union membership, for the sole purpose of paying union dues (if applicable), union representative (if applicable), receipt of attendance from own and third parties. Personal characteristics data: Sex, marital status, nationality, age, date and place of birth and family data. Data on family circumstances: Date of registration and cancellation, licences, permits and authorizations. Academic and professional data: Qualifications, training and professional experience. Detailed data on employment and administrative career. Incompatibilities. Presence control data: date/entry and exit time, reason for absence. Economic-financial data: Economic data on payroll, credits, loans, guarantees, tax deductions from assets corresponding to the previous job (if applicable), judicial deductions (if applicable), other deductions (if applicable). Bank details. CV, photocopy of ID, photocopy of degrees obtained, reports of references made to third sources, and reports of verification of veracity of the information.
e) Source of the data The interested parties and third-party sources consulted to obtain work references and verify the veracity of the information.
f) Recipient category The ANF AC organization itself. In addition: Financial institutions. State Agency for Tax Administration. Social Security and labor inspection.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for the time necessary to fulfil the purpose for which they were collected and to determine the possible responsibilities that could derive from this purpose and from the processing of the data. The provisions of the archives and documentation regulations shall apply. The economic data will be kept under the provisions of Spanish Law 58/2003, of December 17, on General Taxation.
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR, the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights, legal regulations in this field and guidelines of the European Data Protection Committee are taken into account.
Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


7Billing and payment record


a) Legal basis: Legitimate interest.
b) Purposes of the Data Processing ANF AC in its general activity, provides services that are billed and that require payment control, within the administrative and financial management process of the organization.
c) Collective. Customers and entities that have hired and received services from ANF AC.
d) Categories of personal data concerned Name and surname, address, telephone number, email, if applicable, company to which they belong, payment method and term, NIF, products or services provided, amount and payment status.
e) Source of the data Contracting company as the data controller.
f) Recipient category The ANF AC organization itself, State Agency for Tax Administration. No information is provided to the data bases of bad debt control.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for a period of three months, then they will be erased.
i) Security measures. The technical security measures implemented correspond to those required by the controller, the ones provided in ISO 27001, and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights are taken into account. Risk analysis has been carried out and low risk level results were obtained. If non-compliance with the GDPR is observed, ANF AC assumes the responsibility of informing to the controller.
j) Responsible entity: ANF Certification Authority.


8Training Record


a) Legal basis GDPR: 6.1.b) Treatment necessary for the performance of a contract to which the data subject is a party or for the application of pre-contractual measures at the request of the data subject. GDPR: 6.1.c) Treatment necessary to comply with a legal obligation applicable to the data controller. General Data Protection Regulation.
b) Purposes of the Data Processing Management and control of the training activities organized by ANF AC aimed at personnel of the organization itself, such as RA operators of the Identity Verification Offices and RRA Offices, as well as other courses that ANF AC can teach. ANF AC has signed the corresponding service provision contract with all the participants involved, including students and teachers.
c) Collective. Teachers and students who participate in ANF AC's training courses.
d) Categories of personal data concerned. Teachers and students:
Name and surname, National Identity Card, NIF, Identification document, address, telephone, image, signature. Employment details: entity or agency and position occupied.
Teachers:
Academic and professional details: training received, qualifications. Economic-financial data: Bank data
e) Source of the data The interested themselves.
f) Recipient category The ANF AC organization itself, AEPD, ENAC, FUNDAE. In addition, teachers' data may be reflected in brochures or on the ANF AC's website as part of the dissemination of training activities. The data of the professors related to remunerated activities will be communicated to the financial entities, such as the State Agency of the Tax Administration.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from said purpose and the processing of the data. The provisions of the archives and documentation regulations shall apply.
Teachers' data will be kept for future training actions, unless they request its deletion. In the case of paid activities, they will be kept under the provisions of the General Taxation Law 58/2003, of December 17, 2003.
i) Security measures. The technical security measures implemented correspond to those provided in ISO 27001, ISO 17024 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights.
Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


9Register of Biometric control (physical accesses)


a) Legal basis Legitimate interest.
b) Purposes of the Data Processing Access control to the ANF AC's facilities. Activities carried out by ANF AC require privacy and its assets must be protected. All this requires control of the people who access the organization's facilities. The staff of the organization in its daily activity has a high degree of mobility and constant entries and exits must be registered but it is materially impossible to manage them through physical access register. This registry allows the automation of the control, without fingerprint capture and without associating it with a specific identity when implementing pseudonymization techniques. This process does not allow the control of the entire period that people spend in their work places, so it cannot be used for other purposes such as productivity or behavioral control.
c) Collective. ANF AC's staff.
d) Categories of personal data concerned. ID, biometric algorithm code. Other information: zone, day and time of entry.
e) Source of the data Interested customers themselves: interested person who contact and ANF AC's operator who answer the call.
f) Recipient category The ANF AC organization itself.
g) International transfers No international data transfers are foreseen.
h) Deletion term They will be kept for a period of three months, then they will be erased unless the organization needs them.
i) Security measures. The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR, the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights and other legal regulations in this field such as Opinion 2/2009 on the protection of children's personal data, and legal report published by the AEPD 2015-6565. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


10Record of incidents (security breaches)


a) Legal basis Legal obligation. GDPR: 5.2 Without prejudice to the legal effect given to pseudonyms under national law, the use of pseudonyms in electronic transactions shall not be prohibited.
b) Purposes of the Data Processing The GDPR requires, from the security officers, the communication to the supervisory authority about control related to data protection and, where appropriate, to the interested parties about the security breaches that may occur. ANF AC manages this record of incidents in order to implement adequate organizational measures that allow to demonstrate compliance with its obligations.
c) Collective. People and entities that have hired and received services from ANF AC.
d) Categories of personal data concerned Name and surname, phone number, email, if applicable, company to which they belong.
Scope of the security breach
Affected processing
Date and time it is detected
Measures taken
Communications made
Date and time the incident was reported the supervisory authority
e) Source of the data Interested customers themselves: interested person who contact and ANF AC's operator who answer the call.
f) Category recipients The ANF AC organization itself, AEPD and, where appropriate, affected stakeholders.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for a period of three months, then they will be erased.
i) Security measures. The technical security measures implemented correspond to those provided in ISO 27001, ISO 17024 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


11Registry of calls. – AC / EC


a) Legal basis Legitimate interest..
b) Purposes of the Data Processing ANF AC provides trust services to carry out transactions that can presuppose personal responsibilities, such as financial damages if clients misuse our instruments. For example: when facilitating their PIN to third parties or transferring private keys, etc. Proper advice is highly important for your interests
The purpose of this processing is to verify the quality of the services received, both from the point of view of comprehensive language and the veracity of the information communicated and, even, to certify whether operators have incur in any type of responsibility.
c) Collective. Customers and ANF AC's staff.
d. Categories of personal data concerned. Telephone number from which the call is made.
Recorded voiceover
Other information: day and time
e) Source of the data Interested customers themselves: interested person who contact and ANF AC's operator who answer the call.
f) Recipient category The ANF AC organization itself.
g) International transfers No international data transfers are foreseen.
h) Deletion term They will be kept for a period of one year, then they will be erased unless the organization needs them.
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


12Registry of calls and revocation requests. – AC / EC


a) Legal basis Legal obligation established by the eIDAS Regulation.
b) Purposes of the Data Processing ANF AC, in its capacity as Qualified Trust Services Provider, has the obligation to diligently respond to revocation requests. The holders of the certificates can carry out this procedure by telephone as long as it fulfills the security controls that accredit the holder's identity.
c) Collective Certificate holders and ANF AC's staff.
d. Categories of personal data concerned Telephone number from which the call is made
Recorded voiceover
Other information: day and time
e) Source of the data Interested customers themselves: interested person who contact and ANF AC's operator who answer the call.
f) Recipient category The ANF AC organization itself..
g) International transfers No international data transfers are foreseen.
h) Deletion term They will be kept for a period of 15 years at least, then they will be erased unless the organization needs them.
i) Security measures. The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity ANF Certification Authority.


13Registry of calls and contracted services


a) Legal basis Execution of a contract.
b) Purposes of the Data Processing This processing is carried out in order to accredit the requests of contracted services or customer´s purchases, the information associated with the service, whether the customer is satisfied or not, and defense in case of a claim.
c) Collective Customers and ANF AC's staff.
d. Categories of personal data concerned. Telephone number from which the call is made
Recorded voiceover
Other information: day and time
e) Source of the data Interested customers themselves: interested person who contact and ANF AC's operator who answer the call.
f) Recipient category The ANF AC organization itself.
g) International transfers No international data transfers are foreseen.
h) Deletion term They will be kept for a period of five year, then they will be erased unless the organization needs them.
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority..


14Web contact form


a) Legal basis Legitimate interest.
b) Purposes of the Data Processing ANF AC in its general activity, offers the possibility to access a website to those people or companies interested in establishing contact with ANF AC. They can fill out electronic forms that are published on different pages of their website, according to the corresponding interest (apply for a job at ANF AC, commercial interest. etc.).
c) Collective People interested in ANF AC's services.
d. Categories of personal data concerned. Name and surname, phone number, email, company to which they belong, comments.
e) Source of the data The interested themselves.
f) Recipient category The ANF AC organization itself.
g) International transfers No international data transfers are foreseen.
h) Deletion term They will be kept for a period of three months, then they will be erased..
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR, the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights, legal regulations in this field and guidelines of the European Data Protection Committee are taken into account. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority..


15Complaints and suggestions


a) Legal basis Legitimate interest.
b) Purposes of the Data Processing Registration and processing of complaints and suggestions related to the provision of services by ANF AC as a Qualified Trust Service Provider, and as a Certification Body according to DPO-AEPD Scheme.
c) Collective People who have requested ANF AC's services and ANF AC's staff.
d. Categories of personal data concerned. Name and surname, DNI / NIF / Identification document, address, telephone and signature. Other information: those collected in the complaint or suggestion.
e) Source of the data Interested customers themselves: interested person who contact and ANF AC's operator who answer the call.
f) Recipient category The ANF AC organization itself and, when appropriate, legal action will take place including criminal proceedings.
g) International transfers No international data transfers are foreseen.
h) Deletion term They will be kept for the time necessary to fulfil the purpose for which they were collected and to determine the possible responsibilities that could derive from this purpose and from the processing of the data. The provisions of the archives and documentation regulations shall apply
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority..


16Control access to the building. – AC / EC


a) Legal basis Legitimate interest.
b) Purposes of the Data Processing Access control to the ANF AC's facilities. Activities carried out by ANF AC require privacy and its assets must be protected. All this requires control of the people who access the organization's facilities.
c) Collective Persons who might access ANF AC's facilities and ANF AC's staff.
d. Categories of personal data concerned. Name and surname, DNI / NIF / Details of company represented by visitors and the corresponding signatures.
Other information: date/entry and exit time
e) Source of the data The interested themselves.
f) Recipient category The ANF AC organization itself.
g) International transfers No international data transfers are foreseen.
h) Deletion term They will be kept for a period of three months, then they will be erased unless the organization needs them
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority..


17Register of Processors


a) Legal basis Legal obligation according to Article 28 (3) GDPR.
b) Purposes of the processing ANF AC in its general activity, hires the services of third parties that collaborate in data processing. With all of them, ANF AC has signed the corresponding contract as processor.
c) Collective. Entities hired by ANF AC that collaborate in data processing.
d) Categories of personal data concerned. Name and surname of the entity's Director, telephone, email.
Name and surname of the contact person, telephone, email.
Entity's name, address, telephone, email, web.
Service provision contract.
Analysis of adequacy according to Article 28 (1) GDPR.
e) Source of the data The interested themselves.
f) Recipient category ANF AC organization itself in compliance with legal obligations.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for a period necessary to meet the obligations assumed, and the one required to be able to accredit it.
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR, the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights, legal regulations in this field and guidelines of the European Data Protection Committee are taken into account. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


18Register of students at ANF AC's Campus.


a) Legal basis The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
b) Purposes of the processing The adequate management and administration of ANF AC's Campus requires a control of the students who have the right of access and to participate in the teaching subjects for which they have processed their registration. In addition, it is necessary to manage their participation in the courses offered.
c) Collective. Students enrolled in ANF AC training courses.
d. Categories of personal data concerned Name and surname, DNI / or other identification document
Company to which they belong
Special categories of personal data: data related to disabilities that require alternative exam or assessment arrangements.
Personal characteristics data: address, telephone, email.
Academic and professional data: Qualifications, training and professional experience.
Employment detail data and professional experience in data protection.
e) Source of the data The interested themselves.
f) Recipient category ANF AC organization itself and, in the case of bonus training, the State Foundation for Employment Training (FUNDAE).
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for the time necessary to fulfil the purpose for which they were collected and to determine the possible responsibilities that could derive from this purpose and from the processing of the data. The provisions of the archives and documentation regulations shall apply.
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR, the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights, legal regulations in this field and guidelines of the European Data Protection Committee are taken into account. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


19CCTV System Registration


a) Legal basis Legitimate interest.
b) Purposes of the processing Access control to ANF AC's facilities. ANF AC carries out activities that require privacy and its assets must be protected. Control of people who access the organization's facilities is required.
c) Collective. People who might access ANF AC's facilities.
d) Categories of personal data concerned Image recording and real-time surveillance system without image recording.
e) Source of the data The interested themselves.
f) Recipient category ANF AC organization itself.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for a period of one year, then they will be erased unless the organization needs them.
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR, the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights and guidelines according to the legal reports in this field published by the AEPD under the following link:
https://www.aepd.es/media/informes/informe-juridico-rgpd-grabacion-de-imagenes-y-voz-proporcionalidad.pdf
https://www.aepd.es/media/informes/informe-juridico-rgpd-camaras-en-tiempo-real.pdf

Risk analysis has been carried out with a low risk level result.

j) Responsible entity: ANF Certification Authority.


20Register of Training Centers


a) Legal basis Execution of a contract.
GDPR: 6.1.b) Treatment necessary for the performance of a contract to which the data subject is a party or for the application of pre-contractual measures at the request of the data subject. GDPR: 6.1.c) Treatment necessary to comply with a legal obligation applicable to the data controller. Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers' Statute Law.
b) Purposes of the processing ANF AC as a Certification Entity according to the DPO-AEPD Scheme, must manage a register of Training Centers which has signed contracts with and whose training agenda has been accredited. Training entities available must be published on the ANF AC's website.
c) Collective. Training entities whose training agenda has been accredited by ANF AC.
d) Categories of personal data concerned Name and surname of the training entity Director, telephone, email.
Teachers' name and surname, telephone, email.
Teachers' qualifications.
Professional experience.
Reports on claims and recorded incidents.
Tracking file related to compliance with DPO- AEPD Scheme
e) Source of the data The interested parties and third-parties consulted to obtain references and verify the accuracy of the information.
f) Recipient category Potential customers and the AEPD.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for a period necessary to meet the obligations assumed, and the one required to be able to accredit it.
i) Security measures Las medidas de seguridad técnica implantadas se corresponden con las previstas en la ISO 27001, y normas de seguridad relacionadas con la normativa ETSI que ANF AC está obligaThe technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


21Register of the Committee of Experts.


a) Legal basis Execution of a contract. GDPR: 6.1.b) Treatment necessary for the performance of a contract to which the data subject is a party or for the application of pre-contractual measures at the request of the data subject. GDPR: 6.1.c) Treatment necessary to comply with a legal obligation applicable to the data controller. Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers' Statute Law.
b) Purposes of the processing ANF AC as a Certification Entity according to the DPO-AEPD Scheme, must count on with a Committee of Experts comprised by representative entities, each of them is represented for one expert at least. ANF AC has signed the corresponding contractual commitment with them in accordance with its internal regulations.
c) Collective. Training entities whose training agenda has been accredited by ANF AC.
d) Categories of personal data concerned Name and surname, company to which the experts belong, telephone, email address.
e) Source of the data The interested themselves.
f) Recipient category ANF AC organization itself, AEPD, ENAC and members of the Committee of Experts.
g) International transfers No international data transfers are foreseen.
h) Deletion period They will be kept for a period necessary to meet the obligations assumed, and the one required to be able to accredit it.
i) Security measures. The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


22Register of DPO certificates


a) Legal basis Execution of a contract. GDPR: 6.1.b) Treatment necessary for the performance of a contract to which the data subject is a party or for the application of pre-contractual measures at the request of the data subject. GDPR: 6.1.c) Treatment necessary to comply with a legal obligation applicable to the data controller. Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers' Statute Law.
b) Purposes of the processing Comply with the obligation established by the DPO-AEPD Scheme and formally assumed by ANF AC before the AEPD.
c) Collective. Data protection officers certified by ANF AC.
d) Categories of personal data concerned Name and surname, ID / CIF / Identification document, address, and telephone.
Academic and professional data: Qualifications, training and professional experience.
Employment detail data and professional experience in data protection.
Registration of complaints, reports related to the activity of interested parties on the ground of complaints.
Complaints and claims File.
File of renewals in accordance with the DPO-AEPD Scheme.
e) Source of the data The interested parties and third sources consulted in the fulfillment of the obligations assumed by ANF AC.
f) Recipient category Potential customers and the AEPD.
g) International transfers No international data transfers are foreseen.
h) Deletion period Once your data are no longer necessary to determine responsibilities in relation to your professional performance, and the accreditation of compliance with the obligations of ANF AC.
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


23Register of DPO applicants


a) Legal basis The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
b) Purposes of the processing It is the previous step to evaluate applications made by candidates for DPO exams. This is a requirement established in the DPO-AEPD Scheme and has been formally assumed by ANF AC before the AEPD.
c) Collective. Candidates for DPO certificates, who submit their applications in ANF AC.
d) Categories of personal data concerned. Name and surname, DNI / or other identification document.
Special categories of personal data: data related to disabilities that require alternative exam or assessment arrangements.
Personal characteristics data: address, telephone, email. Academic and professional data: Qualifications, training and professional experience.
Employment detail data and professional experience in data protection.
Data related to other prerequisites: DPO training certificate. Application data in order to register for the exam. Report of references made to third sources for the data verification.
e) Source of the data The interested parties themselves and possible references deriving from third sources. ANF AC will check the information provided.
f) Recipient category The organization itself, ANF AC's evaluators, the Committee of Experts, the AEPD and ENAC.
g) International transfers No international data transfers are foreseen.
h) Deletion period During the entire period required to process the service provision, and the one necessary to accredit the correct provision of the service to whom it may concern.
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


24Register of examinations taken by DPO applicants


a) Legal basis The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
b) Purposes of the processing To manage the participation of DPD applicants who take part in the examination process carried out by ANF AC. This register allows to keep a record of examinations carried out in order to handle potential human resources, appeals and to accredit the fulfillment of the obligations established by the DPO-AEPD Scheme.
c) Collective. Applicants for DPO certificates who have taken an exam in ANF AC.
d) Categories of personal data concerned Pseudonymized information of the interested party

• Applicant's ID code
• Evaluator's ID code
• Id code of the expert who manage the appeal
• Exam performed.
• Evaluation result.
• Appeal for review and appeal, the evaluation reports carried out by the evaluators and, where appropriate, by the appeal expert.
e) Source of the data The interested parties and the evaluators.
f) Recipient category ANF AC organization itself, the evaluators, the Committee of Experts in case of evaluation, the AEPD and ENAC.
g) International transfers No international data transfers are foreseen.
h) Deletion period During the entire period required to process the service provision, and the one necessary to accredit the correct provision of the service to whom it may concern.
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


25Register of Evaluators


a) Legal basis Execution of a contract. GDPR: 6.1.b) Treatment necessary for the performance of a contract to which the data subject is a party or for the application of pre-contractual measures at the request of the data subject. GDPR: 6.1.c) Treatment necessary to comply with a legal obligation applicable to the data controller. Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers' Statute Law.
b) Purposes of the processing ANF AC must hire independent evaluators, with the appropriate experience and training in order to perform the review and assessment of DPO candidates, in accordance with the DPO-AEPD Scheme.
c) Collective. Evaluators accredited by ANF AC.
d) Categories of personal data concerned Name and surname, ID / CIF / Identification document, address, and telephone.
Academic and professional data: Qualifications, training and professional experience.
Employment detail data and professional experience in data protection.
e) Source of the data Interested customers themselves: interested person who contact and ANF AC's operator who answer the call.
f) Recipient category ANF AC organization itself, the AEPD and ENAC.
g) International transfers No international data transfers are foreseen.
h) Deletion period Once your data are no longer necessary to determine responsibilities in relation to your professional performance, and the accreditation of compliance with the obligations of ANF AC.
i) Security measures The technical security measures implemented correspond to those provided in ISO 27001 and safety standards related to ETSI regulations that ANF AC is required to comply with in accordance with the eIDAS Regulation. Regulatory compliance: GDPR and the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. Risk analysis has been carried out and low risk level results were obtained.
j) Responsible entity: ANF Certification Authority.


26Cessation of activity


a) Legal basis Compliance with a legal obligation. Law 59/2003, of 19 December, on Electronic signatures, articles 21.3, 20.1.f.
b) Purposes of the processing Processing operations aimed at complying with the Cessation Plan.
c) Collective Users of the QTSP services provided by ANF AC.
d) Data Categories Identification data of users of QTSP services and operators.
e) Source of the data The data comes directly from the data subjects.
f) Recipient category The ANF AC organization itself, the client organizations where the data subject comes from, other QTSPs, the auditors, the supervisory authority, legal and fiscal obligation.
g) International transfers International data transfers are not foreseen.
h) Term of erasure Data will be kept for the period necessary to meet the obligations assumed, and the one required to be able to prove it.
i) Security measures The technical security measures implemented correspond to those set forth in ISO 27001, and security standards related to the ETSI regulation that ANF AC is obliged to comply with in accordance with the eIDAS Regulation. Regulatory compliance, especially the Law on Information Society Services and E-commerce. Those established by the GDPR, and the Organic Law 3/2018 regulating Personal Data Protection and Digital Rights Guarantee.

Risk analysis and an impact assessment on data protection have been carried out with a low risk level result.
j) Responsible entity ANF Certification Authority.
k) DPIA EIPDANFAC008 - 07/04/2020 Result: Low risk level


English