In compliance with the provisions of Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) we inform you of the following legal aspects:
1.- Responsible for the treatment
The data controller is the National Cryptologic Centre (CCN).
VAT number S-2800155-J,
Registered office at C/Argentona 30, 28023 Madrid - Spain
Telephone (+34) 91 372 50 00
2.- Purpose of the treatment
The collection and processing of personal data has as its exclusive purpose the management, provision, expansion and improvement of the services requested at all times by the user, the sending of information, notices and alerts, as well as the monitoring of queries raised by users.
3.- Legitimation of the treatment
The legal basis for the processing, according to Article 6 of the GDPR, is based on the following conditions:
a) The processing is necessary in order to comply with a legal obligation applicable to the Data Controller (CCN), as a consequence of the powers conferred upon it by Royal Decree 311/2022, of 3 May, which regulates the National Security Scheme, Royal Decree 421/2004, of 12 March, which regulates the National Cryptologic Centre, by virtue of the provisions of Law 11/2002, of 6 May, regulating the National Intelligence Centre, within the framework established by the National Cybersecurity Strategy.
b) the processing is necessary for the performance of a contract to which the data subject is party or for the implementation at the request of the data subject of pre-contractual measures; Pursuant to art.13.c of the GDPR, processing based on consent shall mean that the existence of the right to withdraw consent, at any time, shall not affect the lawfulness of the processing based on consent prior to its withdrawal.
It should be noted that, in the event of requesting a service, this cannot be provided if the data necessary to carry it out are not provided. No automated decisions will be made based on your profile.
4.- Data retention
In general, the personal data provided will be kept for as long as the aforementioned legal obligation of the Data Controller or the aforementioned contractual relationship is maintained. When this relationship ceases, and in any case if the deletion of the data is requested, we will keep your personal data blocked for the periods established by law. Once these periods have elapsed, they will be deleted in accordance with current legislation.
5.- Recipients of assignments or transfers
The data may be transferred to legally authorized third parties, such as the Tax Administration or judicial bodies.
We also inform you of the existence of data processors with whom the appropriate contract for access to data on behalf of third parties is signed in accordance with Art. 28 et seq. of the GDPR. Data processors will only be selected if they offer sufficient guarantees to implement appropriate technical and organisational measures so that the processing complies with the requirements of the law.
However, no international data transfers are planned.
6.- Rights of the persons concerned
Those affected, within the legal framework applicable in each case, shall have the following rights:
- Right to withdraw consent at any time.
- Right of access: you may request to consult your personal data.
- Right to rectification: you may amend inaccurate personal data or complete incomplete personal data, including by means of an additional declaration.
- Right of deletion: you may request the deletion of personal data concerning you.
- Right of portability: you have the right to receive the personal data you have provided and to transfer it to another data controller.
- Right to restriction: where certain conditions are met, the data subject has the right to obtain the restriction of the processing of his or her personal data.
- Right to object to the processing of your personal data: you may request that your personal data not be processed.
- The right to lodge a complaint with the supervisory authority (agpd.es) if you consider that the processing does not comply with the regulations in force.