In compliance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), we hereby inform you of the following legal aspects:
1.- Data controller
The data controller is the National Cryptology Centre (CCN).
VAT numbre S-2800155-J,
Registered office at C/Argentona 30, 28023 Madrid - Spain.
Telephone (+34) 91 372 50 00
2.- Purpose of the processing
The collection and processing of personal data has as its sole purpose the management, provision, extension and improvement of the services requested at any time by the user, the sending of information, warnings and alerts, as well as the follow-up of queries raised by users.
3.- Legitimation of the treatment
The legal basis of the processing, according to Article 6 of the RGPD, is based on the following conditions:
a) Processing is necessary to comply with a legal obligation applicable to the Data Controller (CCN), as a result of the powers conferred on it by Royal Decree 311/2022, of 3 May, which regulates the National Security Scheme, Royal Decree 421/2004, of 12 March, which regulates the National Cryptology Centre, by virtue of the provisions of Law 11/2002, of 6 May, regulating the National Intelligence Centre, within the framework established by the National Cybersecurity Strategy.
b) processing is necessary for the enforcement of a contract to which the data subject is a party or for the application of pre-contractual measures at his request; in accordance with Article 13(c) of the RGPD, processing based on consent shall mean that the existence of a right to withdraw consent shall not at any time affect the lawfulness of processing based on consent prior to its withdrawal.
It should be noted that, in the event of requesting a service, it may not be provided if the necessary information to carry it out is not provided. No automated decisions will be made based on your profile.
4.- Data retention
In general, the personal data provided will be kept as long as the aforementioned legal obligation of the Data Controller or the aforementioned contractual relationship is maintained. When this relationship ceases, and in any case if the deletion of the data is requested, we will keep your personal data blocked for the periods established by law. Once these deadlines have elapsed, they will be eliminated in accordance with current legislation.
5.- Recipients of assignments or transfers
The data may be transferred to legally authorized third parties, such as the Tax Administration or judicial bodies.
We also inform you of the existence of data processors with whom we sign appropriate contracts of data access on behalf of third parties in accordance with art. 28 et seq. of the RGPD. Only those treatment providers who offer sufficient guarantees to implement appropriate technical and organisational measures shall be selected so that the treatment is in accordance with the requirements laid down by law.
Contrarily, no international data transfers are foreseen.
6.- Rights of the persons concerned
The affected parties, within the legal framework that is applicable in each case, shall have the following rights:
- Right to withdraw consent at any time.
- Right of access: they may request access to their personal data.
- Right of rectification: They may amend inaccurate personal data or supplement incomplete data, including by means of an additional declaration.
- Right of deletion: They may request the deletion of personal data concerning them.
- Right of portability: they have the right to receive the personal data provided and to transfer them to another controller.
- Right to limitation: when certain conditions are met, the data subject has the right to obtain a limitation on the processing of his or her personal data.
- Right to object to processing: They may request that personal data not be processed.
- The right to lodge a complaint with the supervisory authority (agpd.es) if they consider that the processing does not comply with current legislation.
To exercise any of these rights or to revoke your consent you can do so by sending an email to . In order to exercise your rights, a copy of your identity card or equivalent document must accompany your application.