In compliance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), we hereby inform you of the following legal aspects:
The data controller is the National Cryptology Centre (CCN).
VAT numbre S-2800155-J,
Registered office at C/Argentona 30, 28023 Madrid - Spain.
Telephone (+34) 91 372 50 00
E-mail address:
The collection and processing of personal data has as its sole purpose the management, provision, extension and improvement of the services requested at any time by the user, the sending of information, warnings and alerts, as well as the follow-up of queries raised by users.
The legal basis of the processing, according to Article 6 of the RGPD, is based on the following conditions:
a) Processing is necessary to comply with a legal obligation applicable to the Data Controller (CCN), as a result of the powers conferred on it by Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme, Royal Decree 421/2004, of 12 March, which regulates the National Cryptology Centre, by virtue of the provisions of Law 11/2002, of 6 May, regulating the National Intelligence Centre, within the framework established by the National Cybersecurity Strategy.
b) processing is necessary for the enforcement of a contract to which the data subject is a party or for the application of pre-contractual measures at his request; in accordance with Article 13(c) of the RGPD, processing based on consent shall mean that the existence of a right to withdraw consent shall not at any time affect the lawfulness of processing based on consent prior to its withdrawal.
It should be noted that, in the event of requesting a service, it may not be provided if the necessary information to carry it out is not provided. No automated decisions will be made based on your profile.
In general, the personal data provided will be kept as long as the aforementioned legal obligation of the Data Controller or the aforementioned contractual relationship is maintained. When this relationship ceases, and in any case if the deletion of the data is requested, we will keep your personal data blocked for the periods established by law. Once these deadlines have elapsed, they will be eliminated in accordance with current legislation.
The data may be transferred to legally authorized third parties, such as the Tax Administration or judicial bodies.
We also inform you of the existence of data processors with whom we sign appropriate contracts of data access on behalf of third parties in accordance with art. 28 et seq. of the RGPD. Only those treatment providers who offer sufficient guarantees to implement appropriate technical and organisational measures shall be selected so that the treatment is in accordance with the requirements laid down by law.
Contrarily, no international data transfers are foreseen.
The affected parties, within the legal framework that is applicable in each case, shall have the following rights:
To exercise any of these rights or to revoke your consent you can do so by sending an email to In order to exercise your rights, a copy of your identity card or equivalent document must accompany your application.