Privacy Policy of the Authentic App

As a user of the Authentic application, please read this privacy and data protection policy carefully. It contains all the information about the data that is collected about you, how it is used and what control you have over it, as established by Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and by Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.

The privacy policy applies to the mobile app:

  • Authentic app v 2.0 and later for Android.
  • Authentic app v 2.0 and later for iOS.

1. Who is responsible for the processing of your data as an Authentic user?

The controller responsible for the processing of your data as a user of Authentic is:

  • Name of responsible body: General Secretariat of Digital Administration (hereinafter, the SGAD).
  • Address: C/ Del Marble nº2, 28005.
  • Data Protection Officer: dpd@mineco.es
  • Data Protection Officer address: Paseo de la Castellana, 162 - 28046 Madrid.

The unit responsible for the Authentic Service is the General Secretariat of Digital Administration (SGAD), a governing body attached to the Secretary of State for Public Service of the Ministry for Digital Transformation and Public Service.

2. What data do we process about you?

The information we process about you will depend on the use you make of Authentic.

To access the app, your device must have a security access mechanism enabled, and you must grant the app permission to use the biometric factor or, in its absence, the device PIN. Under no circumstances will the Authentic App store or process your biometric data.

Likewise, from the main section of the Authentic App, you will have the option “Scan QR code for Authentication”, which lets you scan that QR code with the app. To do this, the device’s camera will be opened, and permission to access the device’s camera will be requested in every case.

The personal data that may be processed in Authentic will be obtained from the electronic certificate or electronic DNI configured on the device. If you do not have one configured, you will be asked to set up your certificate and install it in Authentic, using an option to add a certificate and search for its location within the phone's resources; permission to access your documents will be requested in every case. If you already have one or more configured, you can select one to perform the identification, and it will be associated with the device.

The data processed by Authentic will belong to one or more of the following categories:

  • Data of an identifying nature: Name, surname, identifier, ID, electronic certificate, electronic signature, telephone.
  • Personal characteristics: Date of birth.
  • Academic and professional data: Position, post, corporate email.

In no case will we obtain your data without your consent, and at any time you can access and consult your rights in the "My profile" section.

We will notify you of any changes that must be accepted in order to continue using the application.

3. What is the legal basis for the processing of your data?

The processing of personal data that can be carried out through Authentic is based on:

  • The consent you have given for the processing of your personal data for one or more specific purposes (Article 6.4a) of the GDPR).
  • The processing being necessary for compliance with a legal obligation applicable to the data controller (Article 6.4c) of the GDPR).
  • The processing being necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, in accordance with Article 6.1(e) of the GDPR.
  • The processing being necessary for the fulfilment of legitimate interests pursued by the controller or by a third party, under the conditions set out in Article 6.1(f) of the GDPR.

In addition, we inform you that the regulations applicable to the services offered by Authentic are as follows:

  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.
  • Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations.
  • Law 40/2015, of 1 October, on the Legal Regime of the Public Sector.
  • Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
  • Royal Decree 203/2021, of 30 March, approving the Regulation on the operation and functioning of the public sector by electronic means.
  • Royal Decree 311/2022, of 3 May, regulating the National Security Scheme.

4. For what purpose and why do we use your data?

The Authentic application offers authentication, single sign-on and authorization services to public employees of the Public Administrations (AA.PP.) and related users, for access to internal applications of the AA.PP.

The information and data collected in Authentic will be processed solely for the purpose of offering you a service appropriate to the functionalities of the application.

For this purpose, we use your data to offer you the following services:

  • Authentication with a high LOA security level on several devices, for users who have an electronic certificate installed on their mobile device. The Authentication.
  • Authentication with a low LOA security level, for users who use username and password or Cl@ve and do not register an electronic certificate in the mobile application.

5. For how long do we store your data?

The personal data you provide to us will be kept for as long as necessary to fulfill the purpose for which they were collected and to determine any liabilities that may arise from the processing carried out, in addition to the periods established in the regulations on files and documentation.

Specifically, the data used to manage your account will be stored until you decide to delete it and deactivate Authentic.

6. Do we communicate your data to third parties?

Your personal data will only be transferred to the Public Administrations of the State.

In general, your personal data will not be communicated to other third parties unless there is a legal obligation to do so, which may include communications to the Ombudsman, Judges, Courts and persons interested in the procedures related to the complaint submitted.

In principle, no international transfers of your data will be carried out. In any case, if any do take place, sufficient legal bases and guarantees will be applied in order to legitimize them in accordance with the applicable law.

7.

Only you have access to your data.

Without prejudice to the above, in certain cases (for example, to resolve an incident or a query that you raise with us) we may need to access the data strictly necessary to resolve the incident or respond to your query.

8.

The regulation gives you a number of rights in relation to the data and information we process about you. Specifically, the rights of access, rectification, deletion and portability of data, and of limitation of and opposition to their processing.

For data for which the SGAD is the controller, these rights will be exercised with the SGAD. For the information obtained through the electronic certificate or the electronic ID card configured on the device, they will be exercised with the body responsible for each of them.

You can consult the full scope and detail of these rights on the website of the Spanish Data Protection Agency (AEPD).

You can exercise your rights at any time and free of charge in the following ways:

In addition to all of the above, you have the right at any time to file a claim with the Spanish Data Protection Agency.

9. How do we protect your data?

The General Secretariat of Digital Administration guarantees the security, secrecy and confidentiality of your data, communications and personal information and has adopted the most demanding and robust security measures and technical means to prevent its loss, misuse or access without your authorization.

The security measures implemented correspond to those provided for in Annex II (Security Measures) of Royal Decree 311/2022, of 3 May, which regulates the National Security Scheme.

In addition, we undertake to act quickly and responsibly in the event that the security of your data may be in danger, and to inform you where relevant. Security incident management protocols are in place, which include notifications to supervisory authorities and users in the cases provided for by law.

Finally, we inform you that both the storage and the rest of the activities of the processing of your data will always be located within the European Union.