Privacy Policy

This privacy policy establishes the basis on which the AENOR Group will process any personal information we may obtain, respecting at all times the principles of lawfulness, fairness and transparency, as well as the other obligations and guarantees established in current regulations on the protection of personal data.

1. WHO PROCESSES YOUR DATA?

This Policy applies to all companies in the AENOR Group (hereinafter AENOR). You can access HERE to find out the identity and contact details of the different companies in the Group.

If you would like to receive detailed information about the processing of your data by any of the AENOR entities, you can send an email to datos@aenor.com.

2. FOR WHAT PURPOSE DO WE PROCESS YOUR PERSONAL DATA?

At AENOR, we process personal data to manage contractual relationships and execute the organization's services and activities, as well as to offer interested parties and clients information about activities, products and services related to AENOR.

Depending on your relationship with us, we process the information you provide for the following purposes:

WEB USERS

  • Manage the information you request through the different contact forms on our website.

  • To resolve the queries you submit through the various contact forms on our website.

  • To provide offers of our services and/or products, if authorized.

POTENTIAL CLIENTS

  • Manage the potential business and/or professional relationship.

  • Manage the sending of the information you request.

  • To answer the questions you ask us.

  • To provide offers of our services and/or products, if authorized.

CUSTOMERS

  • Provide the service (conformity assessment / inspection / consulting / IT projects / training / laboratory / licensing (e.g., Certool) / subscription to platforms, e.g., AenorMás) or deliver the contracted product (sale of standards / books).

  • Maintain and manage the contractual relationship with you.

  • To provide offers of our services and/or products, unless you have objected.

  • Conduct satisfaction surveys.

SUPPLIERS

  • Manage the business and/or professional relationship.

  • Evaluate compliance with applicable regulations at all times.

CANDIDATES

  • Manage the personnel selection process.

  • Those candidates who pass the initial stages of the selection process may be invited to take a competency assessment test, after which a competency profile will be developed and stored for current or future selection processes compatible with the candidate.

PERSONNEL TO BE EVALUATED

  • Perform the qualification process in the appropriate conformity assessment scheme.

TASTERS

  • Participate in sensory studies (tastings), to be able to try different products that are already on the market or will be launched soon, from food or cosmetics, to drugstore products.

  • You can access the Laboratory's Privacy Policy: HERE .

ATTENDEES AT CONFERENCES AND EVENTS

  • Manage registration for the conference/event, as well as attendance, send commercial offers from the AENOR Group (if authorized). Capture images for promotional and informational purposes.

USER OF THE COMPLAINTS CHANNEL

  • Manage complaints submitted through the internal information system or any of the alternative channels to carry out the corresponding investigations.

  • You can access our digital reporting channel HERE . On that website you will find additional information about the channel and the processing of personal data.

  • 3. WHAT IS THE LEGAL BASIS FOR PROCESSING YOUR DATA?

    The legal basis for processing your personal data, depending on the category of data subject, may be:

    WEB USERS

    • Consent of the data subject . European legal reference: art. 6.1.a GDPR.

    POTENTIAL CLIENTS

    • Consent of the data subject. European legal reference: art. 6.1.a GDPR.
    • Application, at the request of the interested party, of pre-contractual measures (quotes, engagement letters, service offers, etc.). European legal reference: art. 6.1.b GDPR.
    • Legitimate interest (sending requested information, responding to inquiries, sending commercial offers, etc.). European legal reference: art. 6.1.f GDPR.

    CUSTOMERS

    • Performance of a contract to which the data subject is a party. European legal reference: art. 6.1.b GDPR.

    SUPPLIERS

    • Performance of a contract to which the data subject is a party. European legal reference: art. 6.1.b GDPR.
    • Compliance with legal obligations. European legal reference: art. 6.1.c GDPR.

    CANDIDATES

    • Consent of the data subject. European legal reference: art. 6.1.a GDPR.

    PERSONNEL TO BE EVALUATED

    • Performance of a contract to which the data subject is a party. European legal reference: art. 6.1.b GDPR.

    TASTERS

    • Consent of the data subject (to participate in sensory studies). European legal reference: art. 6.1.a GDPR.
    • Performance of a contract to which the data subject is a party (where applicable). European legal reference: art. 6.1.b GDPR.
    • In the case of minors participating: consent given by the holder of parental authority or guardianship upon completion of the corresponding questionnaire (the minor will never be identified). Spanish legal reference: Art. 7.1.2 LOPDGDD.

    ATTENDEES AT CONFERENCES AND EVENTS

    • Consent of the interested party upon registration for the corresponding event. In the case of the capture of general panoramas, information will be provided, but explicit consent will not be required. European legal reference: art. 6.1.a GDPR.

    USER OF THE COMPLAINTS CHANNEL

    • Compliance with legal obligations. European legal reference: art. 6.1.c. Spanish legal reference: Law 2/2023 on the protection of informants.
    • Consent of the data subject (if they have voluntarily identified themselves). European legal reference: art. 6.1.a.
     
    Details regarding legitimate interest (European legal reference Art. 6.1.f GDPR):
     
    Legitimate interest constitutes a legitimizing basis for processing, provided that such interest in processing the customer's data is within reasonable expectations, based on the relationship you have or have had as a customer of AENOR.
     
    We will process your personal data based on our legitimate interest for the following purposes:

    In accordance with the Information Society Services Act, AENOR may send you commercial communications, including by electronic means, to keep you informed about AENOR Group products and services. You may object to receiving these communications at any time, clearly, free of charge, and easily, in any way you receive them.

     

    Specifically, AENOR may send you information of interest relating to:

     

    • Books, publications, standards, subscriptions and information sessions.
    • Training activities and related workshops.
    • Conformity assessment, auditing or consulting services, as well as information days, presentation or dissemination of new products.
    • Certification of individuals and related events.
    • Software licenses, as well as information sessions on related news.
    • Monthly delivery of the digital magazine.
    Communication to any of the entities of the AENOR Group, in accordance with what is mentioned in section 6 "To which recipients will your data be communicated?".

  • 4. WHAT PERSONAL DATA DO WE PROCESS?

    WEB USERS

    Name, surname, email, telephone, IP address, entity to which you belong, position or job held, if applicable.

     

    POTENTIAL CLIENTS

    Name, surname, email, telephone, entity to which you belong, position or job title held.

     

    CUSTOMERS

    Name, surname, email, telephone number, national identity card or similar document, financial information. If applicable, the name of the organization, position or title held.

    In the case of conformity assessment provided to entities (legal persons), the data processed will be in relation to the interviewed personnel of the audited entity, as well as those that may appear in the documentation shown by the same.

     

    SUPPLIERS

    Name, surname, email, telephone, signature, professional address, financial data.

     

    CANDIDATES

    Name, surname, email, telephone, academic qualifications, professional experience. If you advance in the selection process, the competency profile resulting from the assessment test will be discussed.

     

    PERSONNEL TO BE EVALUATED

    Name, surname, email, telephone, education, professional experience, entity to which you belong, position or office held (if applicable), information resulting from the qualification process.

     

    TASTERS

    At the time of registration

    • Name, surname, date of birth, sex, email, telephone, town, province, IP address.

    At the time of registration

    • ID card, existence of minor children.

    At the time of registration

    • In addition to the above: Postal address, preferences/tastes/behaviors in relation to the products under study, as well as any information that the taster may include and that is considered personal.
    Participation of minors

     

    • Data on minors is provided by the holders of parental authority or legal guardian, after the submission by AENOR of the corresponding questionnaire: age, sex, frequency of consumption of the corresponding product.
     

    ATTENDEES AT CONFERENCES AND EVENTS

    Name, surname, email, telephone, entity to which you belong, position or job held, town.

    When attending activities and events organized by AENOR, participants may be photographed or recorded on video. These photographs and videos are used by AENOR to provide information about these events and are not used for any commercial purpose.

     

    USER OF THE COMPLAINTS CHANNEL

     

    Complaints are based on anonymity, so the informant/complainant will voluntarily decide whether to identify themselves. If they choose to identify themselves, the data they provide, such as name, surname, telephone number, and/or email address, may be processed.
     
    In the case of individuals reported, their data will be treated confidentially.

     

     

    The data we request is adequate, relevant and strictly necessary and you are under no obligation to provide it, but failure to communicate it may affect the purpose of the service or make it impossible to provide.

  • 5. HOW LONG WILL WE KEEP YOUR PERSONAL DATA?

    In compliance with the principle of storage limitation, the data collected will be processed solely and exclusively for the time necessary and for the purposes for which it was collected in each instance. Data retention will be considered justified when:

    • A legal and/or administrative regulation imposes the obligation to retain the data for a certain period of time.
    • They are necessary to fulfill the contractual relationship.
    • The data will be used for historical and/or statistical purposes.
    • It could cause harm to the legitimate interests of the data subject or third parties.
    • They are necessary to ensure traceability and monitoring of a client's certification.
    • The retention period is specifically defined in the certification scheme being audited.
    • Based on the scheme, regulatory and legal compliance aspects are audited, with the retention period being that established by the reference legislation.
    • They are necessary to demonstrate by AENOR compliance with the requirements established in the ISO 17021-1 standard, applicable to organizations that carry out the audit and certification of management systems.
    • The data and documentation serve as proof of an activity or service provided, for the duration of the statute of limitations for any civil, criminal, administrative, or other actions that may arise from said activity or service. In this case, AENOR will keep the data blocked until its retention obligation expires.
    • A longer retention period has been agreed upon by the interested parties.

  • 6. TO WHOM WILL YOUR DATA BE COMMUNICATED?

    AENOR will only exchange personal data with trusted third-party recipients for any of the purposes set out in the Privacy Policy, with the aim of maintaining and executing the contractual relationship.

    Similarly, it may communicate data to the SPANISH ASSOCIATION FOR STANDARDIZATION (UNE) and other companies of the Group, as well as in the legally required circumstances in compliance with any applicable regulations, under the terms set out below:

    a) Necessary for the provision of the service


    Occasionally, AENOR may use trusted providers who may have access to personal data for the provision of contracted services with whom the corresponding data processing agreement has been signed in compliance with Article 28 of the GDPR.


    Additionally, it is reported that personal data necessary for the provision, billing and collection of services may be communicated to banks and financial entities.

    b) Data communications between the companies that make up AENOR and the SPANISH ASSOCIATION FOR STANDARDIZATION (UNE):

    Communications between group companies for technical and/or administrative purposes, such as access to technological tools/systems used for the provision of the service, which will be based on the legitimate interest of AENOR, as well as for sending commercial communications.

    c) Compliance with a legal obligation

    AENOR may also disclose your personal information to duly authorized third parties when necessary to comply with legislation or at the request of an administrative or judicial authority.


    Under no circumstances will the Client's personal data be shared with third-party companies, except with prior information and express consent of the interested party.

  • 7. ARE INTERNATIONAL DATA TRANSFERS CARRIED OUT?

    As a general rule, AENOR avoids international data transfers (outside the European Union or the European Economic Area). However, in cases where an international data transfer is necessary, this will be communicated to the interested party, after AENOR has verified the existence of adequate safeguards in accordance with applicable legal requirements to ensure that the data is properly protected (for example: existence of an adequacy decision, use of standard contractual clauses, etc.).

  • 8. WHAT ARE YOUR RIGHTS WHEN YOU PROVIDE US WITH YOUR DATA?

    The data protection rights to which the data subjects are entitled are:

    ACCESS

    • It allows the data subject to obtain information on whether or not AENOR is processing personal data concerning him or her and, if so, the right to obtain a copy of the personal data being processed.

    RECTIFICATION

    • It allows you to correct errors and modify data that turns out to be inaccurate or incomplete.

    SUPPRESSION

    • This allows data to be deleted and no longer processed by AENOR, unless there is a legal obligation to retain it and/or other legitimate reasons for its processing by AENOR prevail. For example, when personal data is no longer necessary in relation to the purposes for which it was collected, the client may request that we delete that data without undue delay .

    LIMITATION

    • Under the legally established conditions, it allows the processing of data to be stopped, so that AENOR avoids processing it in the future, and will only keep it for the exercise or defense of claims.

    OPPOSITION

    • In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. AENOR will cease processing the data, except for compelling legitimate grounds, or for the establishment, exercise, or defense of legal claims. Likewise, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

    PORTABILITY

    • It allows the interested party to receive their personal data and to transmit it directly to another controller in a structured, commonly used and machine-readable format .
     
    Holders of the personal data obtained may exercise their rights of personal data protection by sending an email to datos@aenor.com . In cases where there are reasonable doubts about the identity, additional information may be requested to prove said identity.
     
    You may also send written communication to the registered office of the relevant AENOR entity. You can access the identity and contact details of the different AENOR entities HERE .
     
    Templates, forms and more information about your rights are available on the website of the national supervisory authority, the Spanish Data Protection Agency, hereinafter AEPD, www.aepd.es.
     

  • 9. CAN I WITHDRAW MY CONSENT?

    You have the possibility and the right to withdraw your consent for any specific purpose granted at any time, without this affecting the lawfulness of the processing based on the consent prior to its withdrawal.

  • 10. WHERE CAN I FILE A COMPLAINT IF I BELIEVE MY DATA IS NOT BEING PROCESSED CORRECTLY?

    If any interested party believes that their data is not being processed correctly by AENOR, they can send their complaints to datos@aenor.com or to the relevant data protection authority.

    The control authorities in the European countries where AENOR operates are:

    SpainSpanish Data Protection Agency

    ItalyGuarantor for the protection of personal data

    PortugalNational Dice Power Commission

  • 11. SECURITY AND UPDATING OF YOUR PERSONAL DATA

    To safeguard the security of your personal data, we inform you that AENOR has adopted all necessary technical and organizational measures to guarantee the security of the personal data provided. This is to prevent its alteration, loss, and/or unauthorized processing or access, as required by law, although absolute security cannot be guaranteed.
     
    It is important that, in order for us to keep your personal data up to date, you inform us whenever there is a change to it.

  • 12. CONFIDENTIALITY

    AENOR informs you that your data will be treated with the utmost care and confidentiality by all personnel involved in any stage of the processing. We will not transfer or disclose your data to any third party, except in cases legally required, or unless you have expressly authorized us to do so.