Skip main navigation
You are at: Home>Customer Area>AENOR Privacy Policy
Privacy policy

Privacy policy

This privacy policy establishes the basis on which we will process any personal information we may obtain, respecting at all times the principles of legality, loyalty and transparency, as well as the other obligations and guarantees established in the current regulations on personal data protection.


This policy will be applicable to AENOR INTERNACIONAL S.A.U., with Tax ID Number A83076687, headquarters at C/Génova 6, 28004 in Madrid and contact; and its international subsidiaries (together, referred to as "AENOR" and which can be viewed via the following link:  Where to find us


AENOR processes personal data to manage contractual relationships, perform organisational services and activities and to offer interested parties and customers information on activities, products and services related to AENOR. To this end, AENOR hereby notifies you of the legal authority it has to process data:

I. Managing contractual relationships

AENOR will process your personal data to provide the engaged services, as well as to maintain and manage the contractual relationship with the customer.

II. Legitimate interest of AENOR

Legitimate interest gives legal authority to process data, provided that this interest in processing the customer's data is within reasonable expectations, based on the relationship you have or have had with AENOR as a customer.

With due respect for national legislation in this regard, AENOR may send you commercial communications, including via electronic means, in order to keep you informed about products and services. At all times and in each of the communications received, you can clearly, freely and easily object to receiving them.

Specifically, AENOR may send you information of interest relating to:

  • Books, publications, standards, subscriptions and informative seminars on these matters.
  • Training actions and related seminars.
  • Compliance assessment and audit services, as well as workshops to inform of, present or disseminate new products.
  • Certification of persons and related seminars.
  • Software licences and briefing sessions on related innovations.
  • Monthly delivery of the digital magazine.
III. Express consent of the data subject

Express consent constitutes a legitimate basis for processing data that will allow AENOR to process your personal data for the purposes described below, after obtaining the corresponding authorisation for this purpose.

-Processing of allergy data and other health data, which is needed to register as AENOR laboratory consumers.

-Processing, for direct marketing purposes, of the data provided when registering for a seminar or informative session, or when downloading guides, ebooks or similar products free of charge through our website.

-Processing of images of attendees at seminars/events organised by AENOR for educational and informative purposes.

-Processing of the data of candidates who take part in a selection procedure through the AENOR website.

Your consent will be obtained in a clear and unambiguous way by collecting your signature on paper, or by clicking on the "send" button in the application.

You can also withdraw your consent when you wish by contacting AENOR using the channels provided for this purpose and set out in this policy.


By way of a non-limiting example, the data processed by AENOR within the framework of the relationship with the data subject and determined by the purposes for which consent has been given are included in the following categories:

  • Private contact and identity data. (Name and surname, address, email, landline or mobile phone number).
  • Data relating to employment and the organisation. (company, department, position, responsibilities, functions).
  • Data relating to professional and training circumstances (career, position data, employment period, tasks, activities, studies, qualifications and assessments).
  • Economic data for invoicing management (bank account).
  • Allergy data and other health-related data.
  • Data relating to photos and videos featuring personal images.


In compliance with the principle of limiting the storage period, data collected will be processed solely and exclusively for the necessary time and for the purposes for which it was collected at any given time. The personal data provided will be kept while it is needed (unless the data subject asks for it to be deleted) to implement the contractual relationship and to respond to requests or applications, and for the time necessary to comply with corresponding legal obligations in each case, according to each type of data.


AENOR will only exchange personal data with trusted third parties for any of the purposes set forth in the Privacy Policy in order to maintain and execute the contractual relationship. Similarly, you will be able to communicate data to the SPANISH ASSOCIATION FOR STANDARDISATION (UNE) and to other companies in the group, as well as under the circumstances legally required to comply with any applicable regulations, under the terms set out below:

   a)     Needed to provide the service

AENOR may occasionally use trusted service providers, who may have access to personal data to provide the engaged services. Personal data may also to communicated to banks as necessary in order to provide, invoice and collect payment for services.

   b)     Communication of data between AENOR group companies and the SPANISH ASSOCIATION FOR STANDARDISATION (UNE)

Communications between group companies will be based on the legitimate interest of AENOR.

   c)     Compliance with a legal obligation

AENOR may also communicate your personal information to third parties that have been duly authorised by law in order to comply with legislation or at the request of an administrative or judicial authority.

A Customer's personal data will only be shared with third parties if the data subject has been notified and given their express consent to share said information.


In accordance with applicable regulations, AENOR informs the customer or user that they have the following rights under the applicable regulations:

Access: this enables the data owner to obtain confirmation of whether or not AENOR is processing personal data that concerns them and, if it is, to obtain a copy of the personal data being processed.

Correction: this allows you to correct errors and amend data if it is inaccurate or incomplete.

Deletion: this means that data can be deleted and no longer processed by AENOR, unless there is a legal obligation to retain it and/or other legitimate reasons for AENOR to process it. For example, if personal data is no longer needed for the purposes for which it was collected, the customer may request that we delete this data without undue delay.

Limitation: under the conditions established by law, this allows data processing to be halted in such a way that it cannot be processed in the future by AENOR, which will only keep it to file or defend claims.

Objection: under certain circumstances and for reasons related to their specific situation, data subjects may object to their data being processed. Thereafter, AENOR will no longer process data, unless required to do so for overriding legal reasons or to file or defend potential claims.

Portability: this enables the data subject to receive their personal data in a structured, commonly-used, machine-readable format and to send it directly to another data controller.

AENOR guarantees that the measures needed to ensure that these rights can be exercised will be adopted free of charge, wherein, anyone wishing to exercise said rights will need to attach a copy of their official identity document and communicate their intention to us via the following channels:

  • By sending an email containing the information indicated in the previous section to the following address:
  • By sending a letter indicating which right they wish to access to: C/Génova nº6, 28004 Madrid, for the attention of the AENOR Legal Advisory Department.

Similarly, and particularly if the Customer considers that they have not been able to exercise their rights to their full satisfaction, they may file a complaint with the supervisory authority of their country.

The supervisory authorities of the European countries where AENOR operates are: 

Spain-> Agencia Española de Protección de Datos [Spanish Data Protection Authority] 
Italy -> Garante per la protezione dei dati personali  
Portugal -> Comissão Nacional de Potecção de Dados