Privacy Policy

Controller of your data

The Spanish Aviation Safety Agency (hereinafter AESA), as responsible for the processing of your personal data, with CIF Q2801615B, with registered office in Paseo de la Castellana 112 C.P. 28046, Madrid, in compliance with Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights and Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, informs you that the personal data collected through the forms provided to initiate an administrative procedure or to make requests of other kinds will be incorporated into the file that make up the Register of Processing of Personal Data.


Purpose and basis of legitimation of the processing of your data

All AESA processing is legitimised on the basis of one of the following sections of the General Data Protection Regulation:

  • The explicit and unequivocal consent of the user. The data subject gave his/her consent to the processing of his/her personal data for one or more specific purposes. (Article 6). Paragraph 1(a) or (Article 9). Paragraph 2. sub-paragraph (a)
  • For the performance of a contract. (Article 6). Subparagraph 1(b) processing is necessary for the performance of a contract to which the data subject is a party or for the application at the request of the data subject of pre-contractual measures.
  • A legal obligation. (Article 6). Subparagraph 1(c) processing is necessary for compliance with a legal obligation applicable to the controller.
  • The fulfilment of obligations and the exercise of specific rights of the controller or the data subject in the field of labour law and social security and protection. (Article 9). Paragraph 2. subparagraph (b)
  • Essential public interest, on the basis of Union or Member State law. (Article 9). Paragraph 2. subparagraph (g)
  • Preventive or occupational medicine, medical diagnosis, provision of health care or treatment, or management of health or social care services. (Article 9). Paragraph 2. subparagraph (h)
  • Treatment necessary for scientific research, historical or statistical purposes. (Article 9). Paragraph 2. subparagraph (j)

You can find the specific purpose and legitimacy in the Register of Processing of Personal Data.


Communication of your personal data

AESA is the recipient of the processing and will only communicate the personal data to:

  • Third parties, public bodies and institutions of the General State Administration, regional and local authorities, including the courts to which it is legally obliged to provide them.
  • The information can be transferred to third parties and make international transfers within the established legal framework, for the management of personal data, only for the purposes described in the Register of Processing of Personal Data.
  • The information can be processed by the processor on behalf of AESA to collaborate in the management of personal data, only for the purposes described in the Register of Processing of Personal Data.


Retention time of your data

The personal information for which you have provided the consent will be retained as long as it is necessary or does not exercise your right of cancellation or deletion.

More information on retention time can be found in the Personal Data Processing Registry.


Security measures applied to your personal data

AESA will take all necessary measures in accordance with the Organic Law on Data Protection and Guarantees of Digital Rights Additional provision first. Security measures in the public sector and the General Data Protection Regulation (Article 32 Security of processing and Article 25 Data protection by design and by default), those established by Royal Decree 311/2022, of 3 May, regulating the National Security Scheme, and those that are decided as a result of an Impact Assessment on Data Protection (if necessary).


Exercise of your rights in relation to your personal data

In accordance with the provisions of the aforementioned Organic Law on Data Protection and Digital Rights Guarantees and also the General Data Protection Regulation, you can exercise your rights of Access, Rectification, Suppression, Portability of your data, Limitation or Opposition to its processing before the Data Controller of your personal data specified at:  Registro de tratamiento de datos.

In case the data subject considers that the above rights have not been served in accordance with the current law, he/she may submit the corresponding claim of protection of rights to the Spanish Data Protection Agency.


Notification of a personal data breach

  • In compliance with the General Data Protection Regulation, in the event of a breach of security affecting personal data, AESA shall notify the Data Protection Agency of the breach without undue delay and no later than 72 hours after becoming aware of it, unless such breach of security is unlikely to constitute a risk to the rights and freedoms of natural persons.
  • Similarly, in compliance with the aforementioned General Data Protection Regulation where it is likely that the breach of the security of personal data poses a high risk to the rights and freedoms of natural persons, AESA shall communicate it to the data subject without undue delay.