Ministry of Defence logo Defence Staff logo


We inform you below about the data protection policy of the Ministry of Defence of Spain.


'Estado Mayor de la Defensa' (hereinafter, EMAD) located at C / Vitrubio nº1, 28006 Madrid (Spain), a body dependent on the Ministry of Defence, is responsible for the processing of the data collected. The breakdown of all the data processing made or carried out by the EMAD, in its capacity as data controller, has been collected and is publicly accessible in its Registry of Processing Activities.


In the aforementioned registry, the features of each specific processing can be looked up, such as: purpose, legal basis or legitimacy, conservation, recipients, international transfers and ARCO+ rights' exercise.


The purposes associated with each processing can be looked up for each specific case, in the Registry of Processing Activities.

In general, the purposes will be linked to attributions and powers conferred on EMAD, with the fulfilment of obligations established by regulations with the status of ordinary law, or for the execution of contracts, provision of assistance and services to interested parties, institutional purposes, sending of communications, publications and support to requests for the exercise of rights of the interested parties.


In general, the legal basis that will legitimize the data processing made by the data controller will be carried out in accordance with the provisions of article 6 of the General Data Protection Regulation.

  • Execution of a contractual relationship in which the interested party is part of the contract (art. 6.1 b) RGPD).
  • Compliance with a legal obligation attributed to the Data Controller (art. 6.1 c) RGPD).
  • Fulfilment of a mission carried out in the public interest or exercise of public powers conferred on the controller (art. 6.1 e) RGPD).
  • In certain specific cases, although on a residual basis, the consent given by the interested party or owner of the personal data (art. 6.1 a) RGPD).

However, to know in detail the legal basis that legitimizes each of the processing carried out by the EMAD, you can consult the information contained in its Registry of Processing Activities. 


The personal data processed shall be preserved for the time required to fulfil the purpose for which they were collected, as well as to comply with both the specific and the general regulations in force at all times.

The preservation periods for each of the treatments may be consulted in the Registry of Processing Activities.


It should be noted that due to the particularities presented by the body responsible for data processing, a large part of the information, as well as the documentation derived from the processing, will become part of the Documentary Heritage, governed in this sense by the provisions of the Law 16/1985, June 25, on the Spanish Historical Heritage, and in RD 2598/1998, December 4, which approves the Regulations for Military Archives.


The personal data collected may be transferred or communicated to different entities, depending on the purpose of the treatment carried out.

In general, said recipients may be banking entities, Public Administrations or agencies dependent on them, Social Security agencies, private entities and individuals, Ministry of Finance, judicial bodies or Security Forces and Bodies.

However, it is recommended to consult the different categories of possible recipients or assignees of personal data, for each treatment, by accessing the Registry of Processing Activities.


Similarly, in certain cases there may be international data transfers to third countries, located outside the European Economic Area (EEA), for which the appropriate guarantees and security measures will be adopted, with the aim of safeguarding the confidentiality of the data transferred. You can also consult the cases susceptible to international data movements, in the Register of Processing Activities of the EMAD.


You can exercise the ARCO+ rights recognized by the General Data Protection Regulation (RGPD) and the Organic Law on Protection of Personal Data and guarantee of digital rights (LOPDGDD), of access, rectification, deletion, limitation, opposition and portability, as well as withdraw the consent initially given in the event that this was the legal basis for the treatment.


  • To proceed with the exercise of the aforementioned rights, we indicate below the main channels available to you:
  • In a simple and at-no-cost way, by sending a communication along with a copy of your NIF or equivalent identity document, to the email address
  • Through the electronic office of the Ministry of Defence. In the "PROCEDURES" section, you will find a section devoted to "PROCEDURES REGARDING THE PROTECTION OF PERSONAL DATA", where you can access the different forms depending on the right you wish to exercise.
  • You can also submit your request, by postal mail, to the address Paseo de la Castellana 109, 28071 Madrid (Ministry of Defence), to the attention of the Data Protection Officer.


You have the right to file complaints with the national control authority, in this case, the Spanish Data Protection Agency (AEPD), located at C / Jorge Juan nº6, 28001 Madrid, whose website is


Likewise, you can also file claims of rights before the regional control authorities, the Basque Data Protection Agency -in the case of Euskadi-, and the Catalan Data Protection Authority -in the case of Catalonia-, in those cases in which said authorities are territorially competent to hear the claim made.


Pursuant to the obligation attributed to public bodies regarding the appointment of a Data Protection Officer (hereinafter DPD), we provide below the contact details of the DPD of the Ministry of Defence, whom you can contact to through a message sent to the email address