Information Security and Cybersecurity Policy
The protection of information and information processing systems is of strategic importance to
our Company in achieving both its short-term and long-term objectives, while ensuring the
privacy of individuals affected by its activities.
Recognizing the critical role of information and information systems in the execution of its
business operations, our Company implements an Information Security Policy aimed at:
- ensuring the confidentiality, integrity, and availability of the
information it manages, including personal data,
- ensuring the proper operation of information systems,
- providing for the timely response to incidents that may threaten business
continuity,
- ensuring compliance with applicable legal and regulatory requirements, and
- continuously improving the level of information security.
To achieve these objectives, the Company:
- establishes the organizational structures required to monitor issues
related to Information Security, Cybersecurity, and Privacy,
- defines the technical and organizational measures for protecting
information and the systems that process it,
- determines the classification levels of information according to its
importance and value,
- specifies the necessary protection measures during the processing, storage,
and transmission of information,
- defines the methods for raising awareness and training employees and
partners on Information Security issues,
- sets procedures for managing Information Security incidents, and
- ensures business continuity in case of system malfunctions or
disasters.
The Company conducts regular risk assessments related to Information Security, Cybersecurity, and
Privacy, taking the necessary measures to mitigate identified risks. It also applies a
performance evaluation framework that includes measurable indicators, assessment methodologies,
and periodic management reviews to ensure continuous improvement.
The Information Security Officer is responsible for monitoring and enforcing the policies and
procedures related to Information Security and for taking proactive measures to eliminate risks
that could compromise the availability, integrity or confidentiality of Company information and
personal data.
All employees and associates with access to Company information and systems are responsible for
adhering to this Information Security Policy.
We are committed to continuously monitoring the legal and regulatory framework and to the ongoing
implementation and improvement of the effectiveness of our Information Security and Privacy
Management System.
Privacy Protection Policy
Our Company recognizes the importance of protecting personal data and ensuring their lawful and
proper processing.
In this context, the Company complies with the core principles of data processing, respects the
rights of data subjects, and ensures that personal data in its possession:
- are collected for specific, explicit, and legitimate purposes, as recorded
in the Company’s Record of Processing Activities, and with consent where required,
- are processed solely for the purposes for which they were collected, or for
legal, regulatory, or legitimate interest reasons,
- are not further processed beyond their defined purpose,
- are adequate, relevant, and limited to what is necessary,
- are accurate and kept up to date, particularly before any decision
affecting individuals,
- are retained only for as long as necessary to fulfill the purposes of
processing or to comply with legal and regulatory obligations,
- are protected against unauthorized access, loss, or destruction, and
- are transferred to third parties only when an adequate level of
protection is ensured.
These principles are observed by all Company employees as well as by third parties processing
personal data on its behalf.
To ensure the above, the Company:
- implements a Privacy Management System (PMS) covering all operations, to
monitor compliance and assess effectiveness against regulatory and best-practice standards,
- applies procedures for fulfilling data subjects’ rights, ensuring responses
within one month (or up to three months in justified cases, with prior notification),
- provides clear information to individuals about the processing of their
data,
- integrates data protection requirements into all business processes
involving personal data,
- identifies all internal and external stakeholders and their privacy-related
requirements,
- defines roles and responsibilities for data management,
- provides clear instructions to employees and external partners for the
secure use and transfer of data,
- ensures that data transfers to third parties comply with data protection
regulations and this policy,
- designs, adopts and monitors performance indicators and objectives for
lawful and secure data management,
- invests in the continuous training and awareness of employees regarding
data protection and fosters knowledge sharing,
- allocates adequate resources for the effective implementation of the
Information Security, Cybersecurity, and Privacy Management System,
- has appointed a Data Protection Coordinator (DPC), and
- ensures this policy is communicated to all personnel and regularly
updated to maintain full compliance with the current regulatory framework.
Our Company is committed to continuously monitoring and complying with all relevant legal and
regulatory requirements and to the ongoing improvement of the effectiveness of its Information
Security, Cybersecurity, and Privacy Management System.