1. GENERAL INFORMATION

- Data Controller: Grupo A3sec

- Address: Cl. 98 #70-91, Bogotá D.C, Colombia / C. de Aravaca, 6, Moncloa - Aravaca, 28040 Madrid, Spain

- NIT: 9007804612 CIF: B86560950

- Email: dataprotection@a3sec.com

2. USERS

Access and/or use of this Grupo A3sec website confers the status of user, who accepts, from said access and/or use, the general conditions reflected in this document. These provisions apply to all users of the site, regardless of any other specific agreement that may exist in relation to service contracting or employability processes for officials, suppliers, or contractors.

3. USE OF THE PORTAL

https://a3sec.com/ provides access to information, services, and internet content belonging to Grupo A3sec or its licensors and users who may have access. The user assumes responsibility for the use of the portal. This responsibility extends to any registration that may be necessary for certain services and content.

4. PRIVACY POLICY

4.1. PURPOSE

The purpose of this document is to:

- Establish the "General Privacy and Data Protection Policy" (hereinafter, the policy), in order to detail how users' personal data is collected, used, stored, and protected in accordance with current laws.

- Identify the personal data (hereinafter, "PD") processed by Grupo A3sec, both as Data Controller and Data Processor for third parties, and the processing activities carried out.

- Collect the technical and organizational measures in accordance with current security regulations for the protection of personal data under the responsibility of Grupo A3sec.

- Establish the update processes and the compliance control system for this General Policy and applicable regulations.

This document is mandatory reading for all interested parties. Grupo A3sec will determine which sections will be made available to any third party accessing data processed under the Organization's responsibility. The definitions used in this document are found in section 4.4.

4.2. SCOPE OF APPLICATION

- This document applies so that data is processed promptly and in accordance with data protection laws, demonstrating Grupo A3sec's accountability for the rights of data subjects.

- All PD processed by Grupo A3sec, both as Data Controller and as Data Processor.

- All persons involved in the processing, including Grupo A3sec personnel, as well as third parties working within the aforementioned material scope (the "Personnel").

- The personal data provided by the different parties.

- All automated resources and non-automated media containing and/or processing personal data under the responsibility of Grupo A3sec, including information systems, media and equipment used, clients, suppliers, or any interested party for its processing.

The material scope includes:

- The processing centers and premises where the files are located and the media containing them are stored.

- The archives and server equipment where the Files are located, as well as their environment (offices, cabinets, software, hardware).

- Workstations, whether local or remote, from which files can be accessed.

- Information systems and applications used to access files and process data.


4.3. UPDATE

This document will be kept up-to-date at all times and will be reviewed whenever:

- Relevant changes occur in the processing of PD and/or information systems that contain or process PD;

- There are changes in Grupo A3sec that affect the procedures and measures included in this document;

- Current provisions on personal data security are modified.

- The Data Protection Officer will keep all information and documentation included in this policy permanently updated.


4.4. DEFINITIONS

For all purposes of this document, the following are understood as:

- Personal Data (PD): Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

- Data Processor or Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.

- Data Subject: The identified or identifiable natural person.

- Data Controller or Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing.

- Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

- Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

4.5. DATA PROCESSING

4.5.1. Inventory and record of processing activities

The Annexes in section 8 contain:

- 8.1 Data Inventory

- 8.2 Systems Inventory

- 8.3 Record of Processing Activities

- 8.4 Record of Third-Party Processors

- 8.5 Record of International Data Transfers

These Annexes will be updated whenever there is a change in Grupo A3sec's PD processing. The personal data collected will be processed for the following specific purposes:

· Provision of Services:

- For the management, administration, provision, expansion, and improvement of our cybersecurity monitoring services, ensuring that their use is only authorized for the purposes of the service contract, contributing to the security and integrity of your networks and computer systems.

- To provide information to third parties with whom Grupo A3sec has a contractual relationship and to whom it is necessary to provide it for the fulfillment of the contracted purpose.

- To transfer or transmit personal data to comply with the anti-money laundering regulations that apply.

- To transmit personal data to third parties with whom Grupo A3sec has a contractual link or has signed a data processing agreement and to whom it is necessary to provide it for the fulfillment of the services provided to the client and the fulfillment of the contractual purpose.

- To carry out the relevant procedures for the development of the corporate purpose in relation to the contracted object entered into with the data subject.

· Commercial Relationship Management:

- To maintain and manage the contractual relationship with our clients, including payment, billing, and collection management.

- To contact the authorized data subject via email for sending invoices or account statements related to obligations arising from the relationship between the parties.

- To contact the data subject via email to send commercial material, as well as everything covering bidding processes and services contracted by Grupo A3sec.

- To respond to inquiries, complaints, and comments.

· Marketing and Advertising:

- To send commercial and promotional communications, where expressly consented.

- To send invitations to events and offer products and services.

- To conduct customer satisfaction surveys with whom a contractual relationship exists.

- To contact the authorized data subject for sending news through campaigns and loyalty programs.

· Security:

To maintain the security of our facilities, systems, and data.

· Employee Personal Data:

- Grupo A3Sec has a legitimate interest in processing the personal data of our personnel (hereinafter, "Staff Member"). However, even if not strictly necessary, by acknowledging this document, the employee authorizes the collection and processing of personal data during employment or contracting in the manner set forth below and as indicated in the formalized contract.

- To establish, manage, and maintain the contractual relationship, including the payment of your remuneration through financial institutions and to interact with tax agencies and social security offices, unions, mutual societies, and insurance entities.

- To carry out, where appropriate, time control and access to facilities (video surveillance).

- To evaluate aptitude for work or tasks, in order to offer training and career transition services, as well as to manage contracts and tasks, and for selection, evaluation, and professional improvement processes.

- To inform about products and services and payment and/or incentive schemes.

- To control the use of our information systems (including computers, servers, PCs, and mobile devices such as tablets, laptops, and mobile phones owned by Grupo A3sec) and, under the conditions established by law, your email communications, to verify compliance with your obligations and duties within the framework of your relationship and your work functions within Grupo A3Sec, as well as

- For the prevention and/or investigation of fraud and other crimes or torts.

- To manage and defend any claims and legal actions, to comply with court orders and other legal obligations and regulatory requirements, for all other purposes authorized by law.

- Grupo A3Sec collects, processes, and discloses your sensitive personal data only when necessary to comply with obligations imposed by law or if there is a compelling business reason to do so as permitted by applicable law or with the consent of the staff member. Your personal data will be stored by Grupo A3Sec for the entire duration of our contract with you and, subsequently, blocked for the period prescribed by law to address any responsibilities or legal or administrative reasons (generally 6 years).

- To carry out our business, your data will be processed and communicated to the following entities (limiting such data to what is necessary to perform the contract of these entities with Grupo A3Sec and, where applicable, for the legal reason).

· Suppliers:

- Behavior Review: Analyze malicious file behavior (actions performed, connections established).

- Negotiate and execute contracts or any other legal business arising between Grupo A3Sec and the supplier.

- Conduct security studies related to the individual supplier.

- Verify the data of the legal representatives of the legal entity suppliers.

- Verify the suitability of individual suppliers and employees of legal entity suppliers by virtue of contract execution.

- For the determination of outstanding obligations, the consultation of financial information and credit history, and reporting to credit bureaus regarding unfulfilled obligations of their debtors.

4.5.2. Legal Compliance

To comply with our legal and regulatory obligations, such as tax, accounting, and archiving obligations.

- Grupo A3sec may process personal information about its clients in order to provide the contracted services and other activities related to its corporate purpose. Contracts entered into with clients will be governed by the provisions of this policy and the law of the client's country of origin.

- Grupo A3sec assumes that the personal information of third parties, for which the Client is responsible and which acknowledges Grupo A3sec by reason or on the occasion of the contract entered into, has been processed in accordance with the provisions of the General Data Protection Regulation (GDPR) of the European Union, the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD) of Spain, the Federal Law on Protection of Personal Data Held by Private Parties of Mexico, the Organic Law on Personal Data Protection of Ecuador, and Statutory Law 1581 of 2012 on Data Protection for Colombia, and other current regulations at all times.

4.6. SECURITY MEASURES

We implement a series of technical and organizational measures to protect personal data against unauthorized access, loss, alteration, disclosure, or destruction. This includes:

- Data Encryption: Control applied to data both in transit and at rest.

- Access Controls: Restrictions on access to personal data only to authorized personnel.

- Periodic Audits: Regular evaluations and audits of our security and data protection practices.

- Training: Continuous training programs for our employees on data protection and security.


4.7. RIGHTS OF DATA SUBJECTS

Users have specific rights regarding their personal data, in accordance with applicable regulations. These rights include:

- Right of Access: Obtain confirmation of whether we are processing their personal data and, if so, access to it.

- Right to Rectification: Request the correction of inaccurate or incomplete data.

- Right to Erasure (Right to be Forgotten): Request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected.

- Right to Restriction of Processing: Request the limitation of the processing of their personal data in certain circumstances.

- Right to Data Portability: Receive their personal data in a structured, commonly used, and machine-readable format, and transmit it to another data controller.

- Right to Object: Object to the processing of their personal data in certain circumstances, such as in the case of direct marketing. To exercise these rights, you can contact us via email at dataprotection@a3sec.com.

4.8. INTERNATIONAL TRANSFERS

In cases where it is necessary to transfer personal data outside the Economic Area of the country of origin with equivalent regulations, we will ensure that such transfers are carried out in compliance with appropriate safeguards, such as standard contractual clauses approved by the European Commission or equivalent mechanisms.

4.9. RETENTION PERIODS

Personal data will be retained only for the time necessary to fulfill the purposes for which it was collected and in accordance with legal data retention periods. Subsequently, the data will be securely deleted, unless it must be kept to comply with a legal obligation or for the exercise or defense of claims.

4.10. RISK ANALYSIS

Annex 6.1 contains a risk analysis related to the Company's PD processing. The Privacy Monitoring Committee ("PMC") will monitor and inform the Privacy Officer of the application of the established control measures and the Risk Analysis.

4.11. UPDATING

These Annexes will be reviewed and controlled within the established Monitoring Committee.

4.12. PRIVACY ORGANIZATION

4.12.1 Roles and Governance

Grupo A3Sec designates the Data Protection Officer with the following functions:

- Review and propose changes to this PGP.

- Supervise compliance with personal data protection regulations.

- Identify changes in personal data regulations and communicate them to the security and privacy committee.

- Coordinate the response to potential personal data breaches.

- Act as a point of contact with data protection authorities.

- Suggest data protection controls in projects or processes involving high risk.

- Disseminate and raise awareness about personal data protection.

- Keep the General Data Protection Policy reviewed, updated, and approved by the Security and Privacy Committee.

- Address the guidelines and requirements under their responsibility for Personal Data Protection.

- Be the point of contact for internal and external privacy requests within the organization.

A Security and Privacy Committee is established as the data controller, composed of the management of Grupo A3sec in Spain, Colombia, and Mexico as participants, including the Data Protection Officer. The Committee has the following functions:

- Periodically review the application of this PGP, applying the control points established in Section 6.5.

- Review and propose changes to this PGP.

- Establish the purposes for which personal data is collected and processed, as well as the methods and processes used to maintain its data protection.

- Ensure compliance with legal responsibility and current regulatory obligations.

The collaborators who process or administer PD in any way due to their competence and functions are designated as Data Processors for each area of the Company and clients, as designated in the job description manual. The Data Processor has the following functions:

- Guarantee the custody of the acceptance of use and storage of personal data in digital and physical processes.

- Process personal data in accordance with Grupo A3sec's guidelines and respecting client directives.

- Implement the necessary technical and organizational measures to ensure an adequate level of protection.

- Ensure that personal data complies with confidentiality, integrity, availability, traceability, and authenticity processes.

- Communicate and assist the Data Protection Officer in responding to requests if required. Ensure compliance with data protection regulations on technical platforms.

4.13. PROTOCOLS

The following internal protocols are established to ensure compliance with PD protection regulations (indicated in Annex 7):

| Protocol | Document | Objective |
|---|---|---|
| Incidents | Incident Protocol | Document personal data incidents and, where applicable, notify the Data Controller/data subjects/supervisory authority. |
| ARCOPOL Rights Exercise | Arcopol Protocol | Respond to data subjects' exercise of rights. |
| New PD Processing | New Processing Activity Protocol | Carry out a Data Protection Impact Assessment, in case of risk to the rights and freedoms of data subjects. |
| Employee and Supplier Onboarding/Offboarding | Employee and Staff Onboarding/Offboarding Protocol | Ensure the confidentiality and training of employees. |
| Supplier Onboarding/Offboarding | Supplier Questionnaire and Security Checklist | Due diligence in verifying the quality of data processors. |
| Client Onboarding/Offboarding | Client Onboarding/Offboarding Protocol | Ensure the confidentiality and training of clients. |

The protocols are included in this PGP in Section 7 (Protocols).

4.14. PERSONNEL OBLIGATIONS

- TRAINING: Effective management of PD under the responsibility of Grupo A3sec will be carried out:

- Persons to whom this security document applies, with access to and use of PD, will comply with the duties established in Personnel Obligations.

- The Security Officer has established mechanisms to prevent a user from accessing data or resources with different rights than those authorized.

- The need to create new files with personal data and the modification or deletion of those present in the file inventory will be communicated to the Security Officer.

- Only authorized personnel may grant, alter, or cancel authorized access to data and resources, with the approval of the criteria established by the Security Officer.

All Personnel who access personal data are obliged to know and observe the measures, rules, procedures, and standards that affect the functions they perform. All persons must maintain due secrecy and confidentiality regarding personal data they come to know in the performance of their work. They must sign the Employee Confidentiality Policy.

It is an obligation of the Personnel to notify the Security Officer of any security incidents of which they become aware regarding protected resources, according to the procedures established in this document. To ensure that all Personnel are aware of the security rules that affect the performance of their duties within the Company, as well as the consequences of non-compliance, they are provided with the following means of knowing this policy and its annexes.

The Personnel has been informed of their obligations and functions according to the following procedure:

- Each person has signed a confidentiality commitment, either in their employment contract or in the services contract.

- Each person can directly access this General Privacy Policy in Grupo A3Sec's document repository, implemented in Google Drive, GENERAL OFFICE Section, GDPR Subsection.

- Each person has received training sessions on obligations and functions regarding personal data (coordinated by the Security Officer, together with the Human Talent department).

Any person who violates these regulations will be subject to labor discipline, considered a labor breach (depending on the specific case, as a minor, serious, or very serious offense).

4.15. INCIDENT MANAGEMENT

Definition of Incident: A "security incident" is considered, among others, any non-compliance with the regulations developed in this PGP, and in particular the Security Rules, as well as any anomaly that affects or may affect the security of personal data.

In order to duly comply with the established provisions, the Company has this procedure for notification, management, and response to incidents.

Annex 7.1 contains the Incident protocol.

a) Types of Incidents that must be notified

Below is a list of incidents that will be unequivocally registered. This list may be expanded with other types of incidents that may have been omitted:

· Incidents affecting user identification and authentication:

- Loss of password confidentiality.

- Detection of irregular accesses (failed access attempts, accesses outside office hours, etc.) after "logs" review.

- Deactivation periods of security tools.

- User communication of suspicion that someone has impersonated their identity.

· Incidents affecting data access rights:

- Requests for modification of data access rights.

- Requests for modification of access rights to access management tools and utilities with privileged access.

· Incidents affecting media management:

- Communication of media loss.

- Communication of media location in inappropriate places.

- Content errors in received and sent media.

· Incidents affecting backup and recovery procedures:

- Errors detected in backup processes.

- Data recovery procedures carried out.

· Incidents affecting non-automated files (paper-based):

- Media or documents with data found outside the Entity without custody.

- Detection of unauthorized copies of file data.

· Incidents affecting compliance with established security rules:

- Any non-compliance with personal data security and protection measures.

Any other incidents observed as a result of the execution of controls defined to ensure compliance with the Security Document (biennial audits, monthly reviews, etc.).

b) Incident Notification Procedure

Any person who is part of the Company's staff or is providing services in it (even if temporarily) must immediately notify the Security Officer of any incident they detect that affects or may affect the security of protected data and resources. The notification will be made through any means that ensures the confidentiality of the incident, according to the protocol in Annex 7.1.

Delay in incident notification will constitute a breach of contractual good faith, punishable according to applicable labor regulations.

c) Incident Log

The Security Officer, in accordance with Article 33(5) of the GDPR, maintains an electronic incident log.

Annex 7.1 includes the format model that the Security Officer will use for incident logging. These logs will be stored by the Security Officer for historical purposes for the time required to meet legal and audit obligations (at least 5 years).

d) Incident Response

The Security Officer will manage any security incidents that may occur, initiating their resolution within 10 days of notification.

The Security Officer will supervise the work of correcting the detected anomaly and record all actions and measures taken to resolve or minimize the incident in the incident log. For control purposes, information that allows verification of compliance with the incident response time is included in the incident log itself.

4.16. PERIODIC CONTROLS AND AUDITS

a) Periodic controls to verify compliance with standards

The Security Officer will carry out the periodic controls indicated in Annex 6 of this policy.

b) Audits

Periodically, when deemed necessary and appropriate, an audit of the information systems and personnel within the scope of the Security document will be carried out for files requiring the implementation of medium-level measures. The audit may be internal or external, as deemed appropriate at the time of its execution.

An audit will also be necessary when substantial modifications occur in the information and organizational systems with repercussions on the security of protected data.

The purpose of the audit will be to measure the degree of compliance with the security measures established by Data Regulations and the procedures, instructions, and policies developed in the Security Rules.

The Security Officer will analyze the audit report and present the conclusions obtained, along with improvement proposals, to the File Controller for the adoption of appropriate corrective measures.

The audit report will be kept by the Security Officer, in case it is required by the Data Protection Agency. All Company personnel and external service providers who have access to personal data must at all times provide their cooperation to carry out the necessary controls and their corresponding audit at the request of the Security Officer.

4.17. COMPLIANCE WITH FUNDAMENTAL PRINCIPLES

4.17.1 Legitimacy and Purposes

Definition of Legitimacy: A "lawful or legal processing" is considered processing carried out on the basis of the Data Subject's consent, or if necessary for the performance of a contract to which the data subject is party, for compliance with a legal obligation, to protect the vital interests of the data subject or another natural person, for the performance of a task carried out in the public interest or in the exercise of official authority, or if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Personal Data will only be processed for legitimate purposes of Grupo A3Sec and with the informed consent of the data subjects. The Record of Processing Activities indicates the legitimacy and consent provided for each PD processing carried out by the Company.

The Data Protection Officer will control the legitimacy of each PD processing. The Company will maintain an adequate information system to be able to associate each PD processing with the informed consent of the data subject. Current legitimacy is established below:

| Category of Data Subjects (RAT) | Legitimacy |
|---|---|
| Employees | Contract execution, legitimate interest |
| Applicants, individuals providing CVs to the company | Consent |
| Supplier contacts | Contract execution, legitimate interest |
| Registered user contacts | Contract execution, legitimate interest |
| Client contacts | Contract execution, legitimate interest |
| Potential client contacts | Contract execution, legitimate interest |


4.18. SENSITIVE PROCESSING

Definition of sensitive data: "Sensitive data" is considered any personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

The Company will not carry out processing of data classified as Sensitive (see Definitions) or Special Categories (see Definitions), without complying with the following procedure:

- Notification of the intended processing to the Company's Privacy Officer.

- Identification of the data to be processed and the processing activities.

- Risk analysis, carried out under the supervision of the Privacy Officer.

- Report on the application of organizational, technical, and legal measures to ensure the correct level of protection.

- Authorization signed by the Privacy Officer.

➔ Currently, according to the RAT, the Company does not process sensitive data. See analysis of the need for a DPO and DPIA in Annex 6.6 and 6.7.

4.18.1 Data Minimization

Definition of data minimization: The principle of data minimization prescribes that personal data must be adequate, relevant, and limited to what is necessary in relation to the purpose for which they are processed. The Company processes only the data that are strictly necessary for its purposes, as stated in the RAT. The adequacy of the data with the purposes is analyzed below:

| Categories of data subjects | Types of data | Purposes |
|---|---|---|
| Employees | Identification and contact data | HR management |
| Applicants, individuals providing CVs to the company | Identification and contact data, professional and academic experience | Recruitment |
| Supplier contacts | Identification and contact data | Commercial management and contract drafting |
| Registered user contacts | Identification and contact data | Commercial management with registered users |
| Client contacts | Identification data | Commercial relationship management |
| Potential client contacts | Identification data | Maintain commercial contact |

After analyzing the data in the table above, the Company considers that all processed data are necessary for the indicated purpose. The Company implements the following measures to ensure minimal data processing:

- Online contact and registration forms only contain the strictly necessary fields for the purpose (contact, user registration, etc.).

- Automatically collected information is deleted within the minimum timeframes (cookies, etc.) and is designed to collect only the data necessary for the purposes.

- The company periodically reviews all paper files and eliminates any files that may contain personal data.

- The company implements a retention policy indicated below and deletes or blocks as much data as necessary to minimize processing.

- The company implements employee, client, and supplier onboarding and offboarding processes to ensure minimal data processing (see Annex 7.4).

4.19. DATA RETENTION, BLOCKING, AND DELETION

Definition of data storage limitation principle: The principle of data storage limitation prescribes that data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

The Company will store data for the following periods:

| Category of Data Subjects | Types of data | Deletion period |
|---|---|---|
| Employees | Identification and contact data | Duration of the employment contract and 6 years thereafter. |
| Applicants, individuals providing CVs to the company | Identification and contact data, professional and academic experience | From the interview date and 2 years thereafter. |
| Supplier contacts | Identification and contact data | As provided by tax legislation regarding the statute of limitations for liabilities. Duration of contract and 10 years thereafter. |
| Registered user contacts | Identification and contact data | Duration of the contract and 10 years thereafter. |
| Client contacts | Identification data | Duration of the contract and 10 years thereafter. |
| Potential client contacts | Identification data | Duration of the contract and 10 years thereafter. |

The data will be stored in the company's active systems indicated in this document as long as they are required for the indicated purposes (e.g., end of the contractual relationship). Once the purposes are fulfilled (see cases below), they will be cancelled in the company's active systems and will only be kept in blocked and encrypted backup copies, which only the Security Officer can access, for the indicated periods (periods corresponding to labor, accounting, tax, and social security anti-fraud regulations). After this period, they will be completely deleted, except for data that is disassociated and intended for historical or statistical purposes. If the data is in documents, deletion or dissociation, if applicable, will be carried out using a paper shredder.

Cases of data cancellation and blocking:

- At the request of the data subject.

- Inactivity of the user/client account after 6 months, once the user has been informed of the deactivation.

- Termination of the data subject's relationship with the company (employment, client, supplier).

The Security Officer will verify compliance with this section at least once every 6 months. The cancellation of personal data will be carried out by blocking, which, depending on the processing system, will be:

- Logical blocking: When personal data is stored in applications or databases located in the entity's information systems. This blocking will be requested from the IT support department using the personal data blocking request form to proceed with the corresponding development.

- Physical blocking: When data is stored on physical media or documents, the media will be stored in a restricted access area in the Administration Department's offices, and only the Grupo A3Sec Security Officer will have access.

4.20. DATA QUALITY 

Definition of data quality: The principle of data quality prescribes that personal data must be accurate and up-to-date, and correctly formatted. Ensuring data quality is a continuous process. To respect this principle, the company carries out the following activities: 

| Categories of data subjects / data | Activities to ensure data quality |
|---|---|
| Employees | Validation with automatic validation tools (e.g., email address validation, spelling errors); periodic verification that the data are consistent and current; deletion/correction of outdated or inconsistent data |
| Candidates | Periodic verification that the data are consistent and current; deletion/correction of outdated or inconsistent data |
| Client contacts | Periodic verification that the data are consistent and current; deletion/correction of outdated or inconsistent data |
| Potential client contacts | Periodic verification that the data are consistent and current; deletion/correction of outdated or inconsistent data |
| Supplier contacts | Periodic verification that the data are consistent and current; deletion/correction of outdated or inconsistent data |
| Registered users | Periodic verification that the data are consistent and current; deletion/correction of outdated or inconsistent data |

4.21. DATA SUBJECT RIGHTS

Under data protection laws, data subjects have the right to: 

- Request access to their personal data (commonly known as a "data subject access request"). This allows you to receive a copy of the personal data the Company holds about you and to check that it is lawfully processing it. 

- Request correction of the personal data that the Company holds about you. This enables you to have any incomplete or inaccurate data the Company holds about you corrected. 

- Request erasure of their personal data. This enables you to ask the Company to delete or remove personal data where there is no good reason for it to continue processing it. You also have the right to ask the Company to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where the Company may have processed your information unlawfully or where the Company is required to erase your personal data to comply with local law. 

- Object to the processing of their personal data where the Company is relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where the Company is processing your personal data for direct marketing purposes. In some cases, the Company may demonstrate that it has compelling legitimate grounds to process your information which override these rights. 

- Request restriction of processing of their personal data. This enables you to ask the Company to suspend the processing of your personal data in the following scenarios:

(a) if you want the Company to establish the data's accuracy; 

(b) where the Company's use of the data is unlawful but you do not want the Company to erase it; 

(c) where you need the Company to hold the data even if the Company no longer requires it as you need it to establish, exercise or defend legal claims; or 

(d) you have objected to the Company's use of your data but the Company needs to verify whether it has overriding legitimate reasons to use it. 

- Request the transfer of their personal data to themselves or to a third party. The Company will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for the Company to use or where the Company used the information to perform a contract with you. 

- Withdraw consent at any time where the Company is relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, the Company may not be able to provide certain products or services to you. 

Grupo A3Sec has implemented the following measures to make these rights effective:

- Creation of a specific email address where data subjects can direct their requests: dataprotection@a3sec.com

- A special protocol (ARCO Protocol) is established to define the necessary actions in case of ARCO requests.

- Personal data recovery: When personal data recovery is necessary, the Security Manager will treat it as an incident and must log it.


4.22. PRIVACY BY DESIGN 

Definition of Data Protection by Design: The term "Data Protection by Design" means that the Controller shall, at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR. Grupo A3Sec, in order to ensure compliance with the requirements and, therefore, to protect the rights of the data subjects, applies the following measures:

- In the process of collecting personal data, only personal data of data subjects that are strictly necessary are collected;

- Data quality is constantly reviewed, periodically checking the consistency and relevance of the data and deleting those that are no longer relevant.

- Both technical and physical security measures have been implemented to guarantee the processing of personal data by Grupo A3Sec in accordance with the security standards required by data protection regulations. In addition, Grupo A3Sec maintains a record or authorizes access to personal data;

- A strict policy has been implemented that all employees and independent contractors follow in relation to personal data;

- Interested parties can easily exercise data subject rights by contacting the Company via email or postal mail.

- The way to exercise data subject rights is indicated in the website's privacy policy, as well as in all contracts.

- Grupo A3Sec, under the principle of data minimisation and storage limitation, will delete all personal data when it is no longer necessary and will store (block) it for administrative and legal liability reasons.

  1. 5. PROTECTION MEASURES AND SECURITY POLICY

Security Measures: The Company has the obligation to implement security measures to ensure a level of security appropriate to the risk, which includes:

- The pseudonymisation and encryption of personal data;

- The ability to ensure the ongoing confidentiality, integrity, availability, traceability, authenticity and resilience of processing systems and services;

- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

- A process for regularly testing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of processing, enforced through its Corporate Information Security Policy.

Approval Date: August 27, 2024