Personal data protection and information security policy

Graphenus is aware of the importance of information security and personal data protection as key factors in achieving organisational excellence, market competitiveness, business sustainability and regulatory compliance.


Accordingly, the group has established processes within the organisation for planning and implementing controls, as well as for monitoring and improvement, in order to ensure the confidentiality, integrity, authenticity, traceability and availability of information and services.


The Graphenus management team is responsible for implementing, updating, improving, accrediting and maintaining an Information Security Management System, in accordance with good practices and international standards, specifically in accordance with the standard "UNE-EN ISO/IEC 27001:2017. Information technology. Security techniques. Information Security Management Systems. Requirements". It has established the following objectives:


  • Establish an information security committee, with authority and competence to ensure confidentiality, authenticity, integrity, availability and traceability of information.
  • Implement the security organisation, designating those responsible for security, services, information, personal data protection and information systems.
  • Analyse the risks and threats to the security of the information handled and implement the necessary organisational, operational and technical measures for its proper treatment.
  • Ensure business continuity in the face of events that could affect critical assets.
  • Plan human and technological resources to provide services to clients in accordance with information security requirements and in compliance with current legislation.
  • Raise awareness and train all staff and collaborators in information risks and threats, the regulations for their prevention and mitigation and the notification of incidents.
  • Measure and analyse the objectives and indicators of information security management, enabling the monitoring of security risks and incidents and the management and improvement of the effectiveness of measures and controls.
  • Implement review, audit and continuous improvement processes to ensure that established controls and security measures are maintained.
  • Comply with and demonstrate compliance with applicable legal, policy and regulatory requirements, with particular emphasis on those ensuring digital rights and personal data protection.


Graphenus and all its members undertake to carry out their activities in accordance with current national and international data protection legislation, paying particular attention to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the GDPR), and to Organic Law 3/2018 of 5 December 2018 on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPD).


Graphenus has a Data Protection Officer (DPO) in charge of supervising data protection compliance.
The actions of the group and all its employees in the processing of personal data are in line with the basic principles set out in Article 5 of the GDPR:


a) Principle of legality, transparency and fairness.

b) Purpose limitation principle. It implies that the data must be processed for specified, explicit and legitimate purposes, and prohibits the data collected from being further processed in a way incompatible with those purposes.

c) Principle of data minimisation. Technical and organisational measures must be implemented to ensure that only data that are strictly necessary ('adequate, relevant and limited') for each purpose are processed.

d) Principle of accuracy. Data must be kept up to date and must be deleted or rectified if inaccurate.

e) Principle of limitation of the storage period. Once the purposes of the processing have been achieved, the data should be erased, blocked or anonymised.

f) Principle of integrity and confidentiality. The processing must ensure the integrity, availability and confidentiality of personal data.


The data controller shall be responsible for ensuring compliance with the above principles and for demonstrating compliance with them, in accordance with the principle of proactive responsibility. Consequently, the General Management of Graphenus is committed to allocating reasonable and proportional human and material resources for the achievement of the above objectives. Responsibility for the proper functioning of the Information Security Management System therefore falls on the General Management, which delegates to the Information Security Manager the authority and competences necessary for its effective implementation, accreditation, maintenance and improvement, with the support of the management team and the Graphenus staff and collaborators.