Information Security Policy

INTRODUCTION

Information is a core asset for our organization, and therefore we treat information security as a critical and fundamental element.

OBJECT

The purpose of this document is to define the fundamental principles and basic rules governing information security management at PADIMA.

SCOPE

This policy applies to PADIMA’s entire Integrated Management System, to all employees and users, including third parties who process information on our behalf.

It shall apply to the organization’s information systems, including personal devices or servers, networks, applications, operating systems, and business processes that belong to and/or are managed by PADIMA. This policy covers the aspects most directly related to personnel responsibility and the proper use of these systems.

INFORMATION SECURITY POLICY

At PADIMA, we believe that the application of good Information Security practices is fundamental, and therefore we are committed to continuous improvement in order to protect you, our clients, and all those with whom we interact.

PADIMA defines the following application principles as a reference framework for the establishment of information security objectives, which apply as the highest-level rules in your relationship with PADIMA. In this regard, you must:

  • Contribute to Information Security throughout the Organization as required for your role.
  • Preserve the confidentiality, integrity, availability, and resilience of information, with the objective of ensuring compliance with legal, regulatory, and customer requirements related to information security.
  • Comply with the remaining specific policies communicated by PADIMA.
  • Specifically with regard to personal data:
    • You shall process them lawfully, fairly, and transparently in relation to the data subject (Lawfulness, fairness, and transparency).
    • You shall collect them for specified, explicit, and legitimate purposes, and shall not process them in a manner incompatible with those purposes (Purpose limitation).
    • The data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (Data minimization).
    • You shall ensure that they are accurate and kept up to date, adopting reasonable measures to ensure that inaccurate personal data are erased or rectified without delay with regard to the purposes for which they are processed (Accuracy).
    • You shall retain them for no longer than is necessary for the processing of personal data; where they are processed solely for public archiving purposes, scientific or historical research purposes, or statistical purposes (Storage limitation).
    • You shall process them in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through the implementation of appropriate technical or organizational measures (Integrity and confidentiality).

PADIMA, for its part:

  • Protects PADIMA’s information assets against internal or external threats, whether deliberate or accidental, in order to ensure the continuity of the services provided to our clients and the security of information.
  • Establishes information security plans that integrate activities for the prevention and minimization of the risk of security incidents, based on the established risk management criteria.
  • Provides the necessary means to carry out the appropriate actions to manage the identified risks.
  • Assumes responsibility for information security awareness and training as a means of ensuring compliance with this policy.
  • Seeks to continuously improve security through the establishment and periodic monitoring of information security objectives, risk analyses, and plans for their treatment in accordance with international standards.

Any deliberate or negligent breach of security policies and standards that may result in potential harm, whether incurred or not, to PADIMA shall be sanctioned in accordance with the mechanisms provided for in the applicable collective agreement and in the current legal, contractual, and corporate regulations.

Disciplinary actions in response to breaches of the Information Security Policy are the responsibility of PADIMA’s Management and governing bodies, in accordance with applicable legislation.

In the event that a breach of this policy is detected, or for any inquiries, you may contact the Security Committee, established to ensure compliance with this policy, at the following email address: csi@padima.es.

UPDATE AND MAINTENANCE

This policy shall be maintained, updated, and kept appropriate to the purposes of the Organization, aligned with its risk management context. It shall be reviewed at planned intervals or whenever significant changes occur, in order to ensure that its suitability, adequacy, and effectiveness are maintained.

DISTRIBUTION OF THIS POLICY

The distribution of the security policy shall be carried out in the following ways, depending on the stakeholder group to which it is addressed:

  • Organization personnel and management: the distribution of the security policy shall be carried out via email or the organization’s official messaging tools.
  • Clients, partners, suppliers, and other stakeholders: the security policy shall be included as a section of our website, where it may be consulted and kept up to date at all times.

APPROVAL AND ENTRY INTO FORCE

This Information Security Policy shall be effective from the date of approval and shall remain in force until replaced by a new one.

Approved by Eva Toledo at the Security Committee meeting dated 06/03/2025.

Reviewed according to the ISMS Controls plan on 03/02/2026, with no changes or modifications.

Last review: February 3rd, 2026.
