INFORMATION SECURITY POLICY

  1. Home
  2. INFORMATION SECURITY POLICY

1.- Statement of Principles

The PAPREC Group is a group of entities dedicated to integrated waste management and environmental services. In the course of its activities, PAPREC considers information and personal data to be high-value assets, the protection of which is essential to ensure business continuity, customer trust and regulatory compliance.

Aware of this responsibility, PAPREC establishes this Information Security Policy as a reference framework to protect the confidentiality, integrity, availability, authenticity and traceability of information, as well as to ensure compliance with applicable legislation.

Information security and privacy protection form an integral part of PAPREC’s corporate culture and are present throughout all stages of the lifecycle of the organisation’s systems, services and processes.

2.- General Objectives

The purpose of the Security Policy is to establish the general principles and guidelines that enable:

  • The protection of information and data against internal or external, deliberate or accidental threats.
  • The guarantee of service and operational continuity.
  • Compliance with applicable legal, regulatory and contractual requirements.
  • The protection of personal data in accordance with current regulations.
  • The effective management of information security risks.

Security measures are defined and implemented taking into account risk analysis and the balance between the acceptable level of risk and the cost of the measures implemented.

3.- Commitment of Senior Management

PAPREC Senior Management expresses its firm commitment to Information Security and Privacy Protection, undertaking to:

  • Integrate information security as a key element of the corporate strategy.
  • Ensure compliance with applicable legislation, especially regarding the protection of personal data.
  • Promote the continuous improvement of security processes and controls.
  • Provide the necessary resources to maintain an appropriate level of security.
  • Ensure business continuity through appropriate plans and procedures.
  • Promote staff training and awareness regarding information security.
  • Encourage responsible relationships with customers, suppliers and other stakeholders in relation to information security.

4.- Principles of Information Security

PAPREC bases its information security management on the following fundamental principles:

  • Confidentiality: Information is accessible only to duly authorised persons.
  • Integrity: The accuracy and completeness of information and the systems processing it are guaranteed.
  • Availability: Information and services are available when required.
  • Authenticity: The identity of individuals and systems accessing or generating information is ensured.
  • Traceability: Actions carried out on information can be unequivocally attributed.
  • Regulatory compliance: Information is managed in accordance with applicable legal, ethical and professional requirements.

5.- Protection of Personal Data

In the course of its activities, PAPREC processes personal data and undertakes to comply with the principles established by data protection regulations, including:

  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality.
  • Accountability.

PAPREC implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing of personal data.

6.- Security Organisation

Information security is the responsibility of the entire organisation. PAPREC has an organisational structure that enables:

  • The definition of security responsibilities.
  • The coordination of information security management.
  • The monitoring of compliance with this Policy.
  • The effective management of security incidents.

The operational details of this organisation are set out in internal documentation.

7.- Risk Management

PAPREC periodically identifies, analyses and manages the risks that may affect information security and the protection of personal data, adopting the necessary measures to reduce such risks to acceptable levels.

8.- Staff Awareness and Obligations

All PAPREC staff are required to know and comply with this Security Policy, as well as with the rules and procedures derived from it. The organisation promotes ongoing training and awareness initiatives to ensure a strong culture of information security.

9.- Third Parties

When PAPREC collaborates with third parties or grants them access to information or services, it ensures that such third parties comply with appropriate levels of security and applicable regulations through contractual agreements and controls proportionate to the risk.

10.- Review and Improvement

This Security Policy is reviewed periodically to ensure its suitability to the organisation’s context, technological changes, emerging risks and applicable regulations.

11.- Applicable Legislation

This Policy aligns, among others, with the following regulations:

  • National Security Framework (ENS).
  • General Data Protection Regulation (EU) 2016/679.
  • Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights.
  • Applicable legislation regarding information society services and security.