JUSTIFICATION
EDNON has established a framework of information security and information technology strategies aligned with the business. Its ultimate goal is to continuously improve customer service and ensure improved information security. The general objective is to create a more innovative, responsive, efficient, and low-risk service that facilitates customer activity, ensuring its availability and improving customer satisfaction. This general objective serves as a reference framework for establishing specific information security and ICT service objectives.
The organization's various areas and departments will consider security from the moment personal data is processed ("privacy by design"), applying established security measures to existing data, thus guaranteeing its availability, authenticity, integrity, and confidentiality ("privacy by default").
CORPORATE POLICY
Taking the above into account, EDNON is committed to:
Implementing and maintaining an Information Security and ICT Services Management System (ISMS) based on the requirements of the international standards UNE-ISO/IEC 27001 and UNE-ISO/IEC 20000-1, as well as the National Security Framework (ENS), appropriate for the organization, efficient, and dynamic, allowing it to meet the applicable requirements, needs, and expectations of its service users, as well as maintaining the information security levels required by the activities carried out and the establishment and review of the established service management and information security objectives.
Complying with and ensuring compliance with the legal and contractual requirements applicable to the company's activities regarding information security and ICT services.
Reducing and addressing risks to services and associated information, both internal and external, resulting in greater availability.
Facilitating the commitment, participation, communication, and awareness of all internal and external stakeholders involved in the organization's activities, as well as further integrating suppliers and collaborators into these activities.
Basing the Information Security and ICT Services Management System on the prevention of non-conformities as a means of improving effectiveness and efficiency.
Monitoring our customers' needs, addressing suggestions, complaints, and requests, and making decisions that will be implemented in the management system.
All people in the organization must comply with and ensure compliance with the provisions of EDNON's ISMS (Information and Services Security Management System).
PERSONAL DATA PROTECTION
The areas that comprise EDNON will:
Process personal data that needs to be collected fairly and lawfully. The collection of data through fraudulent, unfair, or illicit means is prohibited.
Comply with the international, national, or local personal data protection legislation applicable in each case.
Ensure respect for the principles of quality for personal data. Personal data will be collected and processed when appropriate, relevant, and not excessive in relation to the scope and purposes for which it is collected or processed. These purposes must be specific and legitimate, unless otherwise provided by applicable law.
Ensure that the personal data collected is truthful and accurate.
Likewise, they will promote the consideration of the set of standards of conduct and principles of action contained in this Policy:
In the design and implementation of their corporate policies, internal compliance standards, or the procedures that comprise them.
In the products and/or services offered.
In the contracts and obligations formalized or assumed.
In the implementation of any systems and platforms that allow access by EDNON professionals or third parties and/or the collection or processing of personal data.
The objective of the security organization is to establish a management structure to control and manage information security within the organization.
MANAGEMENT COMMITMENT
To ensure this compliance, Management delegates the responsibilities of supervising, verifying, and monitoring the system to the Security Manager and the ICT Services Manager, who have the necessary authority and will have the appropriate resources to ensure the proper operation of everything defined in the ISMS.
Finally, Management undertakes to provide the necessary means and adopt appropriate improvements throughout the Organization to promote the prevention of risks and damage to assets, thereby improving the efficiency and effectiveness of the ISMS.
REVIEW AND APPROVAL
This policy is reviewed periodically and will be available within the organization and externally to all interested parties through the company's website.
Santiago de Compostela, February 28, 2023
