Personal data protection and information security policy

Elliot Cloud is aware of the importance of information security and personal data protection as key factors in achieving organisational excellence, market competitiveness, business sustainability and regulatory compliance.

Accordingly, the group has established processes within the organisation for planning and implementing controls, as well as for monitoring and improvement, in order to ensure the confidentiality, integrity, authenticity, traceability and availability of information and services.

Elliot Cloud's management team is responsible for implementing, updating, improving, accrediting and maintaining an Information Security Management System, in accordance with best practices and international standards, specifically in accordance with the standard UNE-EN ISO/IEC 27001:2017. Information technology. Security techniques. Information Security Management Systems. Requirements. It has established the following objectives:

• Establish an information security committee, with authority and competence to ensure confidentiality, authenticity, integrity, availability and traceability of information.
• Implement the security organisation, designating those responsible for security, services, information, personal data protection and information systems.
• Analyse the risks and threats to the security of the information handled and implement the necessary organisational, operational and technical measures for its proper treatment.
• Ensure business continuity in the face of events that could affect critical assets.
• Plan human and technological resources to provide services to clients in accordance with information security requirements and in compliance with current legislation.
• Raise awareness and train all staff and collaborators in information risks and threats, the regulations for their prevention and mitigation and the notification of incidents.
• Measure and analyse the objectives and indicators of information security management, enabling the monitoring of security risks and incidents and the management and improvement of the effectiveness of measures and controls.
• Implement review, audit and continuous improvement processes to ensure that established controls and security measures are maintained.
• Comply with and demonstrate compliance with applicable legal, policy and regulatory requirements, with particular emphasis on those ensuring digital rights and personal data protection.

Elliot Cloud and all its members undertake to carry out their activities in accordance with current national and international data protection legislation, paying particular attention to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union.
Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the GDPR); and to Organic Law 3/2018 of 5 December 2018 on the Protection of Personal Data and the Protection of Individuals with regard to the Processing of Personal Data (hereinafter referred to as the GDPR); and to Organic Law 3/2018 of 5 December 2018 on the Protection of Personal Data (hereinafter referred to as the GDPR).
guarantee of digital rights (hereinafter, LOPD).

Elliot Cloud has a Data Protection Officer (DPO) responsible for overseeing data protection compliance.
The actions of the group and all its employees in the processing of personal data are in line with the basic principles set out in Article 5 of the GDPR:

a) Principle of legality, transparency and fairness.

b) Purpose limitation principle. It implies that the data must be processed for specified, explicit and legitimate purposes, and prohibits the data collected from being further processed in a way incompatible with those purposes.

(c) Data minimisation principle. Technical and organisational measures must be implemented to ensure that only data that are strictly necessary ('adequate, relevant and limited') for each purpose are processed.

d) Principle of accuracy. Data must be kept up to date and must be deleted or rectified if inaccurate.

e) Principle of limitation of the storage period. Once the purposes of the processing have been achieved, the data should be erased, blocked or anonymised.

f) Principle of integrity and confidentiality. The processing must ensure the integrity, availability and confidentiality of personal data.

The controller will be responsible for ensuring the performance in accordance with the above principles and demonstrate compliance, in accordance with the principle of proactive responsibility. Elliot Cloud's General Management, consequently, with the above, is committed to the allocation of human and material resources, reasonable and proportional, to achieve the above objectives. The responsibility for the proper functioning of the Information Security Management System lies, therefore, in the General Management, delegating to the Head of Information Security the authority and powers necessary for its effective implementation, accreditation, maintenance and improvement, relying, for this, with the support of the management team and staff and collaborators of Elliot Cloud.