Privacy Policy and Information Security

PRIVACY POLICY

All the companies forming part of AUREN are totally committed to the security of any personal information and its lawful transparent processing.

In this document, we will provide you with detailed information relating to the processing of any personal data gathered through this Webpage.

DATA CONTROLLER

Depending on the service or information requested through this Webpage, the processing of your data may be carried out by any of the entities forming part of AUREN, according to the following list:

AUREN INTERNACIONAL, SERVICIOS PROFESIONALES AVANZADOS, S.L., with registered address at Calle Mallorca 260, Ático, Madrid (08008) and Spanish tax ID code B64250970.

AUREN SERVICIOS PROFESIONALES AVANZADOS S.L., with registered address at Avenida General Perón, 38 3ª planta, Madrid (28020) and Spanish tax ID code B83151464.

AUREN AUDITORES SP SLP, with registered address at Avenida General Perón, 38, Madrid (28020) and Spanish tax ID code B87352357.

AUREN CORPORATE SP SLP, with registered address at Avenida General Perón, 38, Madrid (28020) and Spanish tax ID code B87364659.

AUREN CONSULTORES SP SLP, with registered address at Avenida General Perón, 38, Madrid (28020) and Spanish tax ID code B87352340

AUREN ABOGADOS Y ASESORES FISCALES SP SLP, with registered address at Avenida General Perón, 38, Madrid (28020) and Spanish tax ID code B87352373

AUREN HOLDING SP SLP, with registered address at Avenida General Perón, 38 3ª Planta, Madrid (28020) and Spanish tax ID code B87558797

AUREN INTERNACIONAL SERVICIOS PROFESIONALES AVANZADOS, S.L., with registered address at Calle Mallorca, 260 Ático, Barcelona (08008) and Spanish tax ID code B64250970.

For communication purposes, the address of all the foregoing companies will be: Avenida General Perón, 38 3ª Planta – 28020 – Madrid

AUREN has a Data Protection Officer, who may be contacted through the following email address: dpd@auren.es

PURPOSE OF THE COLLECTION AND PROCESSING OF PERSONAL DATA

The different companies comprising AUREN collect their personal data through the forms included on this Webpage, taking into account the following purposes:

• Answering any messages sent to us through our “Contact” form.
• Managing staff recruitment processes for the companies comprising AUREN and in relation to the applicant as a candidate in those processes, when the data is collected through our “Work with us” form.
• Managing your registrations for AUREN courses and events, when such registration was requested by completing our “Events form”, through an email sent to AUREN or through our webinar registration forms on the various publicising platforms.
• Managing your subscription to our Blog through the corresponding subscription form.

PERSONAL DATA TO BE PROCESSED

General access and browsing on this Webpage does not require any registration by the user, except in order to request certain services or functionalities, in which case you must provide the information requested through the corresponding application or registration forms. All fields marked with an asterisk (*) on these forms must be completed; therefore, if any of them are omitted, this could make it impossible to obtain the services or information requested.

LAWFUL BASIS FOR THE DATA PROCESSING

The simple fact of sending us your personal data through any of the forms on our webpage will imply your consent to its processing.

Consequently, when ticking the box appearing on all the data collection forms on this Webpage that reads “I have read and accept the Legal Notice and the Privacy Policy” and clicking on the button that says “Send”, “Send CV”, “Subscribe” or the like, you are unequivocally providing your express consent to having your personal data processed in accordance with the aforementioned purposes and are stating you have read, understood and expressly accepted this Legal Notice and Privacy Policy

You make revoke the consent you have provided, without this affecting the lawfulness of any processing conducted up to that point.

COMMUNICATION AND USE OF DATA

Your personal data may be sent to any of the companies comprising AUREN for internal administrative purposes. Your personal data will not be disclosed to any third parties without your consent, except in those cases where there is a legal obligation to report the data to the corresponding authorities.

However, in order to be able to manage the service or functionality requested, AUREN may receive the collaboration of third-party service providers who would access your data, processing it in the name and on behalf of AUREN. In such cases, AUREN undertakes to sign the corresponding data processing outsourcing agreement with such service providers and request the appropriate technical and organisational measures in order to ensure the security of the processing of your data.

PERSONAL DATA STORAGE PERIOD

In general, we will only store your personal data for the time needed to comply with the purpose for which it was gathered, bearing in mind the lawful basis of its processing. In particular:

We will store any personal data provided through our “Contact” form while this is needed in order to respond to your information request.

Any personal data provided through our “Work with us” form will be stored for 12 months.

Any personal data provided when registering for courses and events will be kept for a period of 3 years from the last registration for any of them.

Any data provided through the form for subscribing to the AUREN Blog will be kept until the data subject expresses their wish to unsubscribe from the Blog.

RIGHTS OF THE DATA SUBJECTS IN RELATION TO THEIR PERSONAL DATA

You are entitled to access your personal data, to know what data is being processed and what processing operations are being performed.

You are also entitled to request the rectification of your data should you consider it is not accurate.
Likewise, you may request the removal of your data, in those situations in which it is no longer relevant or necessary for the purposes for which it was gathered.

You may oppose the processing of your data where plausible and appropriate, given your personal circumstances. In such case, AUREN will cease to process the data, notwithstanding any legitimate grounds such as complying with legal obligations or defending against potential claims.

Under certain circumstances, clients or data subjects may request the limitation of the processing, so that AUREN will only store and use such data in those cases authorised by the law.

You may request the portability of your data. The right to portability consists of the right to receive the data we are processing also in an electronic format that is organised, legible and mechanised, either for its direct disclose to other controllers or so that you yourself may receive such data, to store it on the devices you consider appropriate, with no need to disclose it to any other controllers.

Data subjects may exercise their rights, at any time and free of charge, by sending an email to dpd@auren.es, attaching a photocopy of their national identity document or any other document proving their identity, indicating the right they wish to exercise.

You are entitled to file a claim related to the processing of your personal data with the Spanish Data Protection Agency (Agencia Española de Protección de Datos) (www.aepd.es) should you believe we have committed an infringement of the applicable regulations on matters of data protection in respect of the processing of your personal information. However, AUREN provides you with a direct channel through the Data Protection Officer, whom you may contact should you believe that the processing we carry out of your data is not appropriate or to deal with any other consultation related to the processing of your data, by writing to dpd@auren.es.

CONDITIONS OF USE

In compliance with Law 34/2002, on Services of the Information Society and Electronic Commerce, AUREN hereby informs any users of the webpage http://www.auren.com/ that accessing, browsing or using it implies the express acceptance of all the terms included in these Conditions of Use and their fulfilment will be required of any person accessing, browsing or using such webpage.

Minors may not make use of the functionalities and services available on this Webpage without the prior authorisation of their parents, guardians or legal representatives, who will be exclusively subject to any type of liability that might arise from the activity of such minors through this Webpage, including filling in any forms with their personal data and requests for registrations.

This webpage contains general information and may not under any circumstances be seen as constituting legal or any other advice.

AUREN makes this Webpage available to the general public on the condition that any liability for any damage or loss of any type that might arise from the use of the same or the use of its content as a basis for taking any decisions or for executing any decisions is excluded to the extent allowed by law.

DETAILS

https://www.auren.com/ (hereinafter, the Webpage):

Company Name: AUREN INTERNACIONAL, SERVICIOS PROFESIONALES AVANZADOS, S.L.

Spanish Tax ID Code Number: B64250970

Registered Office: Calle Mallorca 260, ático, 08008 Barcelona (SPAIN)

Email: dpd@aurenadmin

Recorded in the Commercial Registry of Barcelona on 16 January 2007, volume 39.182, folio 104, page B-340.916, entry 1.

PURPOSE AND SCOPE OF APPLICATION

The purpose of these Conditions of Use is to regulate the access, browsing and use of the Webpage by the User, notwithstanding the right that AUREN reserves to change them.

The access, browsing and use of the contents of the Webpage by the User following the entry into force of any changed Conditions implies their acceptance.

For interpretation purposes, we understand that a person becomes a User of the Webpage when they access, browse and/or use the contents of the Webpage and accept the Conditions of Use and Privacy Policy established.

LIABILITIES

Auren is not liable for:

1. The improper functioning and/or errors of the Webpage, if this is due to maintenance work, incidents, the faulty functioning of the terminal or its insufficient capacity for supporting the essential systems for making use of the service.
2. Any virus and/or other corrupting components on the Webpage or the server providing it.
3. Any damage that the User might be caused in the event it is impossible to provide the service due to a case of unforeseen circumstances, force majeure or any other reasons not attributable to AUREN.
4. Any damage caused to themselves or any third party by any person breaching the Conditions of Use that AUREN establishes on the Webpage or by breaching the Webpage security systems.
5. The information published on the Webpage, when this information has been manipulated or uploaded by a third party.

Auren states that it has taken all the necessary measures, to the extent of its capacities and the state of the art, to guarantee the functioning of the Webpage and reduce any errors in the system to a minimum, both from a technical and a legal and organisational perspective.

Auren will take any appropriate measures to ensure a swift response, without being liable for any delays that might be due to telecommunications services.

Furthermore, AUREN is not liable for any information stored in blogs, comments, social networks or any other means allowing third parties to publish information on its Web.

RULES FOR ACCESSING AND USING THE CONTENTS

In particular, and without this being a closed list, the following are prohibited:

1. Obtaining the contents provided on the Webpage through unlawful or fraudulent means, theft or plagiarism.
2. Using any of the services and contents that AUREN provides for unlawful purposes.
3. Performing any activity that might harm, overload, impair or prevent the normal activity of the Webpage or the computer of a third party.
4. Using the Webpage to transmit, instal or publish any virus, malware or any other harmful programs or files.
5. Accessing any section of the Webpage, other systems or connected networks, any server of AUREN or any of the services offered through the Webpage without authorisation, through piracy or falsification, password theft or any other unlawful means.

Should the User cause any damage to third parties due to making use of any service or content provided through the Webpage, this will expressly release AUREN from any liability that might be attributed to it. To this end, the User will assume sole responsibility for any liability that might arise.

AUREN reserves the right to bring the appropriate legal actions in the event of the breach of any of the foregoing obligations by the User.

LINKS TO OTHER WEBPAGES

AUREN does not control the contents or Conditions of Use or Privacy Policy of any webpages of third parties.

Furthermore, AUREN will not be liable for the availability of such Webpages and does not subscribe to any type of advertising, products or services offered on them.

The User accepts that AUREN will not be liable for any damage or loss that the User might incur as a result of the availability of the said Webpages.

In addition, any Users wishing to include links to the Webpage of AUREN from their own webpage will be obliged to meet the following conditions:

1. They must obtain prior authorisation from AUREN.
2. The link will only link to the Webpage through its Internet address.
3. No type of false or inaccurate statement about AUREN on the webpage providing the link.
4. The webpage providing the link must observe current laws and may not provide a link to any contents that are unlawful, harmful, immoral or contrary to standard practices.

In any case, AUREN reserves the right to prohibit or disable any hyperlink to this Webpage at any time.

INDUSTRIAL AND INTELLECTUAL PROPERTY

AUREN holds or has the corresponding licences to the Industrial and Intellectual Property rights of the elements comprising the design of the Webpage, such as trademarks, commercial names or distinctive signs. In particular, they are protected by copyright, logos, colour combinations, the choice and form of presentation, the source code of the Webpage, the menus, the navigation buttons, the HTML code, the texts, photographs, graphics and any other content of the Webpage relating to the services, contents and/or tools provided by AUREN.

Under no circumstances will it be understood that any accessing, browsing or use of the Webpage by the User implies a waiver, transfer or assignment in full or in part of such rights by AUREN.

Users may view, print and copy the contents of this Webpage for their own private use, although its use is not allowed for commercial purposes, and nor is the exercise of any rights to the exploitation, reproduction, distribution, public communication, provision or transformation of all or part of the contents included on the Webpage, without the prior express written consent of AUREN.

SUSPENSION OF THE WEBPAGE

AUREN reserves the right to suspend, amend, restrict or interrupt, whether temporarily or permanently, the access to, browsing or use of, storing and/or downloading of the content and/or use of the services of the Webpage, with or without prior notification, without the User being able to demand any compensation on these grounds.

APPLICABLE LAW AND JURISDICTION

These Conditions of Use are governed by the applicable Spanish regulations in force.

The resolution of any disputes or issues related to this Webpage will be subject to the laws of Spain, to which the parties expressly submit themselves, with the Courts and Tribunals of Madrid and, where applicable, the consumer Courts of Arbitration having jurisdiction for resolving any disputes that might arise as a result of the content of these provisions.

INFORMATION SECURITY POLICY

INTRODUCTION

AUREN depends on Information and Communication Technology (ICT) systems for meeting its objectives. These systems must be administered diligently, with suitable measures being taken to protect them against any damage that might affect the availability, integrity and confidentiality of the information processed or the services provided, especially any classified as essential.

The information security objective is to guarantee the quality of the information and the ongoing provision of the services, acting preventively, supervising the day-to-day activities and reacting to any incidents swiftly.

The ICT systems must be protected against any rapidly developing threats that might affect the confidentiality, integrity, availability, foreseen use and value of the information and services. In order to defend against these threats, a strategy is required that can be adapted to any changes in the conditions of the environment in order to ensure the ongoing provision of the services. This means that the minimum security measures required by the Spanish National Security System (Esquema Nacional de Seguridad) (ENS) must be applied, service provision levels must be continually monitored, any vulnerabilities reported must be monitored and analysed and an effective response to any incidents must be prepared in order to guarantee the continuity of the services provided.

Auren considers ICT security to be an integral part of each stage of the life cycle of the system, from its concept to its withdrawal from service, including development and acquisition decisions and exploitation activities. Any security requirements and financing needs must be identified and included in the planning, requests for proposals and the tender terms and conditions for any ICT projects.

The corresponding departments must be prepared in order to prevent, detect, react to and recover from any incidents, pursuant to Article 7 of the ENS.

PREVENTION

The corresponding departments must prevent, at least to the extent possible, any information or services from being harmed by security incidents. To do so, they must implement the minimum security measures established by the ENS and ordered by the IT department, as well as any additional control measure identified through a risk and threat assessment. These controls, and the security roles and responsibilities of the entire staff, must be clearly defined and documented.

In order to ensure this policy is implemented, the corresponding departments must:

• Authorise the systems before they enter into operation.
• Assess the security regularly, including any evaluations of changes in configuration.
• Request a periodic review by their parties in order to obtain an independent evaluation.

DETECTION

Given that the services may deteriorate quickly due to incidents, the services must monitor their operations continually in order to detect any anomalies in the service provision levels and act accordingly pursuant to Article 8 of the ENS.

Monitoring is particularly relevant when lines of defence are established in accordance with Article 9 of the ENS. Detection, analysis and reporting mechanisms will be established which reach those responsible regularly and when there is a significant deviation in the parameters pre-established as normal.

RESPONSE

AUREN must:

• Establish mechanisms for responding effectively to any security incidents.
• Designate a point of contact for any communications regarding incidents detected in other departments or bodies.
• Establish protocols for the exchange of aby information related to the incident.

RECOVERY

In order to guarantee the availability of essential services, ICT system continuity plans must be developed as part of the general business continuity plan and recovery activities.

SCOPE

This policy applies to the ICT systems of AUREN and to all members of the organisation, without exception.

VISION AND MISSION

Our mission is to provide our client with highly specialised professional services with high added value.

In the information age, where security is an essential requirement, our vision is to offer clients the highest quality standards, where the name of AUREN can be associated with cybersecurity, as other firms have already managed to do.

REGULATORY FRAMEWORK

AUREN is subject to the following regulations in the provision of the services provided to its clients:

• Organic Law 3/2018, dated December 5, on the Protection of Personal Data and the guarantee of digital rights.
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), applicable to the fully or partially automated processing of personal data, and to the non-automated processing of any personal data contained or to be included in a file.
• Law on Occupational Risk Prevention 31/1995, dated November 8, and Royal Decree 39/1997, dated 17 January, approving the Prevention Service Regulation.
• The applicable collective agreement corresponding to “Offices and Office Spaces”.
• Law 34/2002, dated 11 July, on Services of the Information Society and Electronic Commerce (Ley de Servicios de la Sociedad de la Información y Comercio Electrónico) (LSSI-CE).
• Royal Decree Law 13/2012, dated 30 March, on cookies.
• Law 59/2003, dated 19 December, on electronic signatures.
• Law 39/2015, dated 1 October, on the Common Administrative Procedure of Public Authorities.
• Royal Decree 1553/2005, dated 23 December, regulating national ID documents and their electronic signature certificates.
• Royal Legislative Decree 1/1996, dated 12 April, approving the consolidated text of the Intellectual Property Law, standardising, clarifying and harmonising the legal provisions in force on this matter.

Any other regulations applicable to the activities inherent in AUREN also form part of the regulatory framework.

The framework of reference providing this document with legal coverage is established in the following sections of Royal Decree 311/2022, dated 3 May, regulating the Spanish National Security System (Esquema Nacional de Seguridad) (ENS):

ENS. Article 13. Organisation and implementation of the security process

All members of the organisation must be committed to security. The security policy, in application of the principle of the differentiation of liabilities referred to in Article 11 and detailed in Section 3.1 of Schedule II, must be known by all those forming part of the organisation and must unequivocally identify those responsible for ensuring its fulfilment.

ENS. Schedule II

Security Measures Organisational Framework [org]

Security policy [org.1]

In order to manage the control and monitoring of any applicable laws, we use the Spanish Official State Gazette (Boletín Oficial del Estado) (BOE) subscription service for matters of “Telecommunications” and “Research and Technology”

APPROVAL AND ENTRY INTO FORCE

Text consolidated and approved on 27 July 2023 by the Security Committee. This Information Security Policy renders effects as from such date and until it is replaced by a new Policy.