Security Measures

1. Obligations of users with access to personal data 

2. Organizational Measures 

  • 2.1 Security policy 
  • 2.2 Roles and responsibilities
  • 2.3 Access control policy 

3. Resource and change management 

4. Personnel Management 

  • 4.1 Duty of confidentiality and security 
  • 4.2 Training and awareness 

5. Incident response and business continuity 

  • 5.1 Incident and data breach management 
  • 5.2 Definition of a business continuity plan 

6. Technical Measures 

  • 6.1 Access control mechanism 
  • 6.1.1 User identification and authentication 
  • 6.2 Access Monitoring 
  • 6.2.1 User activity logging 

7. Data Security 

  • 7.1 Protection against malicious code 
  • 7.2 Pseudonymisation 

8. Communication Security 

  • 8.1 Secure connection 
  • 8.2 Firewall 
  • 8.3 Communication encryption 
  • 8.4 Network segmentation 

9. Backup copies 

  • 9.1 Backup and recovery procedures 
  • 9.2 Offsite backup and recovery procedures 

10. Portable devices 

11. Secure Development 

  • 11.1 Security Requirements for Equipment and Applications 

12. Information disposal: reuse and destruction of media 

13. Physical security measures 

  • 13.1 Designated protected areas 
  • 13.2 Server room with protective features 
  • 13.3 Protection of fixed equipment 
  • 13.4 Storage of media 
  • 13.5 Transport of media 

14. Image capture by cameras for security purposes 

15. Handling the exercise of data subject rights 

16. Verification of security measures 

1. Obligations of users with access to personal data

  • Access only the data necessary to perform their professional duties.
  • Do not destroy or alter data without proper authorization.
  • Do not copy or disclose data to third parties without proper authorization.
  • Report and correct any errors found in the data.
  • Safeguard and do not disclose the assigned username and password. These credentials must not be used outside the company’s premises.
  • Do not transmit personal data over the Internet without prior authorization.
  • In customer service departments, do not disclose personal data without proper authorization. Always verify the identity of the person requesting the data.
  • If documents are printed on paper, access must not be allowed to unauthorized individuals.


2. Organizational Measures


2.1 Security policy

A security policy is in place, composed not only of this document but also the following:

  • Rules for the use of information resources and systems.
  • The procedure for managing security breaches.
  • The contingency plan for processing systems and services.
  • The following documents supporting the implementation of security measures:
    • The confidentiality and security commitment.
    • The password receipt form and the definition of profiles and access permissions.
    • The portable device delivery form, if applicable.

2.2 Roles and responsibilities

A security officer has been appointed, along with resource managers responsible for processing personal information.

2.3 Access control policy

Each user or process accessing the system is assigned a unique identifier, making it possible to determine who receives access rights, what those rights are, who has performed an action, and what the action was.

When a user has multiple roles within the system (e.g., as a citizen, internal employee, or system administrator), each role is assigned a unique identifier to ensure clear separation of privileges and, where applicable, activity logs.

User accounts are linked to a unique identifier and are disabled when the user leaves the organization, ceases the function that required the account, or when instructed otherwise by the authorizing party. Accounts are retained for the necessary period to ensure traceability of associated activity records.

Access rights for each resource are defined based on the decisions of the resource owner and are periodically reviewed to ensure that user permissions are appropriate to their profile.

User access rights are assigned according to the following principles:

  • Least Privilege: limiting access to the minimum strictly necessary.
  • Need-to-Know: limiting access to information required to fulfill responsibilities.
  • Authorization Capacity: only the competent manager may grant, modify, or authorize access.

Specifically, the following functions are segregated: development, configuration and maintenance, and auditing.

3. Resource and change management

An up-to-date inventory is maintained of all assets associated with personal data and resources used for information processing. This inventory includes the nature of each asset and the identification of the person responsible for decisions related to it. The inventory is kept continuously updated.

All updates or changes announced by the manufacturer or provider are analyzed to determine whether they should be implemented.

Before deploying a new version or a patched version into production, testing is carried out on a non-production system to verify that the installation works correctly and does not reduce the effectiveness of essential daily functions.

The testing environment is equivalent to the production environment in the aspects being verified. Changes are planned to minimize the impact on the provision of the affected services.

A list of applications that must be kept up to date is maintained, along with a procedure and alerts for analyzing, prioritizing, and determining when to apply security updates, patches, improvements, and new versions. A log is kept of all installed updates and patches.

4. Personnel Management

4.1 Duty of confidentiality and security

All personnel with access to personal data are fully aware of their obligations regarding information security. They sign a confidentiality and data protection agreement, which explicitly sets out their responsibilities in this regard.

4.2 Training and awareness

Regular actions are taken to raise staff awareness of their role and responsibility in achieving the required level of system security.

Staff are periodically trained in areas necessary for the performance of their duties, particularly in matters related to system configuration, incident detection and response, and the handling, transfer, copying, distribution, and destruction of media containing personal data.

5. Incident response and business continuity

5.1 Incident and data breach management

In the event of a security breach, the controller must assess whether it involves the accidental or unlawful destruction, loss, or alteration of personal data that is transmitted, stored, or otherwise processed, or the unauthorized disclosure of or access to such data.

All employees are required to report to the data controller any security breaches that affect personal data so that the controller can notify the Spanish Data Protection Authority (Agencia Española de Protección de Datos) and, where applicable, the data subjects, in accordance with the terms outlined in the section Guidelines for Security Breach Management of this document.

In addition to breach notification, the controller has implemented the necessary mechanisms for logging, documenting, and managing incidents.

5.2 Definition of a business continuity plan

In the event of an incident that could lead to the accidental or unlawful destruction, loss, or alteration of personal data affecting systems or processes of higher criticality, a continuity or contingency plan has been defined. This plan ensures the recovery of normal operations within a reasonable timeframe in order to guarantee business continuity.

6. Technical Measures

6.1 Access control mechanism

Access to any system resource for performing a specific action is established through identification and authentication.

System resources are protected by mechanisms that prevent their use unless appropriate access rights are granted. Access rights for each resource are defined by the individual responsible for the resource, in accordance with the system’s security policy and regulations.

Credentials or passwords are activated only once they are under the effective and exclusive control of the user, after the user has acknowledged receipt and accepted the obligations of diligent custody, confidentiality protection, and prompt reporting in case of loss.

Passwords are changed at the interval set out in the minimum requirements below and are withdrawn and disabled when the user, device, or process ends its relationship with the system.

The number of permitted login attempts is limited. Access is blocked after three consecutive failed attempts. Minimum password requirements include:

  • At least eight characters in length.
  • A combination of alphabetic and numeric characters.
  • Passwords must be changed at least every six months and cannot repeat any of the last three passwords used.
  • Passwords must not be written down or stored in any place that makes them visible.

When an employee leaves or changes role, the passwords of all shared accounts, devices, services, and systems that employee had access to are changed.

The administrator account is managed by the security officer, and its password is changed each time it must, for technical reasons, be disclosed to another member of the technical team.
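The rules above (minimum length, a mix of letters and digits, no reuse of the last three passwords, lockout after three consecutive failures) are mechanical enough to be enforced in code. The following is an added example written for this page, not the organization's own software; it stores only salted PBKDF2 hashes, so the reuse check works by hashing the candidate password under the account's salt and comparing it against the retained hashes. The class and field names are illustrative.

```python
"""Password policy and lockout checks for section 6.1 (added example, not the
organization's own code). Enforces: at least 8 characters, alphabetic and
numeric characters, no reuse of the last three passwords, lockout after three
consecutive failed logins. Only salted hashes are kept, never plaintext."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

MIN_LENGTH = 8
HISTORY_DEPTH = 3        # current password plus the two before it
MAX_FAILED_ATTEMPTS = 3  # lockout threshold from section 6.1


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_policy(password: str) -> list:
    """Return the list of policy violations (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


@dataclass
class Account:
    username: str
    # One salt per account so that old and new hashes are directly comparable
    # for the reuse check; the salt still differs between accounts.
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: Optional[bytes] = None
    history: list = field(default_factory=list)  # previous hashes, newest first
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, new_password: str) -> list:
        """Apply the policy; return violations, or [] if the change was made."""
        problems = check_policy(new_password)
        candidate = _hash(new_password, self.salt)
        previous = ([self.current] if self.current else []) + self.history
        if any(hmac.compare_digest(candidate, h) for h in previous[:HISTORY_DEPTH]):
            problems.append(f"repeats one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        if self.current:
            self.history.insert(0, self.current)
            del self.history[HISTORY_DEPTH - 1:]  # keep current + 2 = 3 in total
        self.current = candidate
        return []

    def login(self, password: str) -> bool:
        """Constant-time comparison; three consecutive failures lock the account."""
        if self.locked or self.current is None:
            return False
        if hmac.compare_digest(_hash(password, self.salt), self.current):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    acct = Account("jdoe")
    print(acct.set_password("Winter2024"))   # [] -> accepted
    print(acct.set_password("Winter2024"))   # reuse rejected
    for _ in range(3):
        acct.login("wrong-guess-1")
    print("locked:", acct.locked)            # True
```

Note that the lockout here is permanent until an administrator clears it; a production implementation would add the unlock procedure and log every failed attempt, as section 6.2.1 requires.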

6.2 Access Monitoring

6.2.1 User activity logging

User activities within the system are logged, recording who performs the activity, when it is performed, and on what data or resource. Both successful and failed access attempts are logged.

Activity logs also include the actions of system operators and administrators, particularly in relation to system configuration and maintenance.
Activity records are regularly reviewed for abnormal patterns.
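The review of activity records for abnormal patterns can be partly automated. Below is an added example, not the organization's own tooling, that parses a small set of constructed audit lines (the line format is an assumption) and flags the patterns a reviewer would start with: a run of failed logins reaching the lockout threshold of section 6.1, a successful login immediately after such a run, successful data access outside an assumed working window, and configuration changes by administrators.

```python
"""Review of user activity records for abnormal patterns (section 6.2.1).
Added example with constructed log lines; each line records who, when, what
action, on which resource, and whether the access succeeded or failed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records; the format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=jdoe action=login result=success resource=-
2024-03-04T08:05:43Z user=jdoe action=read result=success resource=hr/payroll.xlsx
2024-03-04T23:41:02Z user=mruiz action=login result=failure resource=-
2024-03-04T23:41:20Z user=mruiz action=login result=failure resource=-
2024-03-04T23:41:55Z user=mruiz action=login result=failure resource=-
2024-03-04T23:42:30Z user=mruiz action=login result=success resource=-
2024-03-04T23:45:00Z user=mruiz action=export result=success resource=hr/payroll.xlsx
2024-03-05T10:15:00Z user=admin action=config_change result=success resource=auth/password_policy
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>success|failure) resource=(?P<resource>\S+)$"
)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC, an assumed working window
FAILURE_THRESHOLD = 3          # lockout threshold from section 6.1


def parse(log_text: str) -> list:
    """Parse lines into dicts; refuse silently-unparseable records."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def review(events: list) -> dict:
    """Return findings keyed by pattern name, in log order."""
    findings = defaultdict(list)
    streak = defaultdict(int)  # consecutive login failures per user
    for ev in events:
        user, action = ev["user"], ev["action"]
        if action == "login":
            if ev["result"] == "failure":
                streak[user] += 1
                if streak[user] == FAILURE_THRESHOLD:
                    findings["repeated_login_failures"].append(user)
            else:
                # A success right after a failure run may be a guessed password.
                if streak[user] >= FAILURE_THRESHOLD:
                    findings["success_after_failures"].append(user)
                streak[user] = 0
        elif ev["result"] == "success" and ev["ts"].hour not in BUSINESS_HOURS:
            findings["out_of_hours_access"].append(f"{user}:{action}:{ev['resource']}")
        if action == "config_change":
            findings["admin_config_change"].append(f"{user}:{ev['resource']}")
    return dict(findings)


if __name__ == "__main__":
    for pattern, hits in review(parse(SAMPLE_LOG)).items():
        print(f"{pattern}: {hits}")
```

Each finding carries the user, action and resource so that the reviewer can go back to the full record; the example does not decide whether the activity was legitimate, it only selects what to look at first.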

7. Data Security

7.1 Protection against malicious code

Mechanisms are in place for the prevention and response to malicious code. Malicious code includes viruses, worms, trojans, spyware, and, in general, all forms of malware.

These mechanisms are maintained in accordance with the manufacturer’s recommendations and implemented through a comprehensive security suite that includes antivirus, antispam (to block unsolicited emails), anti-phishing (to block fraudulent messages and websites that attempt to harvest credentials), and, where possible, anti-ransomware (which protects against system lockouts or data encryption followed by ransom demands).

Free antivirus software is never used, and no two antivirus programs are installed simultaneously. All antivirus solutions must be properly installed, kept up to date, and have all essential modules activated.

7.2 Pseudonymisation

Measures are in place to pseudonymise special categories of personal data so that such data can no longer be attributed to a specific data subject without the use of additional information, which is kept separately.
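The separation this section requires (pseudonymised records on one side, the "additional information" needed to re-attribute them on the other) can be illustrated with a keyed hash. The following is an added example, not the organization's own code: direct identifiers are replaced by an HMAC-SHA256 pseudonym, and the key together with the re-identification table are the material that must be stored separately. The sample records, field names and the 16-hex-character truncation are assumptions for the example.

```python
"""Pseudonymisation of records with keyed hashing (section 7.2). Added example,
not the organization's own code. The key and the re-identification table are
the 'additional information' kept separately from the pseudonymised data."""
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("national_id", "name")

# Constructed sample records containing a special category (health data).
SAMPLE_RECORDS = [
    {"national_id": "12345678A", "name": "Ana Pérez", "diagnosis": "asthma"},
    {"national_id": "87654321B", "name": "Luis Gómez", "diagnosis": "diabetes"},
    {"national_id": "12345678A", "name": "Ana Pérez", "diagnosis": "allergy"},
]


def make_pseudonym(key: bytes, national_id: str) -> str:
    # Keyed, not a plain hash: the identifier space is small enough that an
    # unkeyed SHA-256 table over all possible IDs would re-identify everyone.
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, key: bytes) -> tuple:
    """Return (pseudonymised records, re-identification table)."""
    lookup = {}
    out = []
    for rec in records:
        pseudo = make_pseudonym(key, rec["national_id"])
        lookup[pseudo] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out.append({"subject": pseudo,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(pseudonymised: list, lookup: dict) -> list:
    """Reverse the process; only possible with the separately stored table."""
    return [{**lookup[rec["subject"]],
             **{k: v for k, v in rec.items() if k != "subject"}}
            for rec in pseudonymised]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would live in a separate key store
    data, table = pseudonymise(SAMPLE_RECORDS, key)
    for row in data:
        print(row)  # diagnosis is still usable for analysis, identity is not
    print(reidentify(data, table) == SAMPLE_RECORDS)  # True
```

Because the same subject always maps to the same pseudonym, records remain linkable for analysis; whoever holds the pseudonymised set but neither the key nor the table cannot attribute them. Rotating the key produces a fresh, unlinkable set of pseudonyms, which is the intended effect when the old ones must be retired.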

8. Communication Security

8.1 Secure connection

The router is configured as follows:

  • The access password for the configuration interface is changed.
  • Connection control is maintained.
  • Only essential ports are left open; all others are closed.

The default settings for wireless interconnection technology (Wi-Fi) are modified by activating encryption on routers and access points. WPA2 or, where supported, WPA3 is selected (the original WPA and WEP are obsolete and are not used), and strong access passwords are established.

8.2 Firewall

A firewall (a protection system that prevents unauthorized connections, generally implemented on the router or an equivalent device) is installed. The default configuration is replaced with a more restrictive one, and the firewall is kept active at all times.

8.3 Communication encryption

When transmitting special categories of personal data to third parties (e.g., health data), the data is encrypted to prevent unauthorized access.

8.4 Network segmentation

Access to information is restricted, and the spread of security incidents is limited to the environment in which they occur. The network is segmented in such a way that:

  • There is user entry control for each network segment.
  • There is control over the data that leaves each segment.

Networks may be segmented using physical or logical devices. The interconnection point between segments is specifically secured, maintained, and monitored.

9. Backup copies

9.1 Backup and recovery procedures

Backup copies are performed on at least a weekly basis to allow the recovery of data that may be lost accidentally or intentionally. The proper execution of backups and the possibility of data recovery are periodically verified. Media used for backups are properly labeled, and a record is kept of the media on which backups have been performed.

Backup copies are afforded the same level of protection as the original data in terms of integrity, confidentiality, authenticity, and traceability.
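"The possibility of data recovery is periodically verified" means more than checking that the backup job exited successfully: a restore has to be attempted and the restored files compared with what was backed up. The following is an added example, not the organization's own tooling, that archives a directory together with a SHA-256 manifest, restores the archive into a scratch directory and reports every missing, altered or unexpected file. The sample files are constructed inside the example.

```python
"""Backup integrity and restore test for section 9.1. Added example, not the
organization's own tooling: a tar backup with a SHA-256 manifest, restored into
a scratch directory and checked file by file."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` and return a manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    # The manifest is the record of what the backup contains (section 9.1).
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory; return the list of problems found."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # rejects path traversal
            except TypeError:  # Python without the 'filter' argument
                tar.extractall(dest)
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.exists():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
        present = {p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file()}
        problems.extend(f"not in manifest: {rel}" for rel in sorted(present - set(manifest)))
    return problems


def run_demo() -> dict:
    """Constructed sample: two files backed up and restored, then a tampered manifest."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("hello")
        (src / "sub" / "b.bin").write_bytes(b"\x00\x01")
        archive = Path(d) / "weekly.tar.gz"
        manifest = create_backup(src, archive)
        tampered = dict(manifest, **{"a.txt": "0" * 64, "missing.txt": "1" * 64})
        return {"manifest": manifest,
                "clean": verify_restore(archive, manifest),
                "tampered": sorted(verify_restore(archive, tampered))}


if __name__ == "__main__":
    result = run_demo()
    print("clean restore problems:", result["clean"])        # []
    print("tampered manifest problems:", result["tampered"])  # two findings
```

The manifest should be stored with the backup record rather than only next to the archive, so that a damaged or substituted medium is detected when the copy is tested; the same check, run against a restore on the offsite copy of section 9.2, covers both locations.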

9.2 Offsite backup and recovery procedures

Backups are stored in an independent storage system separate from the server where the original data resides, located outside the organization’s premises.

10. Portable devices

Corporate mobile devices that may leave the organization’s premises are subject to the following specific protection measures:

  • A procedure is in place for the request and assignment of corporate mobile devices. This procedure defines what may be stored on such devices and where work-related information should be saved within the device’s directory structure.
  • Access control is implemented through authentication and password protection, with periodic password changes. Devices must not contain remote access credentials that could enable access to other systems within the organization.
  • Users are informed about proper care and usage of mobile devices in public areas, meeting rooms, and other unsecured environments. A communication channel is available to report any loss or theft to the incident management service.
  • When connecting through networks outside the organization’s control, prior authorization is required from the information and service managers. Access to information and services is limited to the minimum strictly necessary.
  • Special categories of data or information about vulnerable individuals stored on the device must be protected through encryption.

Privately-owned mobile devices that may be taken outside the organization are subject to the following specific protection measures:

  • A procedure is in place informing users of the obligation to separate private and business use, including the use of software to enable such separation, a waiver of ownership over business data, and the cleansing of business data at the end of the professional relationship.
  • Devices must be configured to lock automatically after a period of inactivity and to implement access control for connecting to the corporate network (e.g., password authentication, two-factor authentication, VPN access).


11. Secure Development

11.1 Security Requirements for Equipment and Applications

Manufacturer specifications are followed for the installation and maintenance of systems, and defect advisories are continuously monitored.

Before going into operation, systems are configured as follows:

  • Default accounts and passwords are removed.
  • The “minimum functionality” rule is applied, meaning only the functions strictly necessary for the intended purpose are enabled; operational, administrative, or auditing functions that are not required are not installed.
  • Folders are organized according to the information classification policy so that staff store documentation in the appropriate locations. Access permissions are granted according to the employee’s profile.
  • Unnecessary, irrelevant, or inadequate functions are eliminated or deactivated through configuration control.
  • The “security by default” principle is applied: users are protected by default. To reduce the level of security, the user must take deliberate action. The natural use of the system is a secure one.

An up-to-date register of authorized software licenses is maintained, along with a repository containing all authorized software and corresponding installation credentials. No programs are installed beyond those necessary or related to the services provided. Software is always installed from trusted sources, avoiding downloads from general-purpose repositories.


12. Information disposal: reuse and destruction of media

If a storage medium is to be reused, any previously stored information must be rendered unrecoverable by secure erasure (overwriting the whole medium or, for encrypted media, destroying the encryption key); a standard format only removes the file system index and leaves the data recoverable. Media that are not intended for reuse must be securely destroyed, either by incineration or shredding.

If a destruction service is used, it must offer certified destruction to ensure the secure disposal of media containing special categories of personal data.

13. Physical security measures

13.1 Designated protected areas

Critical information systems and their components are installed in dedicated areas specifically designed for their function. Access to these areas is strictly controlled, allowing entry only through designated and monitored access points. All individuals entering are identified, and their entries and exits are logged.

13.2 Server room with protective features

The server room is equipped with appropriate systems to ensure the proper functioning of the installed equipment, particularly in terms of temperature and humidity control and cable protection. It also includes necessary power supplies and outlets to ensure a stable electricity supply and the proper functioning of emergency lighting. Fire extinguishers are installed and maintained in perfect working condition for fire protection.

Alternative facilities with equivalent security guarantees are available to maintain operations in the event that the primary facilities become unavailable.

13.3 Protection of fixed equipment

Equipment is positioned to minimize unnecessary access to work areas and to reduce the risk of unauthorized persons viewing information during use.

Desktop computers are configured to lock after a period of inactivity, requiring user re-authentication to resume activity.

Workstations must be kept clear of any documents or media not strictly necessary for the current task. Such items must be stored in a secure, locked location when not in use.

13.4 Storage of media

Cabinets and filing systems equipped with locks and keys are provided for the proper storage of documents and media, ensuring their protection and controlled access.

13.5 Transport of media

All incoming and outgoing media containing personal data are logged. During transport, media must be protected against unauthorized access, misuse, or damage.

A reliable courier or transport service must be used, and the packaging must adequately protect the contents from any physical harm during transit.


14. Image capture by cameras for security purposes

In the case of video surveillance systems:

  • CAMERA PLACEMENT: Cameras are positioned so as to avoid capturing images in areas designated for employee rest or relaxation.
  • MONITOR PLACEMENT: The monitors used to view camera footage are located in restricted-access areas, ensuring they are not accessible to unauthorized third parties.
  • IMAGE RETENTION: Images are stored for a maximum period of one month, except in cases where the images must be submitted to courts or law enforcement authorities.
  • INFORMATION DUTY: The presence of cameras and image recording must be communicated through a visible notice containing both a pictogram and text specifying the data controller to whom data subjects may exercise their right of access. The required information may be included directly within the pictogram.
  • EMPLOYEE MONITORING: When cameras are used for employee monitoring purposes under Article 20.3 of the Spanish Workers’ Statute, employees or their representatives must be informed of the monitoring measures implemented by the employer, with explicit mention of the purpose of using the recorded images for labor control.
  • RIGHT OF ACCESS TO IMAGES: In order to exercise their right of access, data subjects must specify the date and time to which their request refers. Direct access to images that contain other individuals will not be granted. If it is not possible to show the images without displaying third parties, a written confirmation or denial will be provided indicating whether images of the data subject exist.


15. Handling the exercise of data subject rights

The data controller shall inform all employees of the procedure for handling data subject rights, clearly defining the mechanisms through which such rights may be exercised (e.g., electronic means, contact with the Data Protection Officer if applicable, postal address, etc.), and taking into account the following:

Upon presentation of their national identity document or passport, data subjects may exercise their rights of access, rectification, erasure, objection, portability, and restriction of processing. The exercise of these rights is free of charge.

  • The data controller must respond to data subjects without undue delay and in a concise, transparent, intelligible manner, using clear and plain language. Proof of compliance with the obligation to respond to such requests must be retained.
  • If the request is submitted electronically, the response must be provided through the same channel where feasible, unless the data subject requests otherwise.
  • Requests must be answered within one month of receipt. This period may be extended by an additional two months if necessary due to the complexity or number of requests. In such cases, the data subject must be informed of the extension within one month of the request’s receipt, along with the reasons for the delay.

16. Verification of security measures

A risk analysis regarding security measures is conducted on an annual basis.