The Entity applies the necessary technical and organizational measures to mitigate the risks associated with the protection of personal information and the rights and freedoms of Stakeholders.
The general measures aimed at avoiding risks of alteration, loss, unavailability and unauthorized processing or access to information are described in the CaixaBank Group's Information Security Policy. From a preventive and proactive approach, the measures to be applied in the information systems are defined to protect the information throughout its life cycle. In any case, the application of specific measures will be the result of the analysis and evaluation of the specific risk for each treatment, following the methodology foreseen for the Impact Assessments (PIAs).
In addition, the Entity and the CaixaBank Group companies apply a common procedure for the management of breaches or violations of personal data security in accordance with the CaixaBank Group's Information Security Policy. This procedure includes the registration, management and notification of security breaches of personal data to the AEPD and, when it involves a high risk to rights and freedoms, also to the Data Subject.
In addition, CaixaBank has an internal procedure by virtue of which alleged breaches of confidentiality reported by third parties are analyzed and managed. This management procedure involves the internal audit function, as well as the Data Protection Delegate. Finally, it is the Incidents Committee which, by delegation of the Management Committee, holds the disciplinary authority and, consequently, in the light of the conclusions drawn from the investigation of the specific case, will apply the corresponding disciplinary regime to the Bank's professionals.