In accordance with the obligations established in:
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
• Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD)


  1. Purpose

The business activity of Lar España Real Estate SOCIMI, S.A. and its subsidiaries (hereinafter LAR ESPAÑA) is based on the processing of different types of data and information, which allows it to execute basic business operations. The systems, programs, communications infrastructures, files, databases, archives, etc. are the main asset of LAR ESPAÑA, such that their damage or loss would affect the performance of its operations and could jeopardise the continuity of LAR ESPAÑA.

The Information Security Policy defines and outlines the objectives and responsibilities of the various technical and organisational actions required to ensure information security, always complying with applicable legal regulations and directives, specific policies and defined procedures.

These actions are selected and implemented based on a risk analysis and on the balance between acceptable risk and the cost of the measures.

Those responsible for the group’s information assets (detailed in the Risk Analysis) and the person in charge of Information Security and IT must define the security requirements, and identify and prioritise the importance of the different elements of the activity carried out, so that the most important and/or sensitive processes will receive greater protection.

It is the responsibility of the LAR ESPAÑA Management team (as this term is defined below) and the Area responsible for Information Security to encourage and support the implementation of the necessary technical and organisational measures that will minimise the potential risks the information is exposed to, in order to ensure the strategic objectives of the business are achieved.

The purpose of this Policy is to ensure adequate protection of LAR ESPAÑA’s information through the following security principles:

  • Confidentiality: guarantee that the information is accessible only to those who are authorised.
  • Integrity: guarantee the accuracy and completeness of the information and its processing.
  • Availability: guarantee authorised users’ access to information and its associated assets when they need it.

These basic principles must be preserved and ensured in any of the forms that the information takes –electronic, printed, visual or spoken– and regardless of whether the information is processed in LAR ESPAÑA departments or not.

Similarly, the above principles must be considered in the following security areas:

  • Physical: Includes the security of the departments, installations, hardware systems, supports and any physical asset that processes or may process information.
  • Logical: Includes the protection of electronic communication and computer systems applications, networks and prototypes.
  • Political-corporate: Comprising security aspects related to the entity itself, internal rules, regulations and legal regulations.


  2. Declaration of Intent

The manager or external manager of LAR ESPAÑA, Grupo Lar Inversiones Inmobiliarias, and the directors responsible for the Company’s Information Security (all together, “Management”) are aware of the importance of Information Security for the company to ensure an optimal degree of competitiveness in the current market.

Thus, LAR ESPAÑA has developed this Information Security Policy and the corresponding procedures that guarantee the confidentiality, integrity and availability of the information.

The Management team has tried to define the most appropriate processes LAR ESPAÑA must carry out to improve its Information Security Systems, in the belief that this will result in greater efficiency in its production processes. On this basis, when the specific applications or solutions to the points contained in this document are detailed, this will be done from that perspective, in order to develop as far as possible all solutions that make LAR ESPAÑA’s information more secure.

The final purpose of the comprehensively defined and developed system is to offer our clients the best service, improving our processes and scrupulously respecting their legally established rights.

For all these reasons, the LAR ESPAÑA Management team would like to expressly note its knowledge and approval of the policies contained in this document, ensuring every employee understands it and adopts it as part of their job description.

For all this to be possible, and for the proper development of what is established herein, both at the beginning of the project and in its future maintenance, the necessary resources will be allocated.


  3. Information Security Policy

LAR ESPAÑA bases its activity on the processing of different types of data and information, which allows it to execute basic business operations. The systems, programs, communications infrastructures, files, databases, archives, etc. are the main asset of LAR ESPAÑA, such that their damage or loss would affect the performance of its operations and could jeopardise the continuity of LAR ESPAÑA. This Information Security Policy has been designed to ensure this does not happen; its main purposes are to:

  • Protect information assets (through controls/measures) against threats that may lead to security incidents.
  • Mitigate the effects of security incidents.
  • Establish an information and data classification system to protect critical information assets.
  • Define responsibilities in terms of information security, resulting in the corresponding organisational structure.
  • Develop a set of rules, standards and procedures applicable to management bodies, employees, partners, external service providers, etc.
  • Specify the effects of non-compliance with the Security Policy in the workplace.
  • Evaluate the risks affecting information assets to adopt the appropriate security measures/controls.
  • Verify the operation of security measures/controls through internal security audits carried out by independent auditors.
  • Train users in security management and information and communication technologies.
  • Protect people in the event of natural disasters, fires, floods, terrorist attacks, etc. through emergency plans.
  • Control information and data traffic through communications infrastructures or through the sending of data media (optical, digital, paper, etc.).
  • Monitor legislation on data protection, intellectual property, employment, information society services, criminal law, etc. that affects LAR ESPAÑA’s information assets.
  • Protect LAR ESPAÑA’s intellectual capital, ensuring it is never disclosed or used unlawfully.
  • Obtain evidence to prove any security incidents and to identify their perpetrator.
  • Reduce the possibilities of unavailability through the proper use of LAR ESPAÑA information assets.
  • Defend information assets against internal or external attacks so that they do not become security incidents.
  • Control the operation of security measures by knowing the number of incidents, their nature and effects.
  • Guarantee the security of information systems and take extreme precautions with external connections and access; for example, in the case of remote work, protecting devices with different tools that increase their security, and protecting information access communications through the LAR ESPAÑA VPN connection installed on them.