In order to ensure that all ECIJA's activity is carried out under principles of due diligence, proactivity and commitment to existing good practices, the Management has agreed to implement a Governance, Management and Control System (GGCS) under the requirements of national and international standards. Both the SGGC, as well as this Policy and any other development regulations will be mandatory for all professionals of the firm, including collaborators, partners and any third party operating under the control or supervision of ECIJA in the provision of its services.

• To focus on continuous improvement in all areas and activities of the organisation, promoting, among others, the improvement of environmental performance.
• Define and assign the necessary responsibilities, generating the corresponding organisational structure.
• Identify and respond to any compliance requirements that may exist, with special attention to those linked to the environmental management system, information security, privacy and business continuity.
• Implement an overall operational framework for a structured, conscious and coordinated response to compliance requirements.
• Create and promote a culture of compliance throughout the organisation.
• Integrate the identification and management of compliance risks in all its processes and services.
• Seek the quality of the services provided and the satisfaction of our customers.
• Promote reference frameworks for the establishment and achievement of the objectives of the QMS.
• Commitment to the protection of the environment, including the prevention of pollution, as well as other commitments within which the sustainable use of natural resources is included.
• Safeguarding the security and privacy of information in its dimensions of Confidentiality, Integrity, Availability, Authenticity and Traceability. In this sense, ECIJA pays special attention to the risks that could jeopardise the confidentiality of the information provided by its clients.
• Adopt the necessary measures to ensure that the services provided by ECIJA are not affected or maintained in the event of extreme situations or disasters.
• Firmly prohibit the acceptance or offer of any type of bribery and the commission of offences on behalf of ECIJA or in the context of the activities that personnel carry out for the organisation.
• Require compliance with any legislation that relates to ECIJA's compliance requirements, especially anti-bribery and criminal law.
• Invite any person related to ECIJA to make use of the established means of communication of irregularities or non-compliance.

In order to ensure that the SGGC achieves its objectives, a Legal Compliance Officer has been appointed, who is responsible for ensuring ECIJA's compliance in anti-bribery and corporate crime prevention matters. The main function of this Officer will be the prevention of bribery and the commission of crimes within the scope of the legal services and legal advice provided by ECIJA to its clients, activities susceptible to face this type of situations. This role operates independently and has sufficient authority to perform its function. Additionally, a Coordinator of the CMS has been appointed, whose function is to identify new compliance obligations and exercise his authority to achieve compliance on an interim basis until the appointment of a Compliance Officer, as well as to identify and take action in the event of situations of conflict of interest.

This CMS Policy, as well as all the development regulations created within the scope of the same, must be complied with by all personnel. Failure to comply with the provisions of these documents will lead to various consequences for all parties involved, including the execution of disciplinary proceedings for internal staff or the termination of agreements reached between ECIJA and third parties with which it collaborates. ECIJA has established specific procedures so that all personnel are aware of, understand and comply with the SGGC Policy and all its development regulations.

In addition, mechanisms have been established for all interested parties that allow the communication of any type of concern, notification or complaint regarding the different compliance obligations that affect ECIJA or to which the firm has committed itself. The use of these means shall in no case entail any reprisal or prejudice to those who make notifications in good faith. In the event of risks or situations linked to the commission of crimes or bribery, all ECIJA staff, as well as third parties with whom they have a relationship, shall be obliged to notify these situations as soon as possible.

With regard to the safeguarding of information security, the Heads of Information and Services, Security and Systems have been formally appointed by decision of ECIJA's Management, which will supervise them and decide on any necessary changes of assignment. All of them work in a coordinated manner, both at the level of security preservation and compliance, with communication and coordination between all those responsible for the SGGC. In the day-to-day management of security and privacy, the following Basic Principles and Minimum Requirements are always taken into account and respected throughout the life cycle of the processing and processes:

• Security and privacy as an integral process
• Risk-based security management
• Prevention, detection, response and preservation
• Existence of lines of defence
• Continuous monitoring and periodic reassessment
• Differentiation of responsibilities
• Organisation and implementation of the security and privacy process
• Risk analysis and management
• Staff management
• Professionalism
• Authorisation and access control
• Facility protection
• Procurement of security products and contracting of security services
• Least privilege
• Information system integrity and updating
• Protection of stored and in-transit information
• Prevention of other interconnected information systems
• Logging of activity and detection of malicious code
• Security and privacy incidents
• Business continuity
• Continuous improvement of the security and privacy process
• Security and privacy by design and by default

All documentation, records and documented guidelines of the CMS are managed according to the documented procedures that ECIJA has developed taking into account the national and international standards that apply in each case.