Information security policy
Law Firm: M&C Abogados (Apna Advocats SLP)
Version: 1.0
Approval date: 06/26/2025
Approved by: Diana Caballero Aguirre, CEO and Head of Information Security.
Level of confidentiality: Internal
1. Introduction
Information and the systems that manage it are critical assets for M&C Abogados. The growing dependence on digital technologies, the processing of sensitive data and the need to maintain client confidence require the establishment of a formal security policy. This policy defines the principles, roles, responsibilities and controls necessary to protect information against internal and external threats.
2. Mission and objectives
The mission of this policy is to ensure the confidentiality, integrity, availability, authenticity and traceability of the information handled by the firm. Its main objectives are:
- Comply with current regulations (GDPR, LOPDGDD, LSSI).
- Minimize the risk of data breaches or loss.
- Ensure operational continuity.
- Raise the team’s awareness of their role in information protection.
3. Scope
It applies to all systems, people, devices and processes involved in the processing of information in M&C Abogados. It includes both digital and paper information, regardless of its format or support.
4. Regulatory framework
This policy is based on:
- Regulation (EU) 2016/679 (GDPR).
- Organic Law 3/2018, on data protection and guarantee of digital rights.
- Law 34/2002 (LSSI).
- Principles of ISO/IEC 27001.
5. Classification of information
The firm's information will be classified in three levels:
- Confidential: records, health data, minors, criminal proceedings.
- Internal use: internal communications, human resources, work documents.
- Public: content published on the web and social networks.
6. Security organization
- Security Manager: Diana Caballero Aguirre (CEO).
- Data Protection Officer: Equal Data Protection (external).
- Head of digital channels: Head of digital marketing.
- IT support: external provider, engaged on an ad hoc basis.
All personnel are responsible for complying with this policy and reporting incidents or weaknesses.
7. Risk management
Although a formal audit has not been conducted, the firm is committed to:
- Review risks at least once a year.
- React to incidents that affect security.
- Evaluate technological or regulatory changes.
8. Technical controls and access
- Strong passwords and two-step authentication.
- Encrypted storage in Google Drive and OneDrive.
- Website protection with Wordfence and Limit Login Attempts.
- Controlled remote access and responsible use of personal devices.
9. Incident Management
Incidents shall be reported immediately to the Security Officer. Their impact shall be assessed and the AEPD shall be notified if applicable. All cases shall be documented to prevent future recurrences.
10. Relationship with third parties
Third parties accessing the firm’s data must sign confidentiality agreements and comply with this policy. At the end of the relationship, they must delete all information under auditable safeguards.
11. Training and awareness
The entire team will receive annual basic training in cybersecurity, best practices and data protection. An active security culture will be promoted.
12. Updating and continuous improvement
This policy will be reviewed annually or when relevant changes occur. All modifications will be approved by management and communicated to personnel.
13. Supplementary documentation
This policy will be developed through:
- Internal security standards.
- Secure work procedures.
- Good practice guidelines for employees.
Approved by:
Diana Caballero Aguirre
CEO and Head of Information Security