Information Security and Cybersecurity
Commitment, procedures, standards and permanent channels of the Borgstena Group in matters of information security, cybersecurity and incident management.
Demonstrating Borgstena's commitment to information security, this page brings together the procedures, standards and permanent channels in force in the organisation for the management of information security and cybersecurity incidents.
1. Commitment to information security
Information security is an essential pillar of compliance at the Borgstena Group. The confidentiality, integrity and availability of data, personal or otherwise, are protected by an integrated system of technical and organisational measures, coordinated with the Personal Data Protection System and with the management of the supply chain. This commitment is reflected in the existence of a Permanent Contact Point, the implementation of internal standards and the adoption of unified procedures for incident notification and management.
2. Regulatory framework
Information security at the Borgstena Group is governed by the following regulatory references, applied together:
- Article 32 of Regulation (EU) 2016/679 (GDPR), as regards the security of the processing of personal data;
- Articles 33 and 34 of the GDPR, as regards the notification of personal data breaches to the supervisory authority and communication to the data subject;
- Directive (EU) 2022/2555 (NIS 2), as regards a high common level of cybersecurity across the Union;
- Law No. 41/2004 of 18 August, as regards the security of electronic communications.
The national transposition of Directive (EU) 2022/2555 is set out in [national act to be confirmed and referenced on this page after verification in the official journal].
3. Permanent Security Contact Point
The Borgstena Group provides a Permanent Contact Point for the reporting and management of information security and cybersecurity incidents. This channel is accessible to all workers, suppliers, partners and users wishing to report the occurrence of an incident.
4. Security Officer
The Borgstena Group has designated a Security Officer, responsible for the coordination of the information security system and for the relationship with the Data Protection Officer, with supplier management and with the operational areas. The Security Officer operates in close coordination with the Permanent Contact Point and reports, within the scope of their responsibilities, to the Group's leadership.
5. Applicable standards and procedures
6. Reporting of incidents
Any person may report the occurrence of an information security or cybersecurity incident to the Permanent Contact Point, namely:
- the workers of the Borgstena Group, in fulfilment of their employment duties and of the Data Protection and Privacy at Work Policy;
- suppliers and their employees, in compliance with the Unified Procedure for Incident Notification and Management;
- users of the website and other data subjects, in the exercise of the right to report a personal data breach.
The communication should identify, as far as possible, the nature of the incident, the time of detection, the systems and data involved and any measures already taken. The subsequent management of the incident — analysis, containment, notifications to the competent authorities and, where applicable, communication to data subjects — is ensured by the Permanent Contact Point, in coordination with the Data Protection Officer.
7. Relationship with the Data Protection Platform
This page is cross-connected with:
- the Data Protection Officer page, for coordination with GDPR obligations;
- the Suppliers page, for the management of security in the supply chain;
- the Forms page, for the reporting of incidents.
8. Term and review
This page is subject to periodic review, under the responsibility of the Security Officer and in coordination with the Data Protection Officer, whenever developments in the regulatory framework — namely in cybersecurity matters — or in the Group's practices so warrant.
