The Directorate of chm/Padels, aware of the commitment it undertakes with its clients and with society, has established within its organization a Management System based on the UNE-EN-ISO 9001, UNE-EN-ISO 14001, UNE-EN-ISO 50001, and ISO 45001 Standards, aimed at achieving the following objectives:
- Ensure compliance with our clients' requirements, guaranteeing their satisfaction.
- Comply with applicable legal and regulatory requirements, as well as other requirements we voluntarily subscribe to, always taking stakeholders into account.
- Achieve continuous improvement of the Integrated Management System through the effectiveness of all our processes, management, and performance at all levels, and drive this improvement by establishing and reviewing management objectives.
- To provide services and products whose quality/price ratio meets our customers' requirements and expectations.
- Establish permanent training programs, which will allow for personnel with a high level of qualification to perform the activities included in the Management System, prioritizing their motivation and participation.
- Collaborate with our clients and suppliers to improve the efficiency of our activities and the achievement of our objectives.
- Engage, motivate, and commit staff to foster their participation in management, and the contribution of ideas and suggestions for improvement.
- Make an effort for the more efficient use of natural resources and raw materials it relies on, taking into account the life cycle perspective. Likewise, it will support design activities and the acquisition of energy-efficient products and/or services that impact the system's energy performance.
- Establish process monitoring to improve energy performance, aiming to minimize energy consumption and greenhouse gas emissions.
- Promote the research, development, and use of environmentally friendly products that are committed to energy efficiency.
- Protecting the environment, as well as adhering to the principle of pollution prevention in all phases of its activity, incorporating environmental criteria within its scope of action.
- chm/Padels commits to providing safe and healthy working conditions, safeguarding safety and health, as well as preventing damage and deterioration of health. To this end, the first preventive action will be to avoid risks and combat them at their source, striving to replace the dangerous with what entails little or no risk and adapting the workstation to the person whenever possible. To this end, the evolution of technology will be taken into account, and due instructions will be given to workers. Furthermore, when technically and reasonably feasible, priority will be given to adopting measures that place collective protection above individual protection.
- Everyone who has personnel under their charge is responsible for their safety and health, and therefore must know and enforce all prevention rules that affect the work they perform. Likewise, each worker has the obligation to comply with the prevention measures adopted.
- Ensure consultation and participation of workers, and when they exist, worker representatives.
- chm maintains a strong commitment to research and development, as well as technological innovation as a differentiating element from its competition. To achieve this, it fosters the creativity of its staff, analyzing and valuing different proposals, and creating a common spirit that motivates its employees, suppliers, and clients to carry out R&D&I-related activities.
The management will establish, within the General Policy of chm/Padels, the plans and resources necessary to achieve the objectives established in the Management Policy.
Chief Executive Officer chm/Padels
22/07/2024
The Directorate of CHM, aware of the commitment it makes to its clients and society, has established a Management System within its organization based on the UNE-EN 27001-2023 Standard, which establishes the commitment to provide and maintain the highest levels of service quality, generating the maximum possible information security guarantees.
The purpose is to be an organization oriented towards process management and risk analysis, to ensure their control and improvement, the integration of our personnel in their development, and compliance with the commitment to quality and information security, in order to seek the maximum satisfaction of our clients, as well as being a benchmark for sectors and activities:
INFORMATION SECURITY MANAGEMENT SYSTEMS REQUIRED TO PROVIDE CONSTRUCTION SERVICES: Roads, railway works, hydraulic works, airport works, building and urban developments, and special works, in addition to road maintenance services, water treatment, real estate and urban development, production of bituminous mixtures, and building maintenance. ACCORDING TO THE CURRENT DECLARATION OF APPLICABILITY.
All based on the development of people, the sense of belonging to the organization and their personal fulfillment, the best adaptation and optimization of resources, process management and risk analysis, as indispensable elements to achieve Continuous Improvement.
Aware of the need for internationally recognized standardized systems, the organization has aligned its Information Security Management System with the ISO 27001 standard.
Therefore, the Management is committed to leading and maintaining an Information Management System in the organization based on continuous improvement and the following guidelines:
- The serious commitment to understand the needs and expectations of our clients and other interested parties, to achieve their satisfaction, and continuous improvement, by establishing and verifying the achievement of established objectives periodically.
- Commitment to compliance with applicable laws and regulations, as well as contractual requirements.
- Ensuring the security of our own information and that of our clients. Our activity involves processing various types of information to execute our core business processes. Recognizing that information systems, applications, communication infrastructures, files, and databases constitute a significant company asset, management prioritizes the confidentiality, integrity, and availability of information when defining and outlining objectives and responsibilities for various technical and organizational actions, and oversees compliance with the legal framework, specific directives and policies, and defined procedures.
- The commitment to the continuous review of competencies and continuous improvement, in order to guarantee the quality of services and their ability to face the growing challenges posed by our clients.
All of our personnel are committed to improving services, the company's auxiliary processes, and developing responsible information security conduct in their respective roles.
Chief Executive Officer CHM
24/11/2023
The Directorate of CHM Construction and Infrastructure SA, aware of the need for internationally recognized standardized systems, has aligned its Information and Security System with the requirements of ISO/IEC 27001:2022 (ISMS) and of the NATIONAL SECURITY SCHEME (ENS RD 311/2022).
Through this security policy, CHM Construction and Infrastructure SA articulates the continued management of Information Security, in accordance with the following basic principles and requirements:
- Organization and implementation of the security process. The organization relies on ICT systems to achieve its objectives. These systems are managed diligently, taking appropriate measures to protect them from accidental or deliberate damage that could affect the availability, integrity, confidentiality, or traceability of the information processed or the services provided. The objective of information security is to ensure the quality of information and the continuous provision of services, by acting proactively, monitoring daily activity, and reacting promptly to incidents. To achieve this, the organization has developed and maintains a security process based on the following elements: Prevention, Detection, Response, and Retention.
- Risk analysis and management. All systems subject to this Policy conduct risk analyses, according to internal procedures, evaluating the threats and risks to which they are exposed. This analysis will be repeated: Regularly, at least once a year. When the information handled changes. When the services provided change. When a serious security incident occurs. When serious vulnerabilities are reported.
- Personnel Management. Mechanisms necessary so that anyone who accesses, or may access, information assets knows their responsibilities, thereby reducing the risk derived from improper use of said assets.
- Professionalism. The Information System's security is attended to and is reviewed and audited by qualified, dedicated, and trained personnel throughout all phases of its lifecycle. The necessary training and experience requirements for personnel to perform their competencies have been determined.
- Authorization and access control. Access control, limiting access to information assets by users, processes, and information systems through the implementation of identification, authentication, and authorization mechanisms appropriate to the criticality of each asset.
- Facility protection. Use of corporate ICT resources, such as email, Internet access, and computer and communication equipment. Management of inventoried, categorized information assets associated with a responsible party.
- Product acquisition. Acquisition, development, and maintenance of information systems, considering information security aspects throughout all phases of the system lifecycle.
- Least privilege. Information systems have been designed and configured granting the minimum necessary privileges for their correct performance.
- Security by default. Physical security, so that information assets will be located in secure areas, protected by physical access controls appropriate to their criticality level. The systems and information assets within these areas will be sufficiently protected against physical or environmental threats.
- System integrity and updates. All systems are maintained to be sound and up-to-date according to established requirements, and managed through change management processes and risk analysis.
- Protection of information stored and in transit. All information is stored appropriately, following established guidelines, throughout all its phases.
- Prevention against other interconnected information systems. The system will protect the perimeter, especially if connected to public networks. In any case, the risks arising from the interconnection of the system, through networks, with other systems will be analyzed, and their connection point will be controlled.
- Activity log. User activities are logged, retaining the necessary information to monitor, analyze, investigate, and document improper or unauthorized activities, allowing for the identification of the person acting at any given time.
- Security incidents. Security Incident Management by implementing appropriate mechanisms for the correct identification, recording, and resolution of security incidents.
- Business continuity. Business continuity management by implementing appropriate mechanisms to ensure the availability of information systems and maintaining the continuity of business processes.
- Continuous improvement of the safety process. The integrated security process implemented is continually updated and improved. To achieve this, criteria and methods recognized in national and international practice related to information technology management are applied.
Therefore, the Management commits to leading and maintaining an Information Security Management System in the organization based on continuous improvement and the following general objectives:
- The serious commitment to understanding the needs and expectations of our clients and stakeholders, in order to achieve their satisfaction, and to continuous improvement, by establishing and verifying compliance with annual objectives and goals.
- Commitment to compliance with applicable laws and regulations, as well as contractual requirements.
- Ensuring the security of our own and our clients' information. Our activity involves the processing of various types of information to execute basic business processes. Knowing that information systems, applications, communication infrastructures, files, and databases constitute important company assets, management prioritizes the confidentiality, integrity, availability, traceability, and authenticity of information when defining and delimiting objectives and responsibilities for various technical and organizational actions, and monitors compliance with the legal framework, specific directives and policies, and defined procedures.
- The commitment to the continuous review of competencies and continuous improvement, in order to guarantee the quality of services and their ability to face the growing challenges posed by our clients.
- Development and general structure of an effective documentation system for Information System management, based on:
- General Operating Procedures.
- List of system documents (internal and external) for version control and validity.
- Security framework.
CHM Construction and Infrastructure SA utilizes ICT (Information and Communication Technologies) systems for the provision of its services and the performance of its processes, which must be managed and regulated with the application of measures to guarantee their protection against intentional or accidental damage that could impact the availability, integrity, confidentiality, authenticity, and traceability of the information they manage, taking into account that the Organization uses the unclassified use classification for what is considered public, as well as the restricted-confidential use category for personal, sensitive data, and operational information, indicating its proper handling according to what is established in the ISMS.
Therefore, the mission of this Policy is to ensure the quality of information, its availability, as well as that of the assets and services that support it, to provide its reliable and secure use to our clients, employing preventive techniques, monitoring daily practices, and identifying incidents with their appropriate response.
The collaboration of the different internal Business Areas supports the response to the potential materialization of threats, which are handled in accordance with the guidelines deployed from the Information Security Management System and the National Security Scheme, encompassing logical and physical security best practices, those related to data and information management, as well as communication channels for incidents, along with the battery of technical measures corresponding to the maintenance of internal IT Infrastructures and Services.
Thus, processes are established that allow for the prevention and detection of security incidents, and subsequent recovery in accordance with Article 8 of the National Security Scheme, specified as:
- Prevention: The Organization avoids, as far as possible, security incidents that could harm information or services, by implementing the minimum measures specified by the ENS, those indicated by the Security Management System environment, and additionally, any that are considered necessary by the internal area responsible for security management that may arise from the analysis and evaluation of risks, vulnerabilities, and threats, identifying the responsible parties involved.
- Detection: Daily activity is monitored for the detection of incidents and anomalies as indicated in Article 9 of the ENS, establishing mechanisms that allow for their active identification, analysis, and reporting to designated responsible parties.
- Response: There are processes in place to enable incident response, with clear communication channels available to stakeholders and the exchange of information when necessary with units that can respond to emergencies.
- Conservation: The availability of services and information is guaranteed through continuity plans.
The security organization is structured from the creation of the ICT Security Committee, which is composed of the profiles of the Director Responsible for the System, Information Security Managers, Systems Manager, Information Manager, and Service Manager, who in turn acts as secretary, convening the necessary meetings with minutes of the same.
The functions of the Committee will be the following:
- When necessary, report to the Steering Committee.
- Coordinate and approve relevant security actions.
- Promote information security awareness and training.
- Define the System Category and Risk Analysis.
- Joint review and approval of safety-related documentation and associated records.
- Participate in the resolution of problems and discrepancies related to security management.
The responsibilities of the Security Manager are defined as:
- Maintenance of adequate security levels for information and services within scope
- Manage security training and awareness
- Verify that the security measures are adequate for the Organization's objectives and needs
- Review all system security related documentation
- Monitor the security status of the system provided by security event management tools and audit media
- Perform the audits that are deemed necessary based on the ENS and the ISMS
- Support and oversee security incident investigations from notification to resolution, providing reports to the Committee in relevant cases.
- Operate and maintain the information system throughout its lifecycle.
- Define the scope of the information system, identify the assets, their evaluation in each dimension, and establish the system's category.
- Review the risk assessment and propose safeguards, as well as measures
- Ensure that security measures are properly integrated into the overall security framework.
- The Systems Manager could propose the suspension of the processing of certain information or the provision of a specific service if they identify serious security deficiencies that could affect the fulfillment of established requirements. The final decision will be made by the Management Committee.
The responsibilities of the System Administrator will be the following:
- Promote and organize periodic audits according to the ENS and ISMS in collaboration with the Security Officer.
- Describe the security-related documentation
- Participate in safety training and awareness
- Register and track security incidents, as well as any changes that may arise.
- Promote synergies between the ISMS and the National Security Scheme
- Conduct risk and threat assessment.
- Support the System Manager in defining the scope of the ENS and ISMS, asset identification, and their evaluation.
- Collaborate with HR and Management on any safety-related tasks they deem necessary.
The responsibilities of the Information Manager will be the following:
- Ultimately responsible for the use of information and, therefore, for its protection.
- Ultimately responsible for any error or negligence leading to a confidentiality or integrity incident (in data protection) and availability (in information security).
- Approval of established security levels.
The responsibilities of the Service Manager will be the following:
- Responsible for establishing security services requirements.
- Determine service security levels.
As users, the Organization understands that any employee or external third party, when applicable, who requires the use of Information Systems for their daily activities within the company's business areas, must collaborate with the Security Manager in all indicated activities, as well as restrict the use of Systems according to the specifications approved by the Systems Manager. They may be designated as responsible for assets or risks, depending on their involvement with them.
The designation of the members of the ICT Security Committee is assimilated to the Security Committee described by the ISMS, being historically responsible for any security-related action within the Organization. Regarding personal data, the data collected within the information relevant to the scope of the National Security Scheme, as well as that processed by the indicated services, are classified as low typology. The Organization, in accordance with the compliance required within the ISMS, maintains a high performance through audits of the requirements associated with its processing.
The system undergoes a risk analysis, which assesses threats and recorded risk levels to which it is frequently exposed annually, provided that serious incidents do not occur, or changes that could alter the initial conditions regarding the information handled, the services provided, or the emergence of vulnerabilities.
Once the available controls for threat containment have been established, the final risk is considered “residual or trivial risk,” with treatment categories established according to their level.
The development of this Policy is carried out in a complementary manner to the activities related to the ISMS. It is available to all personnel of CHM Construction and Infrastructure SA and constitutes an element of a public nature that can be communicated to both suppliers and customers.
Awareness and information security training days will be organized for the Organization's employees. Personnel responsible for the use, operation, or administration of ICT systems will receive the necessary training in the security measures required in each case.
In cases where CHM Construction and Infrastructure SA uses third parties for the provision of services within scope, it will communicate its requirements through the communications established in the “Evaluation Criteria”, classifying suppliers according to the characteristics established therein.
A communication channel will be provided so that they can quickly and directly report any security incidents related to the service or information subject to their service provision. When any of the third parties does not comply with the minimum requirements set out in the “Evaluation Criteria” mentioned above, their disapproval will be requested from the Manager of the affected business area.
The scope of this Policy is established as:
Information system that supports the infrastructure, services, and security applied to:
- Project Management: Road works (highways, railways, airports, and urban development), infrastructure maintenance, building construction (residential, non-residential, and industrial), urban services, and hydraulic works.
- Corporate management systems.
According to the application statement in effect on the date of certificate issuance.
According to the current categorization: MEDIUM CATEGORY.
Chief Executive Officer CHM Construction and Infrastructure SA
30/10/2024
The Directorate of CHM, in accordance with its Occupational Risk Prevention Plan and its Integrated Management System (Quality - Environmental - Energy and Safety - Occupational Health), considers and assumes Occupational Road Safety as another key aspect of its management, applying criteria of social responsibility and business ethics with the objective of reducing occupational road accidents.
ROAD SAFETY COMMITMENT
The Directorate of CHM commits to identifying and controlling occupational road risks inherent in the development of its operations, ensuring safe and conducive working conditions for the execution of activities; likewise, it guarantees compliance with road safety and mobility standards, laws, regulations, and practices, with the purpose of protecting the health and lives of its personnel.
The Directorate of CHM adapts the Road Safety Policy and its derived objectives to the purpose and context of the organization in the Road Safety Management System Monitoring meetings (Management Review).
The monitoring of these objectives is included within the Road Safety Management System Follow-up meetings (Management Review).
This Policy is disclosed and explained by CHM Management, in case of modification, to the entire organization.
TRAFFIC SAFETY PRINCIPLES
The development of the Directorate's Occupational Road Safety Policy can be summarized as follows:
- Decisively take on the challenge of improving road safety with zero tolerance for accidents and by integrating all involved parties (employers, own personnel, and subcontractors).
- Ensuring the occupational road safety of our personnel, extending beyond their working lives, as they also drive outside of work, meaning their families and loved ones also benefit from this company investment.
- To achieve a high level of safety in the development of our activities, ensuring that our personnel, contractors, clients, and those in our vicinity are exposed to minimal health risks, thereby increasing everyone's satisfaction level. Management assumes and drives this commitment, allocating the necessary human and material resources to achieve it.
TEN COMMANDMENTS OF OBJECTIVES
- To eradicate traffic accidents with fatalities and injuries in our company.
- Achieving safe mobility for all citizens, especially in businesses, by generating mechanisms and strategies, and promoting the creation of safe communities through risk management via programs for the prevention, attention, and treatment of road accidents.
- Contribute to compliance with traffic regulations to reduce road accidents in the city and improve citizen coexistence.
- Determine, evaluate, and control any agent that constitutes a road safety risk factor.
- To maintain a safe work environment by addressing risk factors that threaten the physical integrity of community members or company resources.
- Implement preventive and control measures according to the prioritization of risk factors, directing these actions to drivers and owners.
- Establish promotional and preventive activities aimed at creating self-care and a tranquil lifestyle (zero stress) habits.
- Generate a road safety culture within the company.
- Preventing traffic accidents at work.
- Continuous training and information on road safety.
Chief Executive Officer CHM
15/04/2024
The Directorate of chm, aware of the commitment it makes to its clients and society, has established an Innovation Management System in its organization based on the ISO 56001 Standard, oriented towards achieving the following objectives:
- Ensure compliance with our clients' requirements, guaranteeing their satisfaction.
- Comply with applicable legal and regulatory requirements, as well as other requirements we voluntarily subscribe to, always taking stakeholders into account.
- Achieve continuous improvement of the Innovation Management System through the effectiveness of all our processes, management, and performance at all levels, and drive such improvement from the establishment and review of management objectives.
- Establish permanent training programs that will ensure a highly qualified staff to carry out activities within the Innovation Management System, prioritizing their motivation and participation.
- Collaborate with our clients and suppliers to improve the efficiency of our activities and the achievement of our objectives.
- Engage, motivate, and commit personnel to foster their participation in management, and the contribution of ideas and suggestions for improvement in innovation.
- Make an effort for the more efficient use of natural resources and raw materials that it utilizes, taking into account the lifecycle perspective. Likewise, it will support design activities and the procurement of more sustainable products and/or services, fostering decarbonization.
- chm maintains a strong commitment to research and development, as well as technological innovation as a differentiating factor from its competition, thereby improving its brand image. To achieve this, it fosters the creativity of its staff, analyzing and valuing different proposals, and creating a common spirit that motivates its employees, suppliers, and customers to carry out activities related to R&D&I and the guidelines expressed in the following ten-point statement:
INNOVATION CULTURE: TEN GUIDELINES
1. Encourage leaders at all levels to demonstrate their leadership and commitment, and to act as role models.
2. Allow the coexistence of creativity and effective execution.
3. Openness to change, risk-taking attitude, collaboration, and co-creation.
4. Ideate with purpose, focusing on users and value realization.
5. Exploration and experimentation to acquire new knowledge and skills.
6. Challenging established assumptions and conditions.
7. Diversity of participation and respect for different perspectives.
8. Balance analysis and decision-making on the basis of both assumptions and evidence.
9. Fostering feedback and continuous learning.
10. The ability to work with ambiguity and uncertainty.
The Directorate of chm will provide the necessary plans and resources to achieve the objectives established in the Innovation Policy.
CEO chm
20/01/2026