SECURITY DOCUMENT

 

PROTECTION OF THE INFORMATION AND THE PERSONAL DATA

GENERAL INFORMATION

Data responsible officer: G.Breuer Soc. Civil

CUIT: 30-52562482-6

Address: 25 de Mayo 460, piso 1 (CABA)

Telephone: Nº  2150-7500

Email: abm@gbreuer.com.ar

Contact person: Alejandro Breuer Moreno

Person responsible for the security management in the company: Alejandro Breuer Moreno

Category/Hierarchy/Rank: Partner

CUIT or CUIL:

Last date of review of the Security Document: March 2019

1. PURPOSE

This Security Document (hereinafter referred to as the “Document”) lays down guidelines for implementation of security measures for the correct processing and storage of Information and Personal Data that the Firm processes in the performance of its activity.

This document is complementary to the Information and Personal Data Protection and Privacy Policy, and the principles and obligations established therein will be applied at all times.

Capitalized terms not defined in this Document will have the meaning indicated in the Privacy Policy.

The measures provided in this Document particularly comprise aspects relating to the security of the Information and the Personal Data that the Firm has, and they are intended to maintain integrity, accessibility and confidentiality thereof.

2. SCOPE OF APPLICATION

This Document will be applied to all the Information and Personal Data processed by the Firm in the performance of its activity, and its obligations are extended to the information, media and equipment systems used for the processing.

The staff of G. Breuer and/or any authorized third party having access to the Information and Personal Data shall respect and comply with this Document, whether or not the Information and Personal Data are included in databases owned by the company.

3. DESCRIPTION OF THE PERSONAL DATABASES AND THE SYSTEMS PROCESSING THEREOF

G. Breuer provides the following databases (hereinafter referred to as the “Databases”):

a) COMPUTERIZED DATABASES:

(i)  Trademark Database: includes pending trademark applications, oppositions to trademark applications, registered trademarks and trademark archives (with G. Breuer acting as an appointed agent of trademarks or third parties).

(ii)  Patent Database: includes pending patent applications, registered patents and archives (with G. Breuer acting as an appointed agent of patents or third parties).

(iii)  Industrial Models Database: includes industrial models filed by G. Breuer as an appointed agent of trademarks and third parties.

(iv)  Domain Name Database: includes domains handled by G. Breuer and dispute procedures.

(v)  Copyright Database: includes copyright deposits carried out by G. Breuer on behalf of its clients.

(vi)  Plant Variety Database: includes deposits of plant varieties carried out by G. Breuer on behalf of its clients.

(vii)  Clients, Agents and Colleagues Database: includes current, past and potential clients.

(viii)  Power of Attorney Database: includes Powers of Attorney granted by current and past clients in favor of the Firm.

(ix)  Lawsuit Database: includes judicial proceedings (active and archived) from any venue and jurisdiction, in which G. Breuer and/or its members act in the name of their clients or as their legal representative.

(x)  Extrajudicial Enquiry Database: includes legal enquiries made by the clients to the Firm.

(xi)  Staff and Salary Database: includes current and former employees.

(xii)  Applicant for Employment Database.

(xiii)  Supplier Database: includes current and former suppliers.

(xiv)  Telephone Database.

(xv)  Billing Database: includes invoices issued by the Firm for the rendered services, or invoices issued by third parties to the Firm.

(xvi)  Claim Database.

The computer systems used for the processing of the information are the following: Java, IBM Informix and Google G Suite.

b) PHYSICAL DATABASES:

(i) Trademark Database: includes pending trademark applications, oppositions to trademark applications, registered trademarks and trademark archives (with G. Breuer acting as an appointed agent of trademarks or third parties).

(ii) Patent Database: includes pending patent applications, registered patents and archives (with G. Breuer acting as an appointed agent of patents or third parties).

(iii) Industrial Models Database: includes industrial models filed by G. Breuer as an appointed agent of trademarks and third parties.

(iv) Domain Name Database: includes domains handled by G. Breuer and dispute procedures.

(v) Copyright Database: includes copyright deposits carried out by G. Breuer on behalf of its clients.

(vi) Power of Attorney Database: includes Powers of Attorney granted by current and past clients in favor of the Firm.

(vii) Lawsuit Database: includes judicial proceedings (active and archived) from any venue and jurisdiction, in which G. Breuer and/or its members act in the name of their clients or as their legal representative.

(viii) Extrajudicial Inquiry Database: includes legal inquiries made by the clients to the Firm.

4. SECURITY RESPONSIBLE OFFICER

G. Breuer has appointed Alejandro Breuer Moreno as a Security Responsible Officer.

The Security Responsible Officer is in charge of coordinating and controlling the management of, and compliance with, the measures defined in this Document.

Any security incident shall be immediately notified to the Security Responsible Officer.

5. FUNCTIONS AND RESPONSIBILITIES OF THE STAFF AND ENGAGED PARTIES

The staff having access to the personal data is under obligation to observe and be familiar with the measures, rulings, procedures, rules and standards that concern their work. In this sense, the employees shall read and accept the rulings included in this Document, in the Information and Personal Data Protection and Privacy Policy, and in the Code of Conduct.

The staff performing tasks that do not involve the Processing of Personal Data will have limited access to said data, the media containing same, or resources of the information system.

6. SECURITY AND ACCESS MEASURES

G. Breuer takes all preventive measures to protect the security and privacy of the Personal Data and Information in its possession. For that purpose, it has implemented technological and physical security measures, so that access to the Firm and/or its information is limited exclusively to authorized staff. These include biometric access controls, security cameras, sensors, alarms, locks and security and protection software (firewalls and antivirus), among others.

Furthermore, authentication means and passwords, along with a clear definition of roles and functions of the employees and members, have been implemented to achieve safe access to the systems of protection of the information. In this context, third party services (currently G Suite from Google) are used, providing access, storage and data and information processing in a safe manner, thus complying with the highest standards of the market.

According to the recommendations of the Annex I of the Resolution 47/2018 of the Agency of Access to the Public Information, the following measures have been adopted:

a) Identification and authentication

Measures and rules relating to the identification and authentication of the staff authorized to access the personal data have been adopted, with the aim of maintaining the security thereof. Should external staff of G. Breuer have access to the resources, they will be subject to the same security conditions and obligations as the in-house staff.

Each employee whose functions require access to the Databases is assigned an individual and personalized user. In this way, every user has his own account, which cannot be shared with or used by any other employee and/or third party.

To access said account the user must enter a password that is known only to him. Said password may not be written down or stored on any medium (either physical or electronic) that could be easily accessed by third parties. Infringement of this rule will be considered a serious infringement of the Security Policy of the Firm.

b) Access levels

Different user profiles, which are defined within the staff, are assigned differentiated obligations, privileges and access levels.

The type of Information and/or Personal Data to which the employees will have access will depend on the sector in which they work and the tasks they undertake. G. Breuer adopts strict criteria of access on a need-to-know basis (that is to say, the employees can only have access to those data that are required for the performance of their tasks). In case of a change of tasks or sector (and provided that the access is no longer required for the performance of the new task), the access to the respective data will be revoked.

The Systems Department is the only sector authorized to grant, change, limit or revoke the access of the staff to the data of the Databases and the resources. This authorization is always under the supervision of the Data Protection Officer.

c) Access control

All accesses are logged, recording the user ID, date and time of access, accessed file or Database, access type and whether the access was authorized or denied.

d) Means to avoid unauthorized access

The passwords used by the users to access their accounts shall be alphanumeric, at least 8 (eight) characters long, and combine capital and small letters. Said passwords shall be changed by the users every 90 days. After 3 (three) failed attempts to access the information system, the user will be blocked.

Each user will be responsible for the confidentiality of his password and, in case it becomes known, by accident or fraudulently, to unauthorized persons, he shall register it as an incident (in accordance with chapter 7 of this Document) and immediately change it.

In case of termination of an employment relationship, the access of the respective account to the information and personal data will be immediately removed.

7. SECURITY INCIDENTS

A security incident is an isolated event that creates a problem for the security of the Databases and Personal Data. In this sense, loss or unauthorized destruction of Data, theft, misplacement, unauthorized copying, unauthorized use, access or processing of Data, damage, alteration or unauthorized modification and, in general, any non-compliance with the measures set forth in this Document and/or any fault that affects or may affect the security of the personal data processed by G. Breuer will be deemed an incident.

This Policy is focused on the principles of contingency prevention and reduction of possible damages. Hence, to be able to respond adequately to an incident, the Firm has adopted a mechanism involving the following steps: Identification, Analysis, Resolution and Conclusion.

Identification involves the detection of a possible or potential incident. At this stage, the focus is on monitoring potential security events or incidents. The IT sector is in charge of regular monitoring of computer networks and systems, with the assistance of resources such as Firewalls and Antivirus. Additionally, each employee has been instructed to report a potential incident as soon as he becomes aware of it.

In the event of an incident, the staff is under obligation to notify the Security Responsible Officer, in accordance with the procedures set forth in this Document. This stage is called Analysis and includes the notification sent to the Security Responsible Officer, the assessment of the contingency measures and decision-making.

In particular, the Security Responsible Officer will study:

  • The nature of the incident.
  • Type of affected data.
  • The possibility of damages to the clients, third parties and the Firm.
  • Incident status (whether it is isolated, in progress or contained).

Once the analysis is done, the next stage is Resolution, at which the Security Responsible Officer will seek to provide a solution to the incident as soon as possible, taking all necessary measures according to the nature and characteristics of the event, and involving the IT sector, if appropriate. Moreover, notice will be given to the control authority (Agency of Access to the Public Information) without delay and, if possible, within seventy-two (72) hours of becoming aware of the event. The same notice will be given to the owner of the Personal Data.

The notice of the security event to the control authority and to the data owner will contain the following information:

  • The nature of the incident;
  • The personal data that may be compromised;
  • The corrective actions taken immediately;
  • The recommendations to the data owner about the measures that he can adopt to protect his interests;
  • The means at the disposal of the data owner to obtain more information in this respect.

Finally, once the incident is solved, the next step is Conclusion, at which the Security Responsible Officer will study the reasons why the incident occurred and assess the measures to be taken in order to reduce as far as possible the occurrence of a similar event in future. Learning from the event is essential, since every incident must teach a lesson that helps reduce as far as possible its recurrence.

a. Incident record

G. Breuer will keep a record of the security incidents to prevent possible attacks and, if possible, identify and pursue those responsible for such incidents.

The record of incidents shall contain: (i) the type of incident; (ii) the moment at which it occurred or was detected; (iii) the person giving notice; (iv) to whom it is communicated; (v) the effect arising from it; and (vi) the corrective measures applied.

b. Procedure of recording and resolution of incidents

A file called “Security” will be created in the e-mail program used by G. Breuer, in which all the e-mails referring to security incidents will be stored. When an event considered a security incident occurs, one or more e-mails will be written describing the event and the actions taken for the solution, and sent to a different e-mail account. The date and time, characteristics, and solution of the incident are recorded in those e-mails.

Alternatively, the record of incidents can be kept in a chapter of a Book of System Reports, in which all the events relating to the protection of information and personal data will be reported. This book will be kept in a secure, locked facility.

8. PROCEDURE FOR MAKING BACKUP COPIES AND RECOVERY OF DATA

Backup copies are made regularly, with the aim of protecting the information contained in the Databases.

The procedures established for making backup copies and recovering them guarantee reconstruction of the data to the state at the moment the loss or destruction occurred.

The IT sector will verify the procedures of backup copies and recovery of the data every six months.

9. PREVENTION MEASURES AGAINST MALICIOUS SOFTWARE

In order to avoid loss, corruption and/or impossibility of restoring the information contained in the Databases, the operating system includes a “Security Unit” with Firewall to avoid undesired access through the Internet. The “Security Unit” issues regular and automatic update requests, and the update is carried out every time one is issued.

In addition, all the computers and devices have antivirus software, which is defined on a corporate level by the IT sector of G. Breuer. Software installation on the computers is forbidden without previous authorization from the IT Sector. Laptops connected to the G. Breuer network must be previously authorized by the IT Sector, have a personal Firewall installed and be subject to the security guidelines of this Document.

To prevent the entry of malicious software and/or unauthorized extraction of information and/or personal data of the Firm, the USB ports of the computers are disabled.

10. PROCESSING OF INFORMATION AND PERSONAL DATA ON PHYSICAL MEDIA

The databases and files stored on paper are located in a sector of the Firm prepared for their storage and custody. Only staff and members from specific areas are authorized to access them; the handling or searching of the files and/or archives by unauthorized staff is absolutely forbidden.

The members of the Firm are aware of the fact that the management and/or access to the files and/or content of the databases will be exclusively for the compliance of the particular purposes for which they have been collected, and always within the framework of the activity of the Firm.

Besides, the Firm has implemented a Clean Desk Policy. This means that the proper place of every file is inside its specific archive. In this way, once the task is accomplished, the file will be immediately returned to its place by the qualified staff, who will check that it is stored in the adequate place and according to the numbering or order that it had been allocated.

Efforts will also be made to keep information or personal data in their places. Employees are specifically instructed not to leave any type of content in the area of the photocopy machines and, when using physical media to hold the information (paper, CD, USB flash drives, hard disks, etc.), to store them in appropriate places (their respective archive and/or locked personal desk).

In case they are no longer useful and/or not required for the purpose for which they have been collected, they shall be properly destroyed, in a way that nobody else may access them.

Any Security Incident involving Information or Personal Data stored on physical media will be addressed as detailed in chapter 7.

11. MONITORING

G. Breuer reserves the right to monitor any electronic traffic (such as electronic mail, Internet browsing, etc.) and documentation contained in the devices of the Company as part of its normal operational activities, within the framework of the legislation in force.

The employees understand that the tools of the Company shall be used solely for work purposes (although occasional and limited personal use will be tolerated), and waive any expectation of privacy regarding the communications/activities performed and documentation stored in said tools.

a. Functions and obligations of the staff

The functions and obligations of the staff of G. Breuer who have access to the information in the Databases are indicated in a general manner below:

  • Trademark Department

Functions: Trademark management and custody.

  • Patent Department

Functions: Patent management and custody.

  • Legal Department

Functions: Management of legal and administrative affairs relating to industrial property and law in general.

  • Accounting, Management and Human Resources Department

Functions: Collections and payments, management and human resources of the Firm. Preparation of accounting records and settlements. Implementation, organization and control of Information and Personal Data Protection and Privacy Policy.

  • IT Department

Functions: Operation, system maintenance and information security management.

The heads of every department are in charge of the management and good use of the Information and Personal Data contained in the Databases that they administer.

b. Training and information

G. Breuer will carry out mandatory trainings in order to ensure that all persons involved in the processing of the information and data are acquainted with the security measures contained in this Document.

In addition, this Document will be permanently published on the Intranet of G. Breuer, so that it is always available to the staff.

c. Confidentiality

The entire staff of G. Breuer and/or authorized third parties having access to the Databases and/or confidential information will be appropriately informed and commit themselves to observe strict confidentiality with regard to the information contained therein.

In addition, said individuals are requested to sign confidentiality statements through which they commit themselves to keep strict secrecy and confidentiality of the information to which they have access and not to share it without express authorization.

d. Background analysis

As set forth in the Privacy Policy, in order to implement adequate security in the processing of the Information and Personal Data, G. Breuer will seek to verify the education levels and former employment of the applicants and will search for internal and external references on them, according to the position and the responsibilities to be covered.

12. CONSEQUENCES OF NON-COMPLIANCE WITH THE SECURITY DOCUMENT

Non-compliance with the obligations and security measures established in this Document by the involved staff will be punished according to the gravity of the fault.

The analysis of the infringement and determination of the corresponding punishment will be made by the Security Responsible Officer, with the assistance of the Data Protection Officer.

13. REVIEW OF THE SECURITY DOCUMENT

The Security Responsible Officer will review the Document on a regular basis and at least once a year. It will be updated whenever relevant changes occur in the information system or in the content of the Databases, or as a result of the regular controls.

A relevant change is one that may affect normal compliance with the implemented security measures.

Likewise, this Document shall always comply with the regulations in force on personal data protection.

G. Breuer will inform the employees when a modification is made.