Information and Personal Data Security Policy
The Management and all personnel of R1 s.p.a., operating in the field of design, consulting, development, integration, supply and assistance of information systems, is committed to protecting its information assets, in order to preserve its competitive advantage, profitability, legal, regulatory and contractual compliance, and at the same time, is committed to ensuring the confidentiality, integrity, availability and resilience of personal data processed by the Organization, to guarantee the rights and freedoms of data subjects, as well as the consequent positive market image that the adoption of serious protection of its customers’ privacy is able to generate.
The requirements for information and personal data security are consistent with the Organization’s general objectives and operational procedures. The adopted Information Security Management System (ISMS) and the Organizational Model for Personal Data Protection represent the tool that allows information sharing, correct operations, and the reduction of information-related risks to acceptable levels.
The strategic plans of R1 s.p.a. and its risk management framework constitute the context for the identification, analysis, evaluation, and control of information-related risks. The definition of roles and responsibilities, as well as the specific identification of personal data processing activities and the related risk analysis to which they may be subject, constitute the context in which the Organizational Model has been implemented and is dynamically kept up to date, in function of the continuous evolution of the context itself. The risk assessment and treatment document and the statement of applicability (SOA) define the ways in which information-related risks are kept under control.
Business continuity, data backup procedures, protection from malware and intrusions, access control to systems, and reporting mechanisms in case of information security issues represent additional fundamental elements for this policy. Control indicators for each of these areas are defined in the System documentation and supported by specific procedures.
All involved parties belonging to the Organization and any stakeholders, considered within the perimeter defined in the System’s scope of application, as well as external processors who process personal data on behalf of the Controllers and the independent Controllers with whom the Company has decided to share some of its processing activities, assume behaviors in compliance with what is indicated in this Policy, in the Organizational Model and in the Information Security Management System that implements it. All human resources and personnel assigned to personal data processing are subject to formal appointment and receive necessary and appropriate training.
The ISMS and the Organizational Model are subject to continuous and systematic reviews and improvements, and R1 s.p.a. is constantly committed to effective maintenance of the related certification, based on the UNI CEI EN ISO/IEC 27001:2017 standard and compliance with the requirements set by the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data.
This policy is periodically reviewed to consider any changes in risk assessment and, consequently, in the related treatment plan.
Rome, February 12, 2025
The Management