Indra Group (Indra) recognizes the importance of proper processing of personal data, considering it to be a matter of particular relevance for the company.
Accordingly, it has created an Indra Data Privacy and Protection Policy (the "Privacy Policy") that establishes the principles of governance and management of privacy in the organization. This Privacy Policy is mandatory for all Group companies and subsidiaries, across all corporate processes and lines of business.
The Privacy Policy contributes to guaranteeing the security of personal data and preventing their alteration, loss, processing or unauthorized access. All working and related third parties must comply with the Privacy Policy.
Its application covers the information systems and facilities used for the processing and storage of personal data, including the systems used in operations and projects developed for customers.
Since 2010, Indra has had a Data Protection and Privacy Office headed by the company's Data Protection Officer (DPO). Moreover, since the entry into force of Regulation (EU) 2016/679, General Data Protection Regulation (GDPR), this Privacy Policy has been updated to comply with its requirements. The current version of this Policy was approved by the Board of Directors on May 13, 2025.
The Data Privacy and Protection Office within the company's legal area ensures
the implementation of the most effective controls and procedures that minimize the privacy risks to which the company is exposed. The DPO reports independently, at least once a year, to the Audit and Compliance Committee (ACC) and the Risk Coordination Unit (RCU).
Indra's privacy principles must be respected at all times and under any circumstance, even in the case of requests for information from governmental authorities, always guaranteeing compliance with both this Privacy Policy and current regulations.