IT MEDIA USAGE POLICY

Prepared by: Raúl Herbosa

Approved by: Jesús B. Serrano, Oscar Tejedor

Authorized by: Jesús B. Serrano

Internal code: DEP_08-10

Version: 1.5
Date: 13/04/2020

GMV  GMV, 2020; all rights reserved

Isaac Newton, 11; PTM Tres Cantos; Madrid 28760
Tel. +34 918072100; Fax. +34 918072199
www.gmv.com
 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 2 of 29

DOCUMENT STATUS SHEET

Version Date Pages Changes
1.0 30/01/2008 26 Draft. First release.
1.1 09/08/2013 26 Updated version.
1.2 10/05/2015 26 Update to include references to the management of classified information with
computer and communication systems
1.3 15/06/2016 29 Added external access policy in case of temporal sick leave.
1.4 22/05/2017 27 Added infection through mail
1.5 13/04/2020 29 Added lock screen policy and web services with text (translators, pdf converters,..).
Added GDPR conditions. Minor changes reviewed and updated.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 3 of 29

TABLE OF CONTENTS
1. INTRODUCTION ................................................................................................................................ 6
1.1. PURPOSE ................................................................................................................................ 6
1.2. SCOPE .................................................................................................................................... 6
1.3. DEFINITIONS AND ACRONYMS ................................................................................................. 7
1.3.1. DEFINITIONS .................................................................................................................................... 7
1.3.2. ACRONYMS ....................................................................................................................................... 7

2. REFERENCES .................................................................................................................................... 8
2.1. APPLICABLE DOCUMENTS ........................................................................................................ 8
THE GMV GROUP ELECTRONIC MAIL STYLE BOOK. ................................................................................. 8
2.2. REFERENCE DOCUMENTS ......................................................................................................... 8
3. RIGHTS AND DUTIES ........................................................................................................................ 9
3.1. COMPANY................................................................................................................................ 9
3.2. USERS .................................................................................................................................... 9
3.3. RESPONSIBILITIES ................................................................................................................ 10
3.3.1. TEMPORARY OR EMERGENCY SUSPENSION OF THE SERVICE ............................................................. 10
3.3.2. INDEFINITE SUSPENSION OF THE SERVICE ...................................................................................... 11

4. USAGE POLICIES ............................................................................................................................ 12

4.1. THE USE OF IT RESOURCES ................................................................................................... 12
4.2. USER EQUIPMENT USAGE ...................................................................................................... 14
4.3. THE USE OF COLLECTIVE EQUIPMENT..................................................................................... 15
4.4. USING THE IT NETWORKS...................................................................................................... 15
4.5. USING ELECTRONIC MAIL ...................................................................................................... 16
4.5.1. USER RESPONSIBILITIES WITH RESPECT TO THE USE OF E-MAIL ...................................................... 16
4.5.2. CORPORATE MAIL POLICY ................................................................................................................ 16
4.5.2.1. Mailbox Size ....................................................................................................... 16
4.5.2.2. Dispatches and Transfers ..................................................................................... 16
4.5.2.3. External E-mail Abuse .......................................................................................... 17
4.5.2.4. Internal E-mail Abuse .......................................................................................... 17
4.5.2.5. E-mail Server and Distribution List Filtration Rules .................................................. 18
4.5.2.6. Activating and Deactivating E-mail Accounts ........................................................... 19
4.5.3. INFECTION THROUGH MAIL.............................................................................................................. 20

4.6. WEB ACCESS USAGE ............................................................................................................. 20

4.6.1. DEFINITION OF THE SERVICE........................................................................................................... 20
4.6.2. WEB SERVICE ACCESS CRITERIA ..................................................................................................... 20
4.6.3. USE OF WEB SERVICES.................................................................................................................... 21
4.6.4. EXCEPTIONS ................................................................................................................................... 21
4.6.5. WEB ACCESS CLIENTS ..................................................................................................................... 21
4.6.6. USING THE WEB ACCESS SERVICE CORRECTLY. ............................................................................... 21
4.6.7. ABUSIVE USE OF THE WEB ACCESS SERVICE.................................................................................... 22
4.6.8. ACTIVATING AND DEACTIVATING THE WEB ACCESS ......................................................................... 23

4.7. EXTERNAL ACCESS USAGE ..................................................................................................... 24

5. COPYRIGHT .................................................................................................................................... 25
6. APPLICATION OF AND COMPLIANCE WITH THE POLICY ..................................................................... 26
7. THE CONSEQUENCES OF NON-COMPLIANCE..................................................................................... 27
 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY
 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 4 of 29

8. DISCLAIMER ................................................................................................................................... 28

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 5 of 29

LIST OF TABLES AND FIGURES

Table 1 Definitions.................................................................................................................... 7
Table 2 Acronyms ..................................................................................................................... 7
Table 3 Reference documents .................................................................................................... 8

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 6 of 29

1. INTRODUCTION
1.1. PURPOSE
The purpose of the company’s IT resources is that of supporting the productive processes, research
projects and administrative tasks required to ensure that the organisation functions. This requirement
implies a series of responsibilities on behalf of the employees, who must respect the rights of their
fellow users, the integrity of the system and physical resources, and the laws and regulations
currently in force.

Included here are all of the IS (Information Systems) of the Grupo Tecnológico e Industrial GMV S.A.
and its subsidiaries, henceforth GMV Organisation, be they individual or shared or connected or
disconnected to our networks. IT Department as well as that equipment that is connected to the
company’s networks by way of an extranet must apply the policy content to all equipment
(workstations, PCs and servers) and communications infrastructure that is either owned or
administrated.

All of the above includes terminals, personal computers, workstations, servers and associated
peripherals, such as software, irrespective of whether these used for administrative, financial,
research, project development, or other areas of management.

The users of these services and installations might have access to strategic resources that are
extremely valuable to the organisation, access to third-party data and to external communications
networks. For this reason, it is important that all users act in a responsible and ethical manner when
making use of these resources. Correct resource usage implies respecting the rights of other users,
the integrity of the installations and the agreements and contracts with third parties whenever these
are applicable. This document establishes a series of specific rules governing the use of all the
company’s IT resources and which have been drawn up with the aim of ensuring that the resources
provided are used as efficiently and correctly as possible.

The current degree to which the I.S. are used coupled with the fact that they are interconnected via
the same network throughout the different offices, makes up the organisation to publish this internal
policy. Main objective of the policy is to clarify the correct way in the use of all of corporate IT
resources, delimiting responsibilities and establish a framework for regulating the use of the different
services provided and managed by IT Department.

Point 8 includes the disclaimer form. All user, employee of IT resources should sign the form.

Any questions, doubts or interpretation anyone may have regarding these rules, should be address to
IT Department.

1.2. SCOPE
The rules contained in this IT Media Usage Policy document must apply to all of the offices and
companies included in the Corporate Group with respect to the usage of the IT infrastructure and
collective services, including not only the media owned by the company itself, but also that owned by
third parties or managed by IT Department.

It is the company’s responsibility to ensure each user is familiar with and uses the infrastructure and
services in question in accordance with the terms and conditions stipulated in this document.

IT Department can modify this document in order to adapt it to any technical and/or legislative
developments that might occur, in which case the subsequent approval of the company's Board of
Directors is required. Any approved modifications made to this document will be promptly notified to
the users.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 7 of 29

Restricted Access Area (RAA) infrastructure, communication systems and equipment’s are included in
this policy even though additional and special restrictions should apply as well.

1.3. DEFINITIONS AND ACRONYMS

1.3.1. DEFINITIONS
Concepts and terms used in this document and needing a definition are included in the following table.
Every time that a term defined in this section is used in the document, the term appears in italics.
Other definitions and acronyms are provided in the document Glossary of terms and acronyms
([AD.1]).
Table 1 Definitions

Concept / Term Definition

Classified Information
Enterprise Security Clearance (ESC)
Facility Security Clearance (FSC)
GMV Organisation
IT Department
Protection Service
Restricted Access Area (RAA)
Security Officer
Information or any other material requiring a level of protection against an unauthorized
disclosure (intentional or involuntary) defined by its classification level.
Is the positive declaration of the National Security Authority (NSA) of formal recognition of an
enterprise capacity and trustworthiness to generate and access to classified information up to
a specific level, not ween allowed to manage or store it in its facilities.
Is the positive declaration of the National Security Authority (NSA) of formal recognition of an
Enterprise, holding a valid and inforce ESC capacity and trustworthiness to manage and store
classified information up to a specific level, in its own facilities accredited for that purpose
Enterprise facilities are understood as the offices, premises, buildings or groups of buildings
belonging to the enterprise in a unique geographical location, within a clearly demarcate
perimeter.
The GMV corporate Group. This includes both the legal companies and the different physical locations
thereof.
Information Technology Department.
Persons, facilities, resources and procedures that, acting coordinately, aim at protecting
classified information under the responsibility of an enterprise against the unauthorized
access and the loss of integrity and availability.
Physical area in which classified contracts (contracts managing classified information)
Responsible, within a given organization, of managing and controlling the protection service,
as well as fulfil and enforce the fulfilment the applicable norms and of ensuring that the
enterprise protection plan is known and properly applied by the personal of the organization
accessing to the classified information.

1.3.2. ACRONYMS
Acronyms used in this document and needing a definition are included in the following table:
Table 2 Acronyms

Acronym Definition
RAA Restricted Access Area
NSA National Security Authority
ESC Enterprise Security Clearance
FSC Facility Security Clearance

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 8 of 29

2. REFERENCES
2.1. APPLICABLE DOCUMENTS
The following documents, of the exact issue shown, form part of this document to the extent specified
herein. Applicable documents are referenced in this document in the form [AD.X]:
Table 2-1 Applicable documents

Ref. Title Code

[AD.1] SPANISH ROYAL DECREE-LAW 14/1999, of September 17, the Electronic
Signatures Act.
[AD.2] SPANISH ROYAL DECREE-LAW 11/996, of April 12, which approves the consolidated text of
the Spanish Copyright Act.
[AD.3] SPANISH ORGANIC LAW 15/99, of December 13, the Personal Data Protection Act.
[AD.4] SPANISH ROYAL DECREE 994/1999, of June 11, which approves the Regulation of the
Security Measures of Automated Files containing Data of a Personal Nature.
[AD.5] SPANISH ORGANIC LAW 1/1982, of May 5, regarding the Right of Honour, of Personal,
Individual and Family Privacy and the Protection of One’s Own Image.
[AD.6] ISO/IEC Standard 27001.
[AD.7] THE GMV GROUP ELECTRONIC MAIL STYLE BOOK.

[AD.8] The Workers’ Statute.

[AD.9] GDPR, REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL of 27 April 2016

2.2. REFERENCE DOCUMENTS

The following documents, although not part of this document, amplify or clarify its contents. Reference
documents are those not applicable and referenced within this document. They are referenced in this
document in the form [RD.X]:
Table 3 Reference documents

Ref. Title Code Version Date

[RD.1]

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 9 of 29

3. RIGHTS AND DUTIES

3.1. COMPANY
With respect to the management of its workers and to the means it puts at their disposal, the
company is authorised to both direct and control the aforementioned, a right that even forms part of
the Spanish Constitution as stipulated by article 28 thereof:
“Free Enterprise is recognised within the framework of a market economy. The public authorities
guarantee and protect its exercise and the safeguarding of productivity in accordance with the
demands of the general economy and, as the case may be, of economic planning.”

Likewise, article 20 of the Workers’ Statute describes the company’s powers with respect to the
management and control of its employees’ working activities. Article 20.2 stipulates the following:

“In compliance with the contractual obligation to work, the worker must provide the employer with the
diligence and collaboration in the workplace stipulated by the legal provisions, collective bargaining
agreements and orders or instructions agreed upon by the latter in the habitual exercising of his/her
powers of management and, failing this, to all intents and purposes. Whatever the case, the worker
and the employer must commit themselves to performing their respective roles in good faith.”

In addition, article 20.3 specifies the following:

“The employer shall be entitled to adopt the monitoring and control measures he/she deems most
opportune in order to verify the compliance of the worker with respect to his/her occupational duties
and obligations. Whilst so doing, the employer must never compromise the human dignity of the
worker and always bear in mind, where appropriate, the true capacity of handicapped workers”.

From the above text, according to the Law, the company is entitled to establish the control and
protection mechanisms that it deems opportune, bearing in mind the limits of the rights of the
workers and of human dignity.

Company will fulfil all IT matters covered in REGULATION (EU) 2016/679 OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL of 27 April 2016 [AD.9] and will establish policies and
mechanisms to ensure all user data privacy is managed in the way this regulation establishes.

As Spanish local regulatory laws regarding IT management are applicable to this corporate policy, the
rest of local regulatory laws of all countries where GMV has presence also are applicable. All of them
applies in the same way.

Finally, Company makes the IT media available to its employees to perform the user tasks. It is for
this reason that the Company establish control measures and/or impede the indiscriminate usage for
private purposes of the media it puts at its employees disposal.

3.2. USERS
The users have the right to preserve their privacy in accordance with that stipulated in article 18 of
the Spanish Constitution, which establishes:

1. The right to honour, to personal and family privacy and to the own image is guaranteed.
2. The home is inviolable. No entry or search may be made without the consent of the
householder or a legal warrant, except in cases of flagrante delicto.
3. Secrecy of communications are guaranteed, particularly regarding postal, telegraphic and
telephonic communications, except in the event of a court order.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 10 of 29

4. The law shall restrict the use of data processing in order to guarantee the honour and personal
and family privacy of citizens and the full exercise of their rights”.

This concept is also included in Spanish Organic Law 1/1982 regarding the Right of Honour, of
Personal, Individual and Family Privacy and the Protection of One’s Own Image. This right establish
that the following measures can be illegal interferences regarding personal privacy if they are used
without the consent of the employee. Use of listening apparatuses, optical devices, or of any other
medium in order to gain insight into his/her private life, or of private statements or letters not
addressed to a person who does not make use of the media in question.

The aforementioned protection is further strength by that stipulated in the Spanish Penal Code, article
197.1 of which establishes:

“Any person shall be punished with prison sentences of between one and four years and a fine in case
of actions to discover the secrets or violate the privacy of another, without his or her consent. Gains
access to papers, letters, electronic mail messages or any other personal documents or effects or
intercepts his or her telecommunications or uses technical listening, transmission, recording or audio-
visuals reproduction devices, or any other communications signal”

Finally, article 18 of the Spanish Workers’ Statute states the following:

“Searches can only be carried out on the person of the worker, his or her lockers and personal effects
when this is deemed necessary to protect the company’s assets and those of its remaining workers
within the work centre and during working hours. Likewise, it is of utmost importance that the dignity
and privacy of the worker is fully respected whilst so doing, and that a workers’ representative, or if
this is not possible, another company worker is present at all times”.

Users will fulfil all IT matters covered in REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT
AND OF THE COUNCIL of 27 April 2016 [AD.9] and is it is own responsibility to avoid to introduce any
personal data into the corporate computer equipment where the user can get access to
create/change/modify files over any corporate or digital media.

3.3. RESPONSIBILITIES

Whenever incorrect or unacceptable usage proved with respect to that specified in this document, IT
Department shall proceed to cut off the service in the computer or network device depending on the
severity and reiteration of the incident.

3.3.1. TEMPORARY OR EMERGENCY SUSPENSION OF THE SERVICE

Premeditatedly violations of any of the terms and conditions of this document or in case of any
incident causing a deterioration/degradation of the network resources and/or is implicating the
company in some type of liability, will produce the application of this measure.

This action must consist of the physical disconnection of the computer or device that is the source of
the incident from the company’s data network until the situation that led to the taking of this measure
has been resolved.

All traffic to and from it must be filtered in case of not be able to physically disconnect the affected
equipment.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 11 of 29

3.3.2. INDEFINITE SUSPENSION OF THE SERVICE

This measure applies in the case of particularly serious infractions or of repeated violations of the
terms and conditions of this document following the corresponding warnings issued by the staff of IT
Department. The service must only be re-established once it is considered that the measures adopted
by the user of the computer or device that caused the incident guarantee that it will be acceptably
used in the future.

Any user within the company who fails to comply with the terms and conditions stipulated in this
document shall have to face the consequences of having put company infrastructure to incorrect use.

Every GMV Organisation employee who uses any of its IT services must know and comply with the
policies contained in this document. Claiming to be unfamiliar with these in order to justify any non-
compliance will not be acceptable as a valid excuse for avoiding the corresponding penalties.

In case these activities detection in any of the equipment deployed in the RAA, IT Department shall
promptly report the Security Officer, who will in turn decide about adoption of further measures.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 12 of 29

4. USAGE POLICIES
4.1. THE USE OF IT RESOURCES
Listed below are a set of generic guidelines for using the IT resources provided by the organisation in
a responsible manner. These guidelines apply to any IT systems resource of GMV organisation
property managed by IT Department. The following points describe the specific rules governing the
use of particular services. Take into account the fact that certain actions might result in legal
proceedings and actions.

GENERAL RULES:

1. Employees must only use those IT systems (computer networks), access accounts (user names and
passwords), data files, etc. for which they are authorised;
Under no circumstances must an employee use the identification details of another person.
Prohibition of capture or try the passwords of other users.
Each user is responsible for the assigned resources; therefore, specific prohibition of haring of any
information that enables access to other systems or resources.

2. Employees must obey the specific rules established for the use of any computer or data network
whenever accessing it either from outside or within the GMV Organisation. As examples, users of the
computer rooms must obey the usage rules established for those rooms. Those who access computers
located outside GMV premises via external networks (for example Internet) must obey the specific
rules established by IT Department as well as the usage rules of the networks they have accessed
(the internet service provider, be it public or private).

3. Employees must not attempt to access the restricted areas of a network, IT system, security
software, user account, etc. without the approval of the owner or of IT Department. Breaking into an
IT system without due authorisation constitutes a violation of Internet usage rules, irrespective of the
weakness or strength of the protection of these systems. The unauthorised connection to the
telephone network or to data networks with restricted access form the GMV Organisation’s network or
using the means of the GMV Organisation constitutes a violation of these rules and, in the majority of
cases, a possible crime.

4. Regarding the privacy and rights of third parties: prohibition to access or copy electronic mail,
addresses, data, programs or other files without the permission of the owner.

5. Employees must, at all times, follow and comply with that legislation currently in force with respect
to the protection of privacy, copyright and telecommunications.

6. Employees must remember that the legislation governing copyright also affects the licensing
contracts regarding software and other materials with access rights from the GMV Organisation’s
network. Prohibition of copying software that is not within the public domain or "freeware". Where
software distributed under licence within the GMV Organisation is concerned, users must abide with
the specific terms and conditions of the software owner for copying or use that software. In
accordance with the legislation currently in force, copyright extends to images, text and sound, even
though these are on digital support.

Copy, modify or send via the network of this kind of software make especially vulnerable to
unauthorised accesses or the infringement of copyright. Employees must remember anytime the
prohibition of distribution of material that is subject to copyright. Under no circumstances, employees
will use the IT media of the GMV Organisation to access or distribute these materials. Employees must
also bear in mind the poor image and other damage GMV Organization can incur using IT resources
for illicit purposes.

Law also regulates the transference and storage of classified information, being able to constitute a crime its
transference and jeopardizes GMV FSC/ESC, which implies the cancelation of all the contracts requiring such
clearances for their development.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 13 of 29

7. Employees must be polite and prudent when using the IT systems to communicate with other
persons. Whenever they send messages or other information to other users, they must use their ID,
even though they are acting as an intermediary, in the name of or with the authorization of another
person. It is not tolerated the use of the GMV Organisation’s resources for harassing other persons, no
matter how justified the reasons.

8. Every employee must be aware of the needs of other users and make use of the IT resources in
such a way to ensure all users can work together. Use of the computer rooms or of the conference
rooms or of the centralised systems (electronic mail, web servers, Navision, NAS filer, Internet access,
etc.) must use these media responsibly, efficiently and professionally, so that in situations or during
periods of high demand, the work of those around them remains unaffected. It is not tolerated
sending massive emails to multiple addressees, chain letters, using the web for casual reading or
mere entertainment are examples of activities that can result in network or systems congestion and
have a negative effect on the work of other staff.

9. Employees must treat all of the IT systems and the information available within the GMV
Organisation as a valuable resource. They must protect the data and the systems to which they have
access. They must adhere to the backup copy policy established for the files they use for their work,
use suitable passwords and change these periodically. Employees must ensure that they both know
and understand the scope of the access privileges to data and systems with regard to the work they
are doing. They must treat the data, programs and equipment they work with and on with care.

The voluntary introduction (be it active or passive) of a computer virus, "worms", "Trojans" or any
other type of software designed to slow down the normal working of the network, the systems or of
any computer connected to the GMV Organisation’s network, irrespective of who owns it, is a serious
offence. For this very reason, all employees must consult with IT Department prior to installing new
programs and be familiar with the Organisation’s antivirus policy. Employees must bear in mind that
"a virus" in "a computer" connected to the company’s network, irrespective of its geographical
location, might well result in a significant degradation of the Internet access service and confidential
files sent from that computer to third parties can cause serious damage.

Contract software from or services provided by third parties for use in the GMV Organisation’s network
without the approval of IT Department is not permitted. Employees must bear in mind that by not
following these procedures the company can incur in additional expenses, or a project could be totally
invalidated due to unfamiliarity with the architecture of the systems, legal aspects, security, etc.

10. Employees must use the GMV Organisation’s IT resources for work related with the Organisation.
These resources are designed and adapted to provide the necessary work tools, and not as social
privileges or tools for personal or private use.

11. Employees must make every effort to remain abreast of the changes made to the IT systems. The
field of technology is constantly changing, new services included; security requirements imply changes
that are not exactly simple, etc. The IT services take pains to adapt themselves to the technical
changes and to the new needs of the users. The modifications that have been made and those that
are planned for the systems must be communicated by e-mail to all those implicated, with the
criticality of the change and whether the user must perform some type of action being clearly stated.
Furthermore, a copy of the communications will be sent to the sis_info@gmv.com or
sis_crit@gmv.com email lists so that all of the notifications carried out can be subsequently consulted
in INCORPORATE. Being up-to-date with changes will really help employees with their work. Although
we know that "technology" can present problems for many users, some effort to know the basics can
be of benefit to everybody.

12. Within our organization, there are a number of systems or services governed by specific usage
rules, such as electronic mail, access to the corporate network and web access. These specific rules
deals with the corresponding sections below.

13. If an employee has any doubts regarding the technology, status and/or operation of the IT
systems, hardware, software, communications, etc., or wishes to make some type of request, he/she
must not hesitate to contact IT Department:

Email: IT-Systems-Department@gmv.com
Intranet: https://incorporate.gmv.com/EN/Servicios/default.aspx

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 14 of 29

Internal Telephone: 3000

External Telephone: +34 91 807 21 00
24-hour Systems Security Telephone: +34 902 464 601
Incidents and Requests: https://askfor.gmv.com/

4.2. USER EQUIPMENT USAGE

IT Department provides each user with a desktop computer (PC) or a laptop in order to enable them
to carry out their work correctly. User choice between desktop and laptop will be according the user
profile and type of work expects to carry out.

1. This material and their use is the responsibility of the user. This not only includes being responsible
for the possible actions that can be performed from the equipment, but also the programs, data and
software that it contains.

2. It is the user and only the user who is responsible for the equipment with which he/she is provided
including any content inside. All of the transactions carried out under his/her user name and password
(personal and non-transferable attributes) are also his/her sole responsibility.

3. Although the IT material is company property, employees must look after it as though it were their
own. Special care must be taken in the case of laptops:

 Unprotected networks must not be accessed.

 Downloaded services and programs must not be used when using external connections.
 The equipment must never be shared with anybody from outside the organisation.
 The data contained in the equipment must be protected using encryption mechanisms provided
by IT Department.
 The equipment must not be used for non-work related purposes.
 In the event of an equipment malfunction or a suspected infection, the employee must
immediately contact IT Department BEFORE connecting the equipment to the corporate
network.

4. In particular, the following actions are expressly prohibited:

 Changing the configuration of the equipment without the authorization of IT Department.

 Installing any type of software (legal or illegal, free or licensed) without the supervision of IT
Department.
 Installing antivirus, personal firewalls, etc. without the knowledge of IT Department.
 Connecting any external device and/or modifying the physical characteristics of the equipment.

5. Users who suspect that their equipment has been infected by a virus must immediately switch it off
and call IT Department so that it can be checked and, if necessary, disinfected.

6. Regarding management of classified information, it is expressly forbidden connection of both portable and desk
equipment to more than one network; at least one of them is isolated and/or accredited for the management and
storage of classified information, including wireless connection (WIFI).

7. Even all user equipment has applied special security directive to lock the screen under inactivity condition,
users should lock the screen when they leave alone the laptop/desktop with opened sessions. Special care when
leave a meeting-room with external personnel.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 15 of 29

8. Once a user relationship with GMV is terminated, any computer material should be returned to IT department
to remove any information contained on them. This procedure is explained in detail in the termination procedure
followed and initiated by Human Resources department.

4.3. THE USE OF COLLECTIVE EQUIPMENT

The organisation provides collective IT equipment that is distributed throughout communal facilities
such as lecture rooms, conference rooms and printing rooms that can be shared by several users. This
equipment includes printers, demonstration equipment, training equipment, sharing equipment usage
and videoconference equipment, among others.

This equipment must be treated and used in accordance with the policies governing the equipment
allocated to each user and described in the previous point.

Employees must leave the collective equipment exactly as they found it prior to commencing work.

4.4. USING THE IT NETWORKS

1. The user is indirectly bound to accept the terms and conditions stipulated in the company’s connection
agreements with the service providers who supply the company’s internal networks with exterior
connectivity (Internet) and its internal connectivity between work centres (Internal Networks). These
agreements state that the services related must be used for purely professional purposes, thereby
excluding any criminal practices (hacking) or any other activity voluntarily tends to affect other users
of the networks, both performance wise and with respect to the privacy of the contained information.

2. In particular, the following actions are expressly prohibited:

 Attempting to cause damage to systems or equipment connected to the networks where a user
can get access.
 Spreading viruses, worms and other types of programs designed to damage information.
 Using the resources provided by the network for advertising or commercial purposes other than,
those related with the activity of the GMV Organisation.
 Intentionally congesting communications links or IT systems by sending information or using
programs designed for such a purpose.
 Attempting to access or accessing the user accounts of others (by using any protocol, telnet,
ftp etc.), even if unsuccessful.
 Exporting password files or manipulating these in any way, in other words attempting to obtain
the passwords of other users.
 Affecting or paralysing any service provided by IT Department.
 Modifying files that are not the property of the user and without authorisation to do so, even
though they include write permission.
 Accessing, analysing or exporting files that are accessible to everybody unless the files are
located in public locations (anonymous ftp servers, Web servers, etc.).
 Modifying the structure of the network by adding departmental switches or hubs in order to
enable the connection of several pieces of equipment to one single network port and without
the express knowledge of IT Department.
 Incorporating computers onto the network without the express knowledge of IT Department.
 Connecting computer systems to more than one network, ensuring that at least one of them is
isolated and/or accredited for the management and storage of classified information, including
wireless connection (WIFI)

Remark the following rules:

 User accounts are not shareable.

 Project accounts are not shareable except among the members of the project team.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 16 of 29

 Users must keep their passwords safe.

 All users involved in a project must keep the password of the project account safe.
 Passwords must be changed regularly in accordance with the policy defined for that purpose.
 Notify immediately IT department if any anomaly situation is found.

3. All of the aforementioned rules and recommendations are valid with independence of the type/role
of access to the company's services, both from inside of internal network and via remote accesses
gained using Guardian platform or web services.

4.5. USING ELECTRONIC MAIL

4.5.1. USER RESPONSIBILITIES WITH RESPECT TO THE USE OF E-MAIL

1. The users are responsible for all of the activities performed via the electronic mail accounts
provided by IT Department.

2. This responsibility involves looking after the resources that make up the account in question and, in
particular, the elements, such as the password, that might enable third parties to access the account,
or other personal resources that use that ID.

3. If a user suspects than a computer or a third party uses service account, he/she must immediately
notify it to IT Department.

4. Mechanisms and systems, which hides the e-mail sender’s identity, are not permitted.

5. It is prohibited to supplant the ID of another person when sending e-mail messages due to this
activity is considered as violation of the Spanish General Telecommunications Act.

6. User must report any phishing suspicion received by email using the fraud email report plugin
installed over outlook and webmail services.

4.5.2. CORPORATE MAIL POLICY

4.5.2.1. Mailbox Size

Each e-mail account has a set of limited storage resources associated with it. Currently, there is a
maximum size restriction of 5.0 GB, as of which the mail server sends messages indicating this
situation. In the event of this limit excess by 0.5 GB, the server will enable incoming mails to be
received by the mailbox in question, but it will deactivate the possibility of sending outgoing mails
until the stipulated storage limit has been re-established.

4.5.2.2. Dispatches and Transfers

The maximum size per email allowed via the corporate mail servers is 30 MB. However, other external
e-mail service provider’s restrictions can produce email transaction rejection.

Users must keep in mind that the mail sent will be transmitted via different Internet servers and
restrictions of any institution can affect to the final destination.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 17 of 29

4.5.2.3. External E-mail Abuse

Certain practices with respect to the way in which the e-mail account is used are classified as E-mail
Abuse. The Internet Community goes to extra lengths in order to stamp out these activities and if the
source thereof is discovered, it usually results in the image of the organisation in question being
severely damaged.

Whenever an organisation is affected by activities of this type and is able to determine the
whereabouts of those responsible, it might decide to implement an increasingly common practice and
block and reject all e-mail messages sent by the organisation identified as being the source of the
problem. The Spanish Information Society Services and Electronic Commerce Act (LSSICE) singles e-
mail abuse out as being a misdemeanour that can result in severe economic repercussions.

In order to diminish these problems, the e-mail service has been equipped with an infrastructure that
contains complex hardware and software elements, which deletes those e-mails that contain viruses
and that are classified as spam due to their characteristics using heuristic methods, etc. The GMV
Organisation sees this solution as being a course filter that affects all of the messages it receives.

These elements perform the front-end functions by permitting that only those incoming e-mails that
the system considers legitimate are received by the organisation. Given the fact that there is no 100%
effective solution, and that users employ different criteria when it comes to classifying certain types of
e-mail as spam, a fine filter solution is added. Whenever users receive a mail in their inbox, which
they consider spam, they must tag it as such in the e-mail visual display unit, thereby generating a
series of personal lists of what the user considers as being blocked senders and secure senders. The
administration of these lists (black and white) must be the responsibility of each user and not affect
other users.

The filtering techniques and the corporate usage policy are reflected on the corporate webpage:
http://www.gmv.com/mail_policy.htm. This page must be referenced each time an e-mail is filtered
and rejected, and the sender thereof must be informed why his/her mail was rejected. The reason for
this referencing procedure is the prevention of false positives (legitimate mails being considered as
spam).

4.5.2.4. Internal E-mail Abuse

Users are strictly prohibited from performing the following actions from the internal mailboxes with
which they are assigned:

1. The distribution of unsuitable content.

Content that is illegal by nature (everything that constitutes complicity with criminal acts). Examples:
the defence of terrorism, pirate programs, threats, fraud, pyramid schemes, viruses or any sort of
hostile code.

The sending of chain letters or messages that are excessively bulky or addressed to multiple recipients
via the e-mail account, be it locally or to outside the Organisation.

2. Distribution via unauthorised channels.

The unauthorised use by users of an external e-mail server for resending their own mail. Although the
message itself may be legitimate, external resources are being used without permission.

Therefore, users must be notified as to all of the configuration parameters, including those servers
they must use for the sending and reception of messages, when they obtain an e-mail account.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 18 of 29

3. Unauthorised mass distribution.

The use of internal or external e-mail accounts for the mass distribution of e-mail messages that have
not been requested by the addressee be they advertising or non-advertising is not permitted. This
activity can be construed as a violation punishable be law and represents inappropriate use of the
GMV Organisation’s resources.

4. The unauthorised use of an external list (of which the user is neither owner nor publisher) for the
sending of any type of messages.

5. The use of the list of which the user is owner/publisher for the sending of messages whose content
does not correspond to the purpose of the list. This applies to the general lists of the corporation such
send birthday greetings to all@gmv.com list).

6. Attacks designed to hinder the service or render it useless.

These might target a specific user or the mail system itself. In both cases, the attack consists of
sending a large number of messages per second, or any variant thereof, with the aim being to
paralyse the service either by saturating the lines, reducing the capacity of the server’s CPU or limiting
the server’s or user’s disc space.

Responsibility for this type of abuse maybe the result of action or omission, as a there is a great deal
of software that generates e-mail messages automatically and furnishes them with an inappropriate
configuration that might result in a loss of quality throughout the general service.

7. Specific rules governing the use of internal lists (netiquette). There are a number of rules written
and published by the Marketing Department with respect to the style of e-mail communications.
Furthermore, users must always ask themselves whether the message they wish to send to the
internal list is of interest to all of the addressees. If the answer is “no” or “I don’t know”, it must not
be sent.

4.5.2.5. E-mail Server and Distribution List Filtration Rules

Each email with attached file including an extension such as those described below must not be delivered to the
addressee because it might contain a virus. The server will generate a warning message for the addressee
notifying him/her this condition with a copy of the GMV Organisation’s e-mail server filtration rules policy.
The filtered extensions are obtained from the following Microsoft security recommendation: Microsoft Security
Advisory (ordered by the extensions of the attached messages). This filter applies to both internal and external
e-mails.

File Extension and Description:

ADE Microsoft Access Project Extension
ADP Microsoft Access Project
APP
ASD
ASF
ASX Windows Media Audio / Video
BAS Microsoft Visual Basic Class Module
BAT Batch File
CHM Compiled HTML Help File
CMD Microsoft Windows NT Command Script
COM Microsoft MS-DOS Program
CPL Control Panel Extension
CRT Security Certificate
DLL

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 19 of 29

EXE Program
FXP
HLP Help File
HTA HTML Program
HTO
INF Setup Information
INI
INS Internet Naming Service
ISP Internet Communication Settings
JS JScript File
JSE JScript Encoded Script File
LIB
LNK Shortcut
MDA Microsoft Access Add-in Program
MDB Microsoft Access Program
MDE Microsoft Access MDE Database
MDT Microsoft Access Workgroup Information
MDW Microsoft Access Workgroup Information
MDZ Microsoft Access Wizard Program
MSC Microsoft Common Console Document
MSI Microsoft Windows Installer Package
MSP Microsoft Windows Installer Patch
MST Microsoft Windows Installer Transform, Microsoft Visual Test Source File
OCX
OPS Office XP Settings
PCD Photo CD Image, Microsoft Visual Compiled Script
PIF Shortcut to MS-DOS Program
PRF Microsoft Outlook Profile Settings
PRG
REG Registration Entries
SCF Windows Explorer Command
SCR Screen Saver
SCT Windows Script Component
SHB Shell Scrap Object
SHS Shell Scrap Object
SYS
URL Internet Shortcut
VB Vbscript File
VBE Vbscript Encoded Script File
VBS Vbscript File
VCS
VXD
WMD
WMS
WMZ
WSC Windows Script Component
WSF Windows Script File
WSH Windows Scripting Host Settings File

4.5.2.6. Activating and Deactivating E-mail Accounts

Inappropriate use or abuse with the e-mail service might cause the temporary or permanent
deactivation of the e-mail accounts. Such actions might be performed in accordance with those
incidents that may represent a problem for the smooth operation of the service.
Deactivation of email account inherently implies higher-level management staff and should be notified
about the incident. This special committee will decide whether the account is permanently deleted or
reactivated.

While an account is deactivated, it is impossible to receive new emails until it is reactivated.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 20 of 29

In any case, e-mail account activation and deactivation policy must be implemented in accordance
with the type of incident caused and the final resolution adopted.

4.5.3. INFECTION THROUGH MAIL

To avoid infection risks over our laptops/desktops through email we must always follow the following
indications:

NEVER open mails with suspicious appearance. That means:

- Do not trust unknown senders.
- These emails often includes attachments. Do not even open or click on the link!
- Sometimes body email content presents an unnatural writing (created by automatic translator).
- False links that points to another addresses to which the text indicates.
- Request too much personal information.
- No one gives anything by email. Be suspicious if you think it is your lucky day!

IT department provides a platform to train all users against email fraud, monitoring and following up
of training courses. Awareness campaigns will be done for all users to keep alert about the fraud risk.

In case of any suspected email, users should report it to IT department to be analysed and take the
corrective applicable actions. The report will be done using the fraud email report button installed in
the outlook program and OWA tool (emails readers).

4.6. WEB ACCESS USAGE

4.6.1. DEFINITION OF THE SERVICE

The term web access system refers to the set of mechanisms needed for accessing internal and
external servers that make use of the HTTP protocol as defined in RFC Standards 1945 and 2068.

4.6.2. WEB SERVICE ACCESS CRITERIA

Internet web access can be done from any laptop/desktop connected to the GMV Organisation’s
network. The configuration data is different for each office or branch and it is automatically configured
via the Active Directory directives. This particular configuration is transparent to each user. A roaming
mechanism has been provided in such a way that any piece of equipment that is moved from one
office to another automatically configure the specific data needed to allow access to the web from its
new location once the connection is established.

On forcing the configuration required for each work centre, the browser proxy option is activated in
the customer http for both standard browsing (http) and secure browsing (https). This proxy server
(one per each office location) establishes a series of filters to disable browsing for non-work specific
content, such as sex, games, etc. The same set of filters is used in all the corporate proxies, thereby
ensuring that the restrictions policy is the same throughout the entire GMV Organisation.

With independence of the efficiency of the filters, users are responsible to:

 Not engaging in activities that have nothing whatsoever to do with their professional functions.
 Not engaging in activities that generate economic benefits of a personal nature for the user.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 21 of 29

 Not accessing pornographic publications or leisure and entertainment sites such as horoscopes,
beauty, gossip, jokes, etc.
 Not engaging in the mass printing of information downloaded from the Internet without the due
authorisation.
 Not indulging in individual or group games or downloading gaming applications onto their IT
equipment.

4.6.3. USE OF WEB SERVICES

Users should have special care when using some web services such online language translators, file
converters (word->pdf, etc) to include information which should not bring out from internal network
nor being shared with third parties.

Confidential information will not never inserted into any web browser or other external application
from outside of GMV network without the authorization of IT department.

4.6.4. EXCEPTIONS

Filtering of web contents visited via the corporate network is obligatory. However, it is possible for the
filters application to partially or totally disabled, if necessary for professional reasons but only with the
authorisation of the relevant Head of Department or Project Manager.

Official web browser ports are the 80 for the non-secure version and the 443 for the secure version.
These corresponds to the standard web browser ports. In the event of the Head of Department or
Project Manager justifiably refuse to disable partially or totally the filter application, the user shall be
entitled to request to IT Department to study possible alternatives.

4.6.5. WEB ACCESS CLIENTS

Web access browser supported by IT Department is Microsoft Internet Explorer, which meets the
minimum requirements acceptable with respect to compatibility with the services deployed, plug-in
support (java, flash, etc.) and the adequate support of digital certificates for secure browsing.

In order to prevent unnecessary traffic, the web browsers (Explorer) must remain closed except when
they are going to be used, taking into account the fact of certain dynamic sites generate automatic
connections that are out of the user’s control.

4.6.6. USING THE WEB ACCESS SERVICE CORRECTLY.

User responsibilities:

4.6.6.1. It is the responsibility of users to restrict their browsing activities to those sites and pages
related to their professional activity.

4.6.6.2. Users are responsible for all the problems that might arise due to the inappropriate
downloading of files from remote websites.

4.6.6.3. Users must correctly manage the cookies stored in their computers given that these might
present a security problem for them and the organisation itself.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 22 of 29

4.6.6.4. Users must manage the validation data in a responsible manner and ensure that all the
generated information is deleted if the used machine is for collective use. Any unlawful access gained
to this data for this reason shall be the responsibility of the user.

4.6.7. ABUSIVE USE OF THE WEB ACCESS SERVICE

Expressly prohibited actions by users:

4.6.7.1 Using Unauthorised Access Proxies

A proxy is a piece of equipment that acts as a causeway between the users and another server. The
unauthorized use of this type of software for obtaining a connection and eluding the content filter in
the corporate proxies constitutes an extremely serious violation which in the first instance might result
in that machine being blocked without detriment to another type of subsequent measures.

4.6.7.2 The Mass Downloading of Files

Using the web service for the indiscriminate downloading of large-sized files can result in a dramatic
loss of service quality, which in many cases might lead to a service denial scenario.

IT Department reserves the right to be able to block the access to those IP addresses who generates
an extremely high quantity of unjustified traffic.

The downloading of software protected by copyright or material that might be carrying a virus or
launch an attack against the integrity of the systems is totally prohibited.

Likewise, it is absolutely prohibited to use peer-to-peer programs like emule, BitTorrent, muTorrent,
etc.

4.6.7.3 The Encapsulation of Protocols

Use of software or applications that encapsulate protocols over http, use of reverse tunnels, etc in
order to dodge the existing restrictions at firewall level are strictly prohibited and constitutes a serious
violation of the corporate network’s integrity.

4.6.7.4 The Use of Customer-based Software that Modifies the Headers

The use of software that intentionally modifies the headers of the http requests are strictly prohibited
in order to prevent the proxies from functioning correctly.

4.6.7.5 Attacks aimed at Hindering or Blocking the Service

The generation of a high number of simultaneous requests or the downloading of very bulky files
constitutes a service denial attack that drastically reduces the quality of the web access service.

IT Department reserves the right of temporarily filter those addresses from which any activity of this
type is being carried out.

4.6.7.6 The Use of Public Instant Messaging Programs

The risk associated with this type of applications, which encapsulate everything from chat-type
communication tools to presence control public voice communications programs means that any
possibility to use from inside the corporate network must be eliminated. Only authorized corporate
instant messaging programs can be used.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 23 of 29

Although IT Department has now incorporated specific filters in order to make it impossible for
employees to communicate using public instant messaging systems, it must be emphasized that the
use of these applications are strictly prohibited. In the event of there being no filtration mechanisms
or of these being ineffective, the user will be responsible in the case of non-compliance.

Special care in the use of social networks and collaborative tools utilization. Use of them must be
related with work environment. Personal use is not allowed.

4.6.8. ACTIVATING AND DEACTIVATING THE WEB ACCESS

Deactivation of restrictions upon the web access could be carried out under the criteria of IT
Department in the event of this causing one or other of the suppositions indicated in point 6 and when
these actions represents a danger to the security of the corporate network or a deterioration of the
service for the rest of the users.

Deactivation or application of permanent restrictions in the web access could be decided upon in those
cases that, due to recurrence or severity, they are deemed opportune.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 24 of 29

4.7. EXTERNAL ACCESS USAGE

Access to certain services or even access to the internal network can be allowed for certain user´s prior
authorization from the responsible of the user. Those access rights will be protected against unauthorized
access using secure protocols (encryption, etc.) and defined by IT Department.

The criterion for publishing resources from outside must always follow the criterion of "need to get access" and
in any case, it should not be considered such a privilege.

Those accesses may be locked or even terminated by IT Department criteria in case of abuse or improper use
or once a security risk or degradation of the corporate network or service is detected.

The deactivation of those accesses may be made in cases of temporary sick leave where the period exceeds
intermittent or continuously four months. Responsible of the user can expressly solicit to continue with the
external user access through a special request to I.T. department.

Permanent deactivation of those accesses may be determined in those cases that risk situations or damages are
relapsed by the user.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 25 of 29

5. COPYRIGHT
All software available within the GMV Group can only be used on equipment for which they are licensed.
Make unauthorised copies of software programs is not allowed. Likewise, as stated above, it is totally
prohibited to install commercial products in equipment owned by the GMV Organisation without the
corresponding usage licences. All of the licences of the programs installed are stored and safeguarded
by IT Department.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 26 of 29

6. APPLICATION OF AND COMPLIANCE WITH THE POLICY

GMV Organisation, by virtue of the management capacity bestowed upon it by the Spanish
Constitution, including monitoring and control capacity bestowed upon it by the Spanish Workers'
Statute, establish those mechanisms, which it deems to be adequate. All of them are part of the policy
established within this document in strict compliance with the legislation currently in force.

The rest of applicable laws in all countries where GMV has presence and related with workers and IT
management applies in the same way than Spanish legislation.

The members of IT Department shall be entitled to access, only for maintenance and/or security
reasons, those user files that enable the administrators to detect, analyse and follow the traces of a
certain session or connection. Whatever the case, the systems administrators are bound to keep the
content of the user´s files secret and are not authorised to permit third parties to access them.

Systems administrators are entitled to allow third parties (Project Managers, Director, Senior
Managers, etc.) access to certain files of other users, but in order to do so they must have the
approval of GMV General Director (CEO) or any person delegated thereby for these purposes.

These actions always must be done from the company's offices and during working hours.

The aim behind the inspection of records regarding accesses, the use of resources, web browsing, use
of the e-mail service and all other IT media must be the protection of the company’s assets and those
of the workers themselves. Inspections can be carried out at any time if the following suspicions can
be justified:

 A drop in the performance and productivity of a workstation.

 The appearance of costs incurred by non-compliance with the IT media usage policy.
 The existence of viruses and malware in e-mails, unsecured browsing procedures and files.
 Prestige and public image of the company might be compromised.
 A leak of corporate, confidential information.

In order to ensure that the IT media usage policy is fulfilled and understood, IT Department must publish
this document in electronic format and Human Resources Department must distribute a disclaimer form,
which must be initially signed by all users of IT media, and subsequently by anyone joining the company.
This disclaimer form is included in point 8 of this document.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 27 of 29

7. THE CONSEQUENCES OF NON-COMPLIANCE

In the event of any of the aforementioned rules being broken, or of any other type of abuse of the
resources of the GMV Organisation resulting in damage to other users or to the security or integrity of
the systems, the responsible will be warned of the situation. If this warning is ignored, IT Department
must not only notify the authorities within GMV Organisation of the facts so that the suitable
disciplinary or administrative measures can be adopted, but also proceed to deny the user in question
further access to any of the GMV Organisation’s resources if deemed necessary.

Non-compliance with this policy might result in penalties against the user that could even include
disciplinary dismissal by applying articles 54.2.b, ‘Indiscipline or Disobedience in the Workplace’ and
54.2d, and/or ‘Transgression of Contractual Good Faith and Abuse of Confidence whilst Performing
One's Work' of the Spanish Workers’ Statute.

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 28 of 29

8. DISCLAIMER

DEED OF COMMITMENT WITH RESPECT TO COMPLIANCE WITH THE IT MEDIA

USAGE POLICY OF THE GMV CORPORATION

In light of that expressed in the IT Media Usage Policy document, I, in my capacity as

employee, with National Identity Document No. _______________ , do declare that I have
read and do fully understand the IT media usage rules and policies.

Likewise, I recognise that any non-compliance on my part could result in public liability and
criminal charges being brought not only against myself, but also against the GMV
Organisation.

For this reason, I hereby accept that I can be punished by the Organisation accordingly,
which could entail the termination of my working relationship with the GMV Organisation
without detriment to the application of any respective public liability and/or criminal
charges.

Signature: _____________________

User: ___________________

Date: ___________________

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY

 Code: DEP_08-10
Date: 13/04/2020
Version: 1.5
Page: 29 of 29

END OF DOCUMENT

 GMV, 2020; all rights reserved IT MEDIA USAGE POLICY