Integrated Cybersecurity and Privacy Policy

 

 

Introduction and Regulatory Reference

 LAST Technology Srl recognizes the critical importance of cybersecurity and personal data protection as foundational pillars for maintaining the trust of customers, employees, and stakeholders. This policy outlines Management’s commitment to implementing an integrated Cybersecurity and Privacy framework that safeguards IT systems, corporate information, and personal data in compliance with EU Directive 2022/2555 (“NIS2”), the GDPR (EU Regulation 2016/679), Legislative Decree 138/2024, and other applicable legal requirements.

 

Objectives

The adoption of an integrated cybersecurity and privacy framework aims to:

• Protect company information and personal data from unauthorized access, alteration, disclosure, or destruction;
• Ensure the confidentiality, integrity, and availability of data and IT systems;
• Maintain business continuity by minimizing risks related to cybersecurity and personal data protection;
• Achieve full compliance with current cybersecurity and data protection regulations;
• Enhance awareness and responsibility among all employees regarding information security and privacy protection;
• Actively contribute to strengthening cybersecurity and privacy at both national and EU levels, thereby protecting society and the market.

Scope

This policy applies to all employees, collaborators, suppliers, and third parties who access LAST Technology’s IT systems and personal data, regardless of their location or the nature of their contractual relationship.

 

Cybersecurity and Privacy Principles

LAST Technology is committed to implementing appropriate and proportionate technical, organizational, and procedural measures to:

• Manage risks associated with the security of IT systems and networks involved in its operations and service delivery;
• Protect personal data in accordance with the GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, integrity, and confidentiality;
• Prevent, detect, and promptly respond to security incidents and personal data breaches through established incident management plans and notification procedures;
• Enforce suitable access controls, monitoring, and encryption policies;
• Foster a culture of security and privacy awareness through continuous training and updates for all personnel;
• Conduct ongoing risk assessments and continuously enhance security and data protection measures.

 

Responsibilities and Roles

• Company Management: Defines the strategy and guidelines for cybersecurity and privacy, allocates responsibilities and resources, and approves and monitors the implementation of this integrated policy;
• Integrated Management System Manager (RESP-SGI): Oversees regulatory compliance and drives continuous improvement activities;
• IT and Cybersecurity Personnel: Implement, monitor, and maintain technical protection measures;
• Employees and Collaborators: Adhere to company policies, participate in training programs, and promptly report any anomalies or security incidents;
• Suppliers and Third Parties: Comply with equivalent security and privacy standards and are subject to periodic audits and monitoring.

 

Training and Awareness

LAST Technology commits to providing regular, targeted training on cybersecurity and personal data protection to ensure all staff are aware of and properly apply relevant policies and procedures.

 

Monitoring, Review and Improvement  

The enforcement of this policy will be regularly monitored and updated in response to changes in legislation, technology, or context. Management pledges to the continuous enhancement of the company’s cybersecurity and privacy posture to protect assets, ensure regulatory compliance, and reinforce stakeholder trust.

 

Prata di Pordenone, May 9, 2025 Management