1. PURPOSE

Uniline has adopted a Data Security Policy as an umbrella document providing a framework for the information security management system. The information security policy defines the basic principles and responsibilities with regard to the information security management system. Uniline's pursuit of business activities depends on the proper functioning of the information system. The role of the information system is to enhance our employees' productivity and efficiency of the business process, and Uniline considers information to be a sensitive and vital asset. The information security management system is established to protect information from threats jeopardising data confidentiality, integrity and/or availability in order to ensure business continuity, reduce business risk and increase profits from business opportunities.

2. OBJECTIVE

The objective of this Policy is to establish a framework for information security management system that will mitigate the impact of security incidents and protect our information assets (data, information systems, documents, data storage media, telecommunications equipment and appliances, workplace, market position, employees), operational continuity, intellectual and material property, and legal and business interests, from damages and losses caused by internal or external, intentional or accidental, fraudulent, misdemeanour and criminal acts, for the purpose of protecting Uniline's business continuity.

2.1. Scope of application

The provisions of the Data Security Policy and all other security rules and procedures arising from this Policy have to be observed by all users of Uniline's information system, employees, all people who temporarily provide contractual services, and all Uniline's external associates or partners that have access to information system resources.

2.2. Responsibilities

The Management Board adopts policies, rules and procedures, and other implementation documents that lay down detailed provisions regarding the information security, the modality of use and the implementation of information system security programmes. The head of the IT department proposes to the Management Board security standards and procedures resulting from the security policy and controls the application and the implementation of the security measures he/she is in charge of. The coordinator of the IT department coordinates the setting of security goals and their implementation and is in charge of the creation and review of the Data Security Policy proposed by the head of the IT department to the Management Board for approval. All employees and external associates of Uniline are obliged to comply with the principles set out in this Policy and all other documents arising from the Data Security Policy, and they are obliged to report any failures or incidents they happen to notice. Any Uniline's employee's failure to comply with the provisions of the Data Security Policy and the related policies, rules, procedures and instructions will be deemed a breach of his/her employment contract which may constitute a cause for disciplinary action, termination of the employment contract due to employee's fault, or immediate termination of employment. Any failure to comply with the provisions of the Data Security Policy and the related policies, rules, procedures and instructions by Uniline's external associates or partners will be deemed a breach of contractual obligation which may constitute a reason for termination or cancellation of the respective contract.

3. PRINCIPLES OF INFORMATION SECURITY

Risk identification, assessment, analysis and processing provide the basis for proper functioning of the information security system. The information system risks are assessed on an annual basis in order to identify changes in the types of threats to the information system and accordingly to consider changes in the organisation itself. Uniline will base the risk assessment and processing upon a methodology in compliance with statutory and regulatory provisions, international standards and best global practices. In order to prevent infringement of data confidentiality, integrity and availability, Uniline develops procedures for protection of information and data that are generated, downloaded, processed, stored or transferred through Uniline's information system resources, all in compliance with the relevant statutory, regulatory and contractual obligations. Information system users must familiarise themselves with the modality of proper use of Uniline's information system through documented instructions, safeguards and security measures in the respective field of activity. Training is conducted for all new and existing Uniline's employees in order to provide skilled and motivated employees and to reduce the risk of theft, fraud and abuse of information system resources. To reduce the adverse impact on the allocation of resources, the distribution of hardware and software and their maintenance, the identification and location of assets, and the security of its information system, Uniline properly manages the information system assets. The information system should be properly protected, hence Unline takes appropriate measures for protection of its people, premises and assets, prevention of unauthorised physical and logical access, damage to premises and trespassing, protection of information in networks and the supporting network infrastructure, and applicable information system services. Management of the business continuity is one of Uniline's strategic interests in order to protect its business processes from major interruptions, disasters or unwanted events and to implement as soon as possible the subsequent recovery operations. For this purpose, Uniline will ensure a reliable backup storage for key information resources, develop disaster management recovery plans and procedures, and take all necessary measures to get prepared for a timely and competent response to security incidents that may affect information system resources. Uniline's external associates and relevant third parties that access its information system must be aware of the provisions of this Policy, thus formally accepting their share of responsibility regarding the maintenance of an acceptable security level of the information system. In order to ensure compliance with and implementation of the above principles as well as support of Uniline's business objectives with efficient use of information system resources, Uniline will manage the information system while bearing in mind Uniline's strategic orientation, setting up an effective reporting system and ensuring compliance with statutory, regulatory and contractual obligations as well as the requirements of international standards in the field of information security management system.

4. APPENDICES

Unline's documents listed below are an integral part of the Data Security Policy:

- Password Policy

- Data Retention Policy

- Bring Your Own Device Policy (BYOD)

- Decision on Log Storage

- Decision on Video Surveillance

5. FINAL PROVISIONS

This Policy will be available to all users of Uniline's information system.