CONTENT INDEX
VERSION RECORD
- DOCUMENT OBJECTIVE
- ENTITY IDENTIFICATION
- INTRODUCTION TO RISK ANALYSIS AND MANAGEMENT
- SCOPE OF RISK ANALYSIS AND MANAGEMENT
- METHODOLOGY OF RISK ANALYSIS AND MANAGEMENT
- POTENTIAL RISK SCENARIOS
- RISK ANALYSIS IN INFORMATION SOCIETY SERVICES AND ELECTRONIC COMMERCE
- INITIALLY PLANNED MEASURES
- ESTIMATION OF INITIAL RISK LEVEL
- MEASURES PROPOSED TO TREAT THE INITIAL RISK
- ESTIMATION OF RESIDUAL RISK LEVEL
- CONCLUSIONS AND RECOMMENDATIONS
VERSION RECORD
| Business Name | Tax ID | Version |
|---|---|---|
| AK ORAL ESTUDIO, S.L.P | B44650661 | 1.00 |
| Acronym | Creation Date | |
| ARLSSI_AK ORAL ESTUDIO, S.L.P | February 16, 2024 | |
| DESCRIPTION | | |
| Identification, analysis, assessment, and management of risk points associated with compliance with the regulations of Information Society Services and Electronic Commerce | | |
1. DOCUMENT OBJECTIVE
The objective of this document is to identify, analyze, assess, and manage the risk points associated with compliance with the regulations of Information Society Services and Electronic Commerce. Additionally, the document contains procedures, guidelines, and recommendations to manage the risk to which AK ORAL ESTUDIO, S.L.P will be subjected and must face.
Therefore, this document aims to analyze and assess potential risk scenarios that may threaten AK ORAL ESTUDIO, S.L.P, evaluate the necessary corrective factors to mitigate, as far as possible, these risks, and thus guarantee compliance in the field of Information Society Services and Electronic Commerce.
Finally, it is important to highlight that this document will be kept updated at all times and will be reviewed whenever relevant or substantial changes occur in the activities developed by AK ORAL ESTUDIO, S.L.P.
2. ENTITY IDENTIFICATION
| Business Name | AK ORAL ESTUDIO, S.L.P |
|---|---|
| Tax ID | B44650661 |
| Address | COMANDANTE BENITEZ, 16, 08028 BARCELONA (BARCELONA) |
| Professional Activity | AK ORAL ESTUDIO, S.L.P dedicates its main activity to: DENTAL CLINIC |
| Geographical Area of Operation | AK ORAL ESTUDIO, S.L.P operates within the geographical area of the European territory. |
AK ORAL ESTUDIO, S.L.P has no subsidiaries or other companies within its corporate structure.
3. INTRODUCTION TO RISK ANALYSIS AND MANAGEMENT
AK ORAL ESTUDIO, S.L.P considers risk analysis and management as an essential part of the security process within its organization.
Risk analysis and management will allow maintaining a controlled environment, minimizing risks to acceptable levels for the entity. The reduction of these levels will be carried out through the deployment of security measures or controls, which will establish a balance between the actions taken by AK ORAL ESTUDIO, S.L.P, the risks to which they are exposed, and the security measures or controls adopted.
Consequently, AK ORAL ESTUDIO, S.L.P identifies and evaluates its risks in the area of Information Society Services and Electronic Commerce, relating them to its activities, products and/or services, or relevant aspects of its operations with the aim of identifying situations where non-compliance with the mentioned regulations may occur and establishing an assessment and prioritization of risks to classify them in a way that allows the organization to make decisions and thus favor the adoption of preventive measures, actions, and controls.
In this regard, the organization must articulate and demonstrate its continuous commitment to risk management, which should include:
- The organization’s purpose for managing risks and the links between that purpose, its objectives, and other related policies.
- Reinforcement of the need to integrate risk management throughout the culture of the organization itself.
- Leadership in integrating risk management into the main business activities and decision-making.
- The assignment of responsibilities, together with the obligation to be accountable where necessary.
- Availability of the necessary resources.
- How conflicting objectives are to be handled.
- Review and improvement of the risk analysis.
Also, in line with the above, commitment to risk management should be communicated to the entire organization as well as to interested/affected parties appropriately, ensuring comprehensive communication with the highest possible transparency.
4. SCOPE OF RISK ANALYSIS AND MANAGEMENT
AK ORAL ESTUDIO, S.L.P must determine the limits and applicability of risk analysis and management in the area of Information Society Services and Electronic Commerce and thereby establish its scope.
Likewise, it is essential and fundamental that the organization’s management is fully involved without reservations in the process of conducting risk analysis and management in the area of Information Society Services and Electronic Commerce, aiming to detect, correct, manage, etc., risks linked to regulatory compliance and thus achieve defined objectives and milestones, leading the process with a committed and evident attitude that allows adopting a culture of compliance within the organization.
On the other hand, consistent with the previous paragraphs, the regulatory scope of the measures and/or controls planned within the Risk Analysis aims for AK ORAL ESTUDIO, S.L.P to have the appropriate tools to comply with the following regulations:
- Directive 2000/31/EC of the European Parliament and of the Council, of June 8, 2000, on certain legal aspects of information society services, in particular electronic commerce in the internal market.
- Organic Law 34/2002 of July 11, on Information Society Services and Electronic Commerce.
- Guide on the Use of Cookies. AEPD, June 2022.
- Law 9/2014, of May 9, General Telecommunications Law.
- Law 7/1996, of January 15, on Retail Trade Regulation.
- Legislative Royal Decree 1/2007, of November 16, approving the consolidated text of the General Law for the Defense of Consumers and Users and other complementary laws.
- Law 56/2007, of December 28, on Measures to Promote the Information Society.
- Law 7/1998, of April 13, on General Contracting Conditions.
- Law 3/2014, of March 27, amending the consolidated text of the General Law for the Defense of Consumers and Users and other complementary laws.
5. METHODOLOGY OF RISK ANALYSIS AND MANAGEMENT
Risk analysis and management correspond to the first phase an organization should carry out to improve its security in the area of Information Society Services and Electronic Commerce.
It is worth noting that a risk analysis and management process provides information and not a security measure or control as such. That is, performing the action or process itself will not prevent AK ORAL ESTUDIO, S.L.P from suffering security incidents and/or non-compliance in Information Society Services and Electronic Commerce, but will allow identifying threats and vulnerabilities to which the organization will be exposed.
In any case, it is clear that it will be much easier for the entity to protect itself from those situations representing a higher risk if it properly identifies, analyzes, and manages the potential risks to which it is exposed in the area of Information Society Services and Electronic Commerce.
Currently, there are different methodologies to perform risk analysis and management. Each has different characteristics, advantages, and disadvantages, but basically all are based on very similar processes and work on the same elements.
Also, depending on the objectives to be achieved, the approach and scope of the analysis itself, and the risks to which the organization is subjected, each entity will choose a specific risk analysis and management methodology.
All of this must be connected with the fact that risks can be variable, both regarding probability and severity. Therefore, when selecting and applying technical and organizational measures, the following must be taken into account:
- The probability that the situation putting the organization at risk will occur.
- The severity of the consequences if the situation putting the organization at risk occurs.
AK ORAL ESTUDIO, S.L.P has estimated the risk level or risk zone for groups of risks as a whole where, by their nature, they can be combined. Risk identification and analysis should make it possible to determine whether a high risk exists and whether the planned measures mitigate it or, on the contrary, it remains uncontrolled.
For this purpose, once AK ORAL ESTUDIO, S.L.P has identified all initially planned measures, it will assess the probability and severity that the risk occurs. This provides information on the initial risk level of each Potential Risk Scenario (hereinafter, PRS) and, if appropriate, of each risk group, and will allow developing an initial risk scenario that evaluates them in relation to the risk quantification formula (RISK = Probability x Severity) and thus adopt corrective measures that allow the organization to manage and/or treat the risks.
PROBABILITY ASSESSMENT
AK ORAL ESTUDIO, S.L.P has mainly considered two general criteria: on the one hand, how the planned measures can reduce the probability and, on the other hand, how often the potential risk scenario has occurred before.
A risk situation is unlikely to occur when several measures have been planned as “lines of defense,” that is, if one fails there is always another preventing the undesired event.
A risk situation is unlikely but possible to occur when several measures have been planned as “lines of defense,” that is, if one fails there is another that can prevent the undesired event, but not in all cases.
A risk situation is likely to occur when measures to reduce the probability are not planned as “lines of defense,” that is, if one fails the rest cannot prevent the undesired event.
A risk situation is very likely to occur when only one measure to reduce its probability has been planned and there is at least one known case in which the undesired event has occurred. The combination of these factors makes this potential risk scenario very likely.
A risk situation is considered imminent when no measures have been planned to reduce its probability and there are several known cases in which the undesired event has occurred. The combination of these factors leads us to consider that the organization’s actions could be affected by this potential risk scenario imminently.
Below is a summary of the criteria AK ORAL ESTUDIO, S.L.P has taken into account for risk assessment in the area of Information Society Services and Electronic Commerce related to probability.
| PROBABILITY | | | | | |
|---|---|---|---|---|---|
| Description | Unlikely | Unlikely but Possible | Likely | Very Likely | Imminent |
| Several measures planned | • | • | | | |
| Some measures planned | | | • | | |
| Only one measure planned | | | | • | |
| No measures planned | | | | | • |
| All measures form a line of defense | • | | | | |
| Some measures form a line of defense | | • | | | |
| Measures do not form a line of defense | | | • | | |
| The undesired event has never occurred before | • | • | | | |
| The undesired event has occurred before | | | • | • | |
| The undesired event has occurred several times before | | | | | • |
SEVERITY ASSESSMENT
AK ORAL ESTUDIO, S.L.P has mainly considered the material or moral damages that the risk may cause to the affected persons, as well as the deprivation of their rights or freedoms.
A risk situation will be considered irrelevant when it does not cause material, immaterial, or moral damage or harm to the organization or affected persons, nor deprives them of their rights or freedoms. Therefore, the consequences focus on minor formal deficiencies with practically imperceptible effects, usually related to the material obligations of the entity, and can be corrected with easily implemented measures.
A risk situation will be considered minor when it does not cause material, immaterial, or moral damage or harm to the organization or affected persons, nor deprives them of their rights or freedoms. Therefore, the consequences focus on minor material deficiencies with minimal effects, usually related to the material obligations of the entity, which can be corrected with easily implemented measures.
A risk situation will be considered serious when it may cause material, immaterial, or moral damage or harm to the organization or affected persons, difficult to repair or that may partially deprive them of their rights or freedoms. Therefore, the consequences focus on regulatory compliance deficiencies that can be corrected by implementing or improving the effectiveness of existing measures.
A risk situation will be considered significantly serious when it may cause material, immaterial, or moral damage or harm to the organization or affected persons, difficult to repair or that may totally deprive them of their rights or freedoms. Therefore, the consequences focus on regulatory compliance deficiencies that can be corrected by implementing new or improved measures, although this implies some difficulty for the entity.
A risk situation will be considered extremely serious when it may cause material, immaterial, or moral damage or harm to the organization or affected persons, impossible to repair or that may totally deprive them of their rights or freedoms. Therefore, the consequences focus on regulatory compliance deficiencies for which there are no measures to implement or, if any, require disproportionate efforts by the entity.
Below is a summary of the criteria AK ORAL ESTUDIO, S.L.P has taken into account for risk assessment in the area of Information Society Services and Electronic Commerce related to severity.
| SEVERITY | | | | | |
|---|---|---|---|---|---|
| Description | Irrelevant | Minor | Serious | Significantly Serious | Extremely Serious |
| No damage or harm occurs | • | • | | | |
| Some damage or harm occurs | | | • | • | • |
| Damage or harm is difficult to repair | | | • | • | |
| Damage or harm is impossible to repair | | | | | • |
| No deprivation of rights or freedoms | • | • | | | |
| There is deprivation of rights or freedoms | | | • | • | |
| There is total deprivation of rights and freedoms | | | | | • |
| Involves a minor formal deficiency | • | | | | |
| Involves a minor material deficiency | | • | | | |
| Material obligations are not met | • | • | | | |
| Rights and principles obligations are not met | | | • | • | • |
| Measures can be easily implemented | • | • | | | |
| Measures can be implemented | | | • | | |
| Measures are difficult to implement | | | | • | |
| Measures require efforts | | | | | • |
MATRIX OF POTENTIAL RISK SCENARIOS
In order to graphically determine the control status of the identified risks in the area of Information Society Services and Electronic Commerce, taking into account the probability and severity assessment detailed in the previous sections of this document, AK ORAL ESTUDIO, S.L.P will use the following matrix to establish whether the risks are uncontrolled, mitigable, tolerable, acceptable, or controlled:
Potential risk scenarios assessed with a level higher than 2 must be considered unacceptable risks and, therefore, measures must be applied to reduce this risk level.
When the level is equal to 2, the risk is tolerable, but attention must be paid to the effectiveness of the planned measures. Therefore, it is advisable to address these risks to try to lower their level.
When the level is below the value 2, the risk is acceptable, since the organization’s activities are carried out under reasonably controlled risk conditions. We must be alert to possible variations of this risk and review the effectiveness of the measures implemented, but from a risk analysis point of view, they do not need to be treated.
To do this, AK ORAL ESTUDIO, S.L.P uses a value scale that allows the risk level being evaluated to be defined as precisely as possible.
AK ORAL ESTUDIO, S.L.P uses a scale from 1 to 5 to rate the level of each potential risk scenario.
Below, and to graphically show the content of the actions carried out in the Risk Analysis and Management report, the following flowchart of the mentioned report is shown:
6. POTENTIAL RISK SCENARIOS
AK ORAL ESTUDIO, S.L.P has taken into account the following enumeration of specific Potential Risk Scenarios (hereinafter, PRS) in the area of Information Society Services and Electronic Commerce.
This is a list of risk situations that may appear on web pages owned by AK ORAL ESTUDIO, S.L.P and/or in the advertising communications made by it. They have also been structured according to whether they are risks that may affect advertising communications and, in the context of a web page, if they are risks that affect the cookie policy, legal notice/terms of use, privacy policy, website security, or obligations derived from electronic commerce.
Below is the basis of the specific potential risk scenarios that AK ORAL ESTUDIO, S.L.P has taken into account in the area of Information Society Services and Electronic Commerce:
INFORMATION SOCIETY SERVICES AND ELECTRONIC COMMERCE
Risk scenarios that may affect ADVERTISING COMMUNICATIONS
| Code | Description |
|---|---|
| RCP.01 | No express and prior consent is requested from recipients to carry out electronic advertising communications |
| RCP.02 | Making it difficult to revoke consent or exercise the right to object to receiving advertising communications and/or promotional mailings |
| RCP.03 | Users of the website are not informed about data collection in forms for commercial advertising purposes |
Risk scenarios that may affect the COOKIE POLICY
| Code | Description |
|---|---|
| RPC.01 | No cookie policy is available |
| RPC.02 | No information is provided about the use of cookies and/or consent is not obtained for their installation and use (use of non-exempt cookies) nor about the mechanisms for their deactivation or removal |
Risk scenarios that may affect the LEGAL NOTICE
| Code | Description |
|---|---|
| RAL.01 | No adequate legal notice is available |
| RAL.02 | The legal notice is not visible nor easily accessible to the user |
Risk scenarios that may affect the PRIVACY POLICY
| Code | Description |
|---|---|
| RPP.01 | No privacy policy is available |
| RPP.02 | At the time of data collection in website forms, minimum information about data processing is not provided |
Risk scenarios that may affect SECURITY
| Code | Description |
|---|---|
| RSPW.01 | Non-compliance with the general regulation on Information Society Services and Electronic Commerce |
| RSPW.02 | No training plan is available regarding Information Society Services and Electronic Commerce |
| RSPW.03 | The relationship with data processors has not been properly formalized |
| RSPW.04 | The organization is unaware of the procedures to respond to the exercise of rights |
| RSPW.05 | Inability to detect and manage incidents affecting data security |
| RSPW.06 | Appropriate security measures are not implemented |
| RSPW.07 | Measures adopted are not verified |
Risk scenarios that may affect ELECTRONIC COMMERCE
| Code | Description |
|---|---|
| RCE.01 | No general contracting conditions are available |
| RCE.02 | The organization does not have simple and secure payment mechanisms |
| RCE.03 | Clear information about the prices of products/services/reservations offered on the website is not provided |
| RCE.04 | No confirmation of receipt of acceptance is issued |
| RCE.05 | No information is provided about the existence (or not) of the right of withdrawal |
| RCE.06 | The warranty period is not indicated to the customer |
| RCE.07 | No repair materials for products are available |
7. RISK ANALYSIS IN INFORMATION SOCIETY SERVICES AND ELECTRONIC COMMERCE
Currently, AK ORAL ESTUDIO, S.L.P does not have a website or conduct advertising communications, so this section is not applicable. If a website is provided or electronic advertising communications are made, PROFESSIONAL GROUP CONVERSIA SLU must be contacted to update the documentation.
8. CONCLUSIONS AND RECOMMENDATIONS
Currently, AK ORAL ESTUDIO, S.L.P does not have a website or conduct advertising communications, so this section is not applicable. If a website is provided or electronic advertising communications are made, PROFESSIONAL GROUP CONVERSIA SLU must be contacted to update the documentation.
