Privacy Policy
The Company has the authority to design, evaluate, and continuously review the governance and sustainability system, and in particular, to approve and update the corporate policies containing the guidelines that govern the Company’s actions. In the exercise of these responsibilities, and within the framework of the law, of the guidelines for action that give effect to the purpose and values of the Company, and of its sustainable development strategy, this Privacy Policy (the “Policy”) is approved.
1. Purpose
The purpose of this Policy is to establish the common and general principles and guidelines for action within the Company regarding the protection of personal data, ensuring compliance with applicable legislation in all cases.
In particular, the Policy guarantees the right to data protection of all natural persons who have a relationship with the Company, ensuring respect for the right to honor and privacy in the processing of different types of personal data from various sources and for different purposes, depending on their business activity, in line with the Company’s human rights policy.
2. Scope of Application
This Policy applies to the Company and to all persons who have a relationship with the Company.
3. General Principles for the Processing of Personal Data
The Company strictly complies with the data protection laws of its jurisdiction and with the laws applicable to the processing of personal data it carries out.
Furthermore, the Company will promote consideration of the principles contained in this Policy: (i) in the design and implementation of all procedures for processing personal data; (ii) in the products and services it offers; (iii) in all contracts and obligations it enters into with natural persons; and (iv) in the implementation of all systems and platforms that allow the Company’s professionals or third parties to access, collect, or process personal data.
4. Fundamental Principles for the Processing of Personal Data
The principles for the processing of personal data on which this Policy is based are set forth below:
a) Principles of lawfulness, fairness, and transparency in the processing of personal data. The processing of personal data shall be carried out lawfully, regularly, and in accordance with applicable laws. In this sense, personal data must be collected for one or more specific and legitimate purposes in accordance with applicable legislation. In cases where required by applicable law, the consent of the data subjects must be obtained before their data is collected. Furthermore, the purposes of processing personal data, where required by law, must be explicitly stated at the time of collection. In particular, the Company does not collect or process personal data relating to ethnic or racial origin, political opinions, beliefs, religious or philosophical convictions, sex life or sexual orientation, or trade union membership. Nor does it process health, genetic, or biometric data for the purpose of uniquely identifying a person, unless the collection of such data is necessary, legitimate, and required or permitted by applicable law; in which case, it will be collected and processed in accordance with the provisions of the agreement.
b) Principle of data minimization. Only such personal data that is strictly necessary for and proportionate to the purpose for which it is collected or processed shall be processed.
c) Principle of accuracy. Personal data must be accurate and kept up to date. Otherwise, it must be deleted or rectified.
d) Principle of storage limitation. Personal data shall not be kept longer than necessary to achieve the purpose for which it is processed, except in cases provided for by law. (Annex I – Protocol, retention periods, and disposal periods).
e) Principles of integrity and confidentiality. When processing personal data, appropriate security must be ensured through suitable technical or organizational measures, guaranteeing the protection of such data against unauthorized or unlawful processing and preventing its loss, destruction, or accidental damage. (Annex II – Security Policy). Personal data collected and processed by the Company must be kept strictly confidential and secret; it may not be used for purposes other than those that justified and enabled its collection, and it cannot be disclosed or transferred to third parties outside of the cases permitted by applicable legislation.
f) Principle of proactive accountability. The Company is responsible for compliance with the principles set forth in this Policy and the provisions required by applicable law, and must be able to demonstrate this when required by applicable law.
Risk Analysis: The Company must carry out a risk assessment of the processing operations it performs to determine the measures that must be taken to ensure that personal data is processed in accordance with legal requirements. Potential risks to the protection of personal data arising from new products, services, or information systems will be reviewed in advance, and necessary measures will be taken to eliminate or mitigate these risks, provided this is required by law. For complex processing operations, where the main source of risk stems from sensitivity, the volume of data, data collection methods, or disclosure to third parties, a comprehensive data lifecycle analysis is recommended. (Annex III – Data Lifecycle).
Record of Processing Activities: The Company maintains a record of activities describing the personal data processing carried out within the framework of its operations.
Management of Security Breaches: In the event of an incident leading to the accidental or unlawful destruction, loss, or alteration of personal data, or unauthorized disclosure or access to such data, the internal protocols established for this purpose by the security officer or by the management executing its duties under applicable law must be followed. These occurrences must be documented, and measures will be taken to remedy and mitigate potential negative impacts on the affected data subjects. (Annex IV – Security Breach Management Protocol).
g) Principles of transparency and information. The processing of personal data shall be carried out in a transparent manner toward the data subject, providing them with information about the processing of their data in an understandable and accessible form, provided this is required by applicable law. To ensure fair and transparent processing, the Company, as the data controller, must inform data subjects or individuals whose data is to be collected about the circumstances of the processing in accordance with applicable legislation. (Annex V – Protocol for Informing Data Subjects about Processing).
h) Acquisition or Collection of Personal Data. It is prohibited to collect or obtain personal data from unlawful sources, from sources that do not offer sufficient guarantees of their lawful origin, or from sources whose data was collected or transmitted in violation of the law.
i) Engagement of Data Processors. Prior to hiring a service provider that accesses personal data for which the Company is responsible, as well as during the term of the contractual relationship, the necessary measures must be taken to ensure and, where legally enforceable, demonstrate that the data processing by the processor is carried out in accordance with applicable regulations. (Annex VI – Supplier Engagement Protocol).
j) International Data Transfer. Any processing of personal data subject to European Union law that involves a transfer of data outside the European Economic Area must be carried out in strict compliance with the requirements of applicable law in the origin jurisdiction.
k) Rights of Data Subjects. The Company must enable data subjects to exercise their rights of access, rectification, objection, erasure, portability, and restriction of processing, establishing for this purpose the internal procedures necessary to meet at least the statutory requirements applicable in each case. (Annex VII – Protocol on the Management of Data Subject Rights).
5. Implementation
The HR Directorate develops and updates, in accordance with the provisions of this Policy, the internal regulations for global data protection management, which will be implemented by said management and are mandatory for all members of the management team and professionals of the Company.
Likewise, the HR Directorate, together with the other department heads, will establish internal procedures to develop the principles contained in this Policy and specify its content in accordance with applicable law.
The HR Directorate is responsible for reporting on regulatory developments and innovations in the field of personal data protection.
The Head of the IT Department is responsible for implementation, controls, and IT developments suitable for ensuring compliance with internal regulations for global data protection management, ensuring that these developments are updated at all times.
Additionally, the following steps will be taken: (i) designate the individuals responsible for the data, subject to the legislation applicable at any given time, who will act in a coordinated manner and under the supervision of the HR Directorate; and (ii) coordinate with activities that involve or include the management of personal data.
Finally, data protection consultants will monitor the general state of personal data protection and ensure proper compliance with practices and adequate risk management in the field of personal data protection.
6. Monitoring and Evaluation
It is the responsibility of the Executive Management performing its duties to monitor the Company’s compliance with the provisions of this Policy. The foregoing provisions apply in any case without prejudice to the responsibilities of other bodies and directorates of the Company.
To verify compliance with this Policy, periodic audits will be carried out with internal or external auditors.
Evaluation
The competent management will evaluate the compliance and effectiveness of this Policy at least once a year and report on the outcome.
This Policy was approved on June 2, 2026.