Protection of personal data
1 Objective Establish the guidelines for addressing requests to exercise the rights of access, rectification, cancellation, and opposition to the processing of personal data, as well as the actions that the company must carry out, as the party responsible, for the protection, processing, conservation, safeguarding, and elimination of personal data collected by any means.
2 Scope This policy applies generally and is mandatory for all personnel, especially those who carry out activities in the company’s key processes, as well as for suppliers, officials, and any interested party.
When contracting third parties as suppliers and partners, the area within the company that conducts negotiations and contracting must ensure the correct handling of information related to compliance with applicable personal data protection legislation.
3 Definitions
No. | Concept | Description |
---|---|---|
1 | Gap Analysis | Analysis tool that compares the existing security measures of personal data systems, and their performance, against the measures that are required, in order to identify those that are missing. |
2 | Risk Analysis | Study of possible threats, vulnerabilities, and unwanted events that may affect the rights of the personal data holder. |
3 | Legal Department | The department within the company responsible for continuity, support, and follow-up on legal matters. |
4 | Employee | All personnel providing subordinate services to the company. |
5 | Integrity Committee | The body responsible for establishing minimum bases for prevention, attention, investigation, and implementation of sanctions regarding conduct or acts of bribery, corruption, personal data protection, labor equality, and non-discrimination. |
6 | Personal Data | Any information concerning an identified or identifiable natural person. A person is considered identifiable when their identity can be determined directly or indirectly through any information. |
7 | Sensitive Personal Data | Those that refer to the most intimate sphere of their holder, or whose improper use may lead to discrimination or imply a serious risk for their holder. Sensitive personal data include, but are not limited to, data that may reveal aspects such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical, and moral beliefs, political opinions, union affiliation, and sexual preference. |
8 | ARCO Rights | The rights of access, rectification, cancellation, and opposition to the processing of personal data. |
9 | Current Personal Data Protection Legislation | The applicable legislation includes, but is not limited to, the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), the Regulation of the Federal Law on the Protection of Personal Data Held by Private Parties, the General Law on Transparency and Access to Public Information, the Federal Law on Transparency and Access to Public Information, and the Privacy Notice Guidelines. |
10 | Compliance Officer | The person responsible for monitoring the proper implementation and functioning of the organization’s applicable normative and legal framework documentation, and for managing the complaint channel for conduct, activities, or behaviors by personnel, suppliers, or shareholders that constitute an infraction. |
4 Development The company is committed to the highest ethical standards in the businesses it participates in and in the provision of its services; therefore, it complies with the current and applicable personal data protection legislation in Mexico, including but not limited to Articles 6 and 16 of the Political Constitution of the United Mexican States and the Federal Law on the Protection of Personal Data Held by Private Parties, published in the Official Gazette of the Federation on July 5, 2010.
4.1 Guidelines for the Protection of Personal Data In the processing of personal data, areas must observe the principles of quality, consent, purpose, information, loyalty, legality, proportionality, and responsibility.
Principle of Legality Obliges the responsible party to ensure that the processing complies with Mexican legislation and international law. The company guarantees this principle of legality through the full compliance by the company or the designated responsible parties with each applicable policy, procedure, format, declaration, or regulation.
Principle of Consent The responsible party must obtain consent for the processing of personal data, unless it is not required according to Article 10 of the LFPDPPP. The request for consent must refer to a specific purpose or purposes outlined in the privacy notice. The company guarantees this principle of consent through the signature of each personal data holder on the applicable privacy notice.
Principle of Information The responsible party must inform the data holder about the existence and main characteristics of the processing their personal data will undergo through the privacy notice, in accordance with the LFPDPPP and this policy. The company guarantees this principle of information through clear, precise, and accurate content within the applicable privacy notice regarding the processing of personal data.
Principle of Quality The principle of quality is met when the processed personal data are accurate, complete, relevant, correct, and updated as required for the fulfillment of the purpose for which they are processed. The company guarantees this principle of quality through the periodic and constant updating of databases to ensure that the personal data contained therein are relevant, correct, and updated according to the purposes for which they were collected.
Principle of Purpose Personal data may only be processed to fulfill the purpose or purposes established in the privacy notice, in terms of Article 12 of the LFPDPPP. The company guarantees this principle of purpose through periodic reviews with the intervention of the Integrity Committee, ensuring that the processing of personal data is limited to fulfilling the purposes outlined in the privacy notice.
Principle of Loyalty The principle of loyalty establishes the obligation to process personal data prioritizing the protection of the data holder’s interests and reasonable expectation of privacy, as established in Article 7 of the LFPDPPP. The company guarantees this principle of loyalty by committing not to obtain and process personal data through deceptive or fraudulent means. The company must prioritize the protection of the data holder’s interests and reasonable expectation of privacy, ensuring compliance with the principles of personal data protection established in the legislation, and adopting necessary measures for their application.
Principle of Proportionality Only personal data that are necessary, adequate, and relevant in relation to the purposes for which they were collected may be processed. The company guarantees this principle of proportionality by ensuring that the processing of personal data is necessary, adequate, and relevant in relation to the purposes outlined in the privacy notice. The company must only process personal data that are adequate, relevant, and strictly necessary for the purpose that justifies their processing.
Principle of Responsibility In terms of Articles 6 and 14 of the LFPDPPP, the responsible party has the obligation to ensure and respond for the processing of personal data under their custody or possession, or those communicated to a processor, whether the latter is within Mexican territory or not. The company guarantees this principle of responsibility by taking necessary and sufficient measures to ensure that the privacy notice disclosed to the data holder is respected at all times by the company or third parties with whom it has a legal relationship.
The company and all its employees will adopt necessary measures to maintain accurate, complete, relevant, correct, and updated personal data in their possession, to ensure the veracity of the data, by attending to the following:
- Personal data are accurate when they reflect the reality of the data holder’s situation, i.e., they are true or faithful.
- Personal data are complete when none of the required data for the purposes for which they were obtained and processed are missing.
- Personal data are relevant when they effectively correspond to the data holder and not to a homonym.
- Personal data are updated when they correspond to the current situation of the data holder.
- Personal data are correct when they meet all the above characteristics, i.e., they are accurate, complete, relevant, and updated.
The Business Unit or Support Area Management will be responsible for supporting the Integrity Committee or the Compliance Officer in the responsible processing of personal data by performing the following functions:
I. Adopt security measures for the safeguarding of the Personal Data Systems under their responsibility, in physical support, to prevent alteration, loss, or unauthorized access.
II. Explicitly authorize users, in cases not already provided for by a legal instrument or normative provision, and maintain an updated record of the persons with access to Personal Data Systems in physical support.
III. Apply and monitor compliance with the security measures and standards for the conservation and safeguarding of the organization’s Personal Data Systems, as determined by the Integrity Committee or the Compliance Officer through specific normative provisions of general observance for the Processes area.
IV. Maintain an updated inventory of the personal data processed by the area in their charge and submit it to the Integrity Committee or the Compliance Officer at planned intervals. They must also keep an updated risk level for each item of personal data in the inventory and, when requested, inform the Integrity Committee or the Compliance Officer of the actions taken to mitigate and control that risk.
V. Process only the personal data strictly necessary for the exercise of their attributions and functions, observing the applicable personal data provisions. The Integrity Committee must ensure that the inventory of personal data is updated at least once per calendar year, requesting each Business Unit or Support Area Director to update it in accordance with the responsibility stipulated in item IV above.
It is presumed that the quality of personal data is met when provided directly by the data holder until they express and prove otherwise.
4.2 Sensitive Personal Data The Sensitive Personal Data described below are illustrative and not exhaustive:
- Racial or ethnic origin;
- Present or future health status;
- Genetic information;
- Religious beliefs;
- Philosophical and moral beliefs;
- Political opinions;
- Sexual preference; and
- Union affiliation.
For sensitive personal data, the express and written consent of the data holder must be obtained for its processing, through their autograph signature, electronic signature, or any authentication mechanism established for this purpose.
Databases containing sensitive personal data cannot be created without justifying their creation for legitimate, specific purposes aligned with the activities or explicit goals pursued by the regulated entity.
All company personnel are informed that, in case of any doubt or clarification regarding the processing of sensitive personal data, they can contact the Integrity Committee or the Compliance Officer.
The processing of personal data will be necessary, adequate, and relevant in relation to the purposes outlined in the privacy notice. For sensitive personal data, the responsible party must make reasonable efforts to limit the processing period to the minimum necessary.
In the case of sensitive personal data, the privacy notice must explicitly state that it concerns this type of data.
4.3 Cancellation of Personal Data When personal data are no longer necessary for the fulfillment of the purposes outlined in the privacy notice and that motivated their processing according to applicable provisions, they must be deleted, after being blocked if applicable, once the retention period has concluded.
The retention periods for personal data must not exceed those necessary for the fulfillment of the purposes that justified their processing and must comply with applicable provisions, considering administrative, accounting, tax, legal, and historical aspects of the personal data.
The company, through the Integrity Committee, will establish controls or mechanisms to ensure that all individuals involved in any phase of personal data processing maintain confidentiality regarding the data, an obligation that will persist even after their relationship with the company ends.
Business units/staff areas must make the corresponding Privacy Notice available to all personnel, suppliers, officials, and any interested party according to the established parameters.
4.4 Transfer of Personal Data All transfers of personal data are subject to the consent of the data holder and, once consent is obtained, must be authorized by the Integrity Committee, unless the transfer is already contemplated in the privacy notice signed by the respective data holder.
The instrument that, where necessary, formalizes the transfer under this section must contain at least the following:
- Identification of the Personal Data System, the transmitter, and the recipient;
- Purpose of the transfer, as well as the type of data involved;
- Security and custody measures adopted by the organization and the recipient;
- Retention period for the data transmitted to the recipient, which may be extended by notifying the company; and
- Indicate whether, once the purposes of the transmission are concluded, the personal data should be destroyed or returned to the company, along with any support or document containing any Personal Data subject to the transmission.
4.5 ARCO Rights The exercise of ARCO rights will be free of charge, and the company may only charge to recover reproduction, certification, or shipping costs, in accordance with applicable regulations.
ARCO rights requests must be resolved within the maximum period established in the LFPDPPP, following the internal deadlines and procedures defined for that purpose. The data holder will be notified of the response through the Integrity Committee or, where applicable, by the legal department.
The company has an established procedure for exercising ARCO rights called “PR-GAL-01 ARCO Rights Claim,” which outlines step-by-step guidelines for responding to any exercise of ARCO rights by their holders.
4.6 Training The training officer must schedule courses for personnel and relevant stakeholders of the company regarding compliance with this Policy, as well as important general information related to personal data protection, considering the recommendations of the Integrity Committee.
Each year, all personnel and stakeholders must take part in at least one training course.
Additionally, the training area must plan to provide training when there are amendments to applicable legislation, including training for members of the Integrity Committee.
4.7 Open Doors The company makes the following form available to all personnel, suppliers, and third parties for exercising ARCO rights and for making any inquiries to the Personal Data Committee. The form can be sent to the following email: [email protected].
Additionally, any interested person can contact the company to make any inquiries or requests regarding the application and compliance with this policy through the contact form available on the website.
4.8 Reporting to the Integrity Committee Personnel, officials, suppliers, third parties, and stakeholders assume the responsibility to report to the Integrity Committee or the Compliance Officer any activity that violates or could violate this policy or applicable legislation. A report may be made by any person who identifies themselves with an official document and describes the incident in as much detail as possible, attaching the evidence and any supporting material they consider appropriate.
To this end, the company has implemented a reporting system through the email [email protected], where anyone can report any activity that violates or could violate this policy or applicable legislation.
If necessary, the company will engage external lawyers to advise on whether a potential violation of this policy exists. If a determination cannot be made with the available information, or if a potential violation is confirmed, corrective measures will be carried out in accordance with the applicable mechanism for preventing, addressing, and sanctioning illicit acts of corruption and bribery.
4.9 Sanction As a preventive measure, the company informs officials, suppliers, third parties, and stakeholders that, in case of violation of this Policy, the company, at its discretion and whether or not acting jointly with the Integrity Committee, will apply the disciplinary measures it deems appropriate in accordance with PR-GAL-03 Administrative Sanctions. These may include termination of the labor, professional, or commercial relationship and, where appropriate, reporting the matter to the competent authorities, along with any other measures contemplated by applicable legislation.
4.10 Corrective Measures The company, through the Integrity Committee with the support of areas that may intervene, will seek to implement Corrective Measures aimed at identifying activities that could potentially constitute a violation of this Policy or applicable legislation, investigating them to their fullest extent, applying the corresponding sanctions, and establishing a knowledge base for the continuous improvement of personal data security.
4.11 Internal Audit If necessary, at the discretion of the Integrity Committee, evaluations will be planned to help conduct a gap analysis of information security measures, with the obligation to review the company’s privacy notices at least every 12 (twelve) months, updating them if necessary.
4.12 Reporting to Authorities The report and supporting documentation on activities investigated by the Integrity Committee for possible irregularities in compliance with this policy will be analyzed by the legal department personnel, who, together with external lawyers and depending on each particular case, will develop a strategy to report the investigated facts to the competent authorities when applicable, informing the General Management through PR-GPO-06 Management Review.
4.13 Collaboration in Sanctions In case any authority initiates an administrative investigation procedure against the company, the latter, together with the Integrity Committee, commits to collaborating in obtaining and identifying the required information.
© CustomSoft Copyright 2022.