PERSONAL DATA PROTECTION POLICY

CCBABOGADOS CIA. LTDA.

PERSONAL DATA PROTECTION POLICY
1. The Company
CCBABOGADOS CIA. LTDA., hereinafter referred to simply as CCB ABOGADOS or the Company, is a company whose main purpose is to provide high-quality legal and accounting services, with expertise in advising clients from the private sector and public institutions in Ecuador. CCB ABOGADOS' client portfolio includes commercial and industrial companies in sectors such as technology and telecommunications, automotive, retail, education, non-governmental organizations, energy, construction, pharmaceuticals, among others.
CCB ABOGADOS has received several recognitions from different international legal directories in its areas of practice.
2. Purpose, Scope, and Users
CCB ABOGADOS is committed to complying with the Organic Law on Personal Data Protection, hereinafter referred to as LOPDP, its implementing regulations, and in general all the legal framework related to personal data protection in force in Ecuador. This policy establishes the basic principles by which CCB ABOGADOS processes personal data of its clients, suppliers, partners, employees, and third parties (who have direct links with CCB ABOGADOS), as well as the obligations of its employees, associates, and partners regarding the processing of personal data as defined in the LOPDP.
This policy applies to the Company and related third parties who process personal data on its behalf and conduct business within the Ecuadorian territory or process personal data of individuals domiciled in Ecuador or abroad.
The users of this document are all employees, permanent or temporary, associates, partners, and all professionals and/or suppliers working on behalf of CCB ABOGADOS.
3. Reference Documents
a) The Organic Law on Personal Data Protection - LOPDP, published in the Fifth Supplement of the Official Registry, No. 459, on May 26, 2021
b) General Regulation of the Organic Law on Personal Data Protection.
c) Personal Data Protection Policy.
d) General Manual of Processes of CCB ABOGADOS.

4. Definitions
The following definitions of terms used in this document come from Article 4 of the Organic Law on Personal Data Protection:

• Personal Data Protection Authority: An independent public authority responsible for supervising the application of this Law, its regulations, and the resolutions issued by it, in order to protect the fundamental rights and freedoms of natural persons regarding the processing of their personal data.

• Anonymization: The application of measures aimed at preventing the identification or re-identification of a natural person without disproportionate efforts.

• Database or file: Structured set of data, regardless of the form, mode of creation, storage, organization, type of support, treatment, processing, location, or access, whether centralized, decentralized, or functionally or geographically distributed.

• Consent: The voluntary, specific, informed, and unequivocal expression of the will by which the data subject authorizes the data controller to process their personal data.

• Dato biométrico: Dato personal único, relativo a las características físicas o fisiológicas, o conductas de una persona natural que permita o confirme la identificación única de dicha persona, como imágenes faciales o datos dactiloscópicos, entre otros.

• Dato genético: Dato personal único relacionado a características genéticas heredadas o adquiridas de una persona natural que proporcionan información única sobre la fisiología o salud de un individuo.

• Dato personal: Dato que identifica o hace identificable a una persona natural, directa o indirectamente.

• Datos personales crediticios: Datos que integran el comportamiento económico de personas naturales, para analizar su capacidad financiera.

• Datos relativos a la salud: datos personales relativos a la salud física o mental de una persona, incluida la prestación de servicios de atención sanitaria, que revelen información sobre su estado de salud.

• Datos sensibles: Datos relativos a: etnia, identidad de género, identidad cultural, religión, ideología, filiación política, pasado judicial, condición migratoria, orientación sexual, salud, datos biométricos, datos genéticos y aquellos cuyo tratamiento indebido pueda dar origen a discriminación, atenten o puedan atentar contra los derechos y libertades fundamentales.

• Data Protection Officer: The natural or legal person without a dependent relationship who is responsible for advising, overseeing, and ensuring compliance with the obligations attributable to CCB ABOGADOS regarding personal data, as well as managing and provision of all instruments adopted to comply with the applicable rules and the application of good data management practices within the company. Additionally, this person will be responsible for the obligations and functions set out in this Manual.

• Recipient: Natural or legal person who has been provided with personal data.

• Profiling: Any processing of personal data that allows for the evaluation, analysis, or prediction of aspects of a natural person to determine behaviors or patterns related to professional performance, economic situation, health, personal preferences, interests, skills, location, physical movement of a person, among others.

• Data Processor: Natural or legal person, public or private, public authority, or other body that, alone or jointly with others, processes personal data on behalf of a data controller.

• Certification Entity: An entity recognized by the Data Protection Authority, which may, non-exclusively, provide certifications in the field of personal data protection.

• Publicly Accessible Source: Databases that can be accessed by anyone, with public, unconditional, and widespread access.

• Data Controller: Natural or legal person, public or private, public authority, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

• Personal Data Protection Seals: Accreditation granted by the certification entity to the data controller or data processor for having implemented best practices in their processes, with the aim of promoting the trust of the data subject, in accordance with the technical regulations issued by the Data Protection Authority.

• Pseudonymization: Processing of personal data in such a way that it can no longer be attributed to a data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures aimed at ensuring that the personal data is not attributed to an identified or identifiable natural person.

• Data Subject: Natural person whose data is subject to processing.

• Transfer or Communication: Expression, declaration, delivery, consultation, interconnection, assignment, transmission, dissemination, disclosure, or any form of disclosure of personal data to a person other than the data subject, data controller, or data processor. The communicated personal data must be accurate, complete, and up-to-date.

• Processing: Any operation or set of operations performed on personal data, whether by automated, partially automated, or non-automated technical procedures, such as collection, gathering, obtaining, recording, organization, structuring, retention, storage, adaptation, modification, deletion, indexing, extraction, consultation, use, possession, exploitation, distribution, transfer, communication, or any other form of enabling access, comparison, interconnection, limitation, erasure, destruction, and, in general, any use of personal data.

• Personal Data Security Breach: A security incident that affects the confidentiality, availability, or integrity of personal data.

5. Basic principles of personal data processing
The principles of data protection describe the basic responsibilities of organizations that process personal data (in this case, applicable to the Company). Article 10 of the LOPDP establishes the following principles for personal data processing:
5.1. Legality
Personal data must be processed in strict compliance with the principles, rights, and obligations established in the Constitution of Ecuador, the LOPDP, and other applicable regulations.
5.2. Loyalty
The processing of personal data must be loyal, meaning that the data subject must be clear that their data is being processed through lawful and fair means or for lawful purposes.
5.3. Transparency
Information or communication related to the processing must be accessible and easy to understand for the data subject, using simple and clear language.
5.4. Purpose
The purposes of the processing must be determined, explicit, legitimate, and communicated to the data subject. Personal data processing for purposes other than those initially collected should only be allowed when compatible with the purposes of the initial collection.
5.5. Data Minimization
Personal data must be relevant and limited to what is strictly necessary for the fulfillment of the processing purpose.
5.6. Proportionality of processing
El tratamiento de datos debe ser adecuado, necesario, oportuno, relevante y no excesivo con relación a las finalidades para las cuales hayan sido recogidos o a la naturaleza misma de las categorías especiales de datos.
5.7. Preservation
Personal data will be retained for no longer than necessary to fulfill the purpose of the processing. Timeframes for deletion or periodic review will be established. Personal data should not be kept for longer than necessary for the purposes for which the personal data are processed.
Los datos personados no deben ser conservados más de lo necesario para los fines para los cuales los datos personales son tratados.
5.8. Confidentiality
The processing of personal data must be based on due secrecy and confidentiality. It must not be processed or disclosed for a purpose other than that for which it was collected, unless one of the justifications allowing for further processing is present.
5.9. Quality and accuracy
Personal data subject to processing must be accurate, complete, precise, verifiable, clear, and, if applicable, duly updated. All reasonable measures will be taken to delete or rectify personal data that is inaccurate with respect to the purposes for which they are processed.
5.10. Security of personal data
The controller or processor of personal data must implement appropriate and necessary security measures, accepted by the state of the art, whether organizational, technical, or of any other nature, to protect personal data against any risk, threat, vulnerability, taking into account the nature of personal data, the scope, and context.
5.11. Proactive responsibility
The controller of personal data processing must implement mechanisms for the protection of personal data, in compliance with the principles, rights, and obligations established in the Organic Law on Personal Data Protection. For this purpose, it may rely on standards, best practices, self-regulation schemes, protection codes, certification systems, personal data protection seals, or any other mechanism deemed appropriate for the purposes.
6. Development of data protection in CCB ABOGADOS’ activities
6.1. In order to comply with the principles of personal data protection, CCB ABOGADOS will follow the following provisions: Legitimate processing
Data processing is considered legitimate and lawful when one of the following conditions is met:
a) Consent of the data subject for one or more specific purposes.
b) Compliance with a legal obligation.
c) Judicial order.
d) In compliance with an obligation carried out in the public interest, subject to compliance with applicable international human rights standards, principles of the LOPDP, and criteria of legality, proportionality, and necessity.
e) For the execution of pre-contractual measures at the request of the data subject or for the fulfillment of contractual obligations.
f) To protect the vital interests of the data subject or another natural person.
g) To satisfy a legitimate interest.
6.2. Legitimate interest
When the processing of personal data is based on a legitimate interest of the Company, it will be subject to the following conditions:
a) Only those personal data that are strictly necessary for the fulfillment of the purpose can be processed.
b) Transparency of the processing must be ensured to the data subject.
c) The Data Protection Authority may require CCB ABOGADOS to provide a report to verify that there are no concrete threats to the legitimate expectations of the data subjects and their rights.
6.3. Consent for processing
The consent of the data subject for the processing of their personal data will be valid when the consent is:
a) Freely given: voluntary, without any form of intimidation or error.
b) Specific: with a specific determination of the means, purposes of the processing, and transfer for processing.
c) Informed: easy to understand, in simple and clear language.
d) Unambiguous: leaving no doubt as to the scope of the authorization.
6.4. Collection of personal data
CCB ABOGADOS must strive to collect the minimum amount of personal data possible, without prejudice to its social purpose and its inherent activities of legal advice and representation. If personal data is obtained from a third party, CCB ABOGADOS’ collaborator must ensure that the personal data is obtained legally.
6.5. Processing, storage, and deletion
The purpose of the processing, methods, storage limitation, and retention period of personal data must be consistent with the information contained in CCB ABOGADOS' Privacy Policy. CCB ABOGADOS must maintain the accuracy, integrity, confidentiality, and relevance of personal data in relation to the purpose of the processing. Adequate security mechanisms designed to protect personal data must be used to prevent leakage, theft, misuse, or abuse of personal data and mitigate potential security breaches of systems and/or databases containing personal data. The designated personal data protection officer (referred to as the "Designated") is responsible for complying with the requirements listed in this section.
6.6. Transfer and communication of data to Data Processor
Whenever CCB ABOGADOS uses a data processor (referred to as the "Processor") to process personal data on its behalf, the Designated must ensure that the Processor provides security measures to safeguard the personal data that are appropriate to prevent misuse, unauthorized disclosure, security breaches of personal data systems, and any associated risks.
The processing of personal data carried out by the Processor must be specified in a "Personal Data Processing Agreement," which must include at least the following provisions:
a) Specification of the data to be processed.
b) Methods of data processing.
c) Specific purposes of the processing.
d) Transfer or communication to third parties.
e) Final disposal of the data.

6.7. International Transfer or Communication of Personal Data
Before transferring personal data outside the Ecuadorian territory, the Designated must review whether the country to which the transfer will be made provides adequate levels of protection, in accordance with the standards and criteria established in the Organic Law on Personal Data Protection, or, failing this, in accordance with the provisions of the relevant international treaties on personal data protection. If necessary, authorization must be obtained from the Personal Data Protection Authority.
6.8. Right to information of data subjects
The Designated is responsible for informing data subjects, through any channel, about the following regarding the personal data subject to processing:
a) Purposes of the processing.
b) Legal basis for the processing.
c) Types of processing.
d) Retention period.
e) Source of the data, when it has not been obtained directly from the data subject.
f) Existence of a database.
g) Identity and contact information of the Company as the data controller, which will include:
a. Residential address.
b. Phone number.
c. Email address.
h) Intended national or international transfers or communications.
i) Consequences for the data subject in case of refusal to provide personal data.
j) Effect of providing incorrect or inaccurate personal data.
k) Possibility to revoke consent.
l) Existence and procedure to exercise the data subject's rights provided in the Organic Law on Personal Data Protection.
m) Mechanisms for data portability.
n) Where and how to file complaints with the Company and the Personal Data Protection Authority.
o) Existence of automated assessments and decisions.
6.9. Rights to access, rectification and update of data subjects
As the data protection officer, the Designated must provide data subjects with a reasonable mechanism that allows them to access their personal data, as well as request the rectification and updating of their inaccurate or incomplete personal data.
6.10. Right to Data Portability
Data subjects have the right to receive their data from CCB ABOGADOS in a structured format or to transmit them to other data controllers, free of charge. The Designated is responsible for ensuring that these requests are fulfilled when technically feasible. The transferred data must be deleted unless the data subject requests their retention.
CCB ABOGADOS will authorize data portability when one of the following conditions is met:
a) The data subject has given consent for the processing.
b) The processing is carried out by automated means.
c) It concerns a substantial volume of personal data.
d) The processing is necessary for the performance of obligations or the exercise of rights of the data controller, data processor, or data subject.
If technically feasible, data portability will be conducted between data controllers.
This right shall not apply to information derived or generated from analysis or processing performed by the Company.
6.11. Suspension of Processing
Data subjects may request CCB ABOGADOS to suspend the processing of their data in the following cases:
a) The data subject challenges the accuracy of the data.
b) The processing is unlawful, and the data subject opposes the erasure of the data and requests the limitation of its use.
c) CCB ABOGADOS no longer needs the personal data for the purposes of processing, but the data subject requires it for the formulation of claims.
d) The data subject has objected to the processing of health-related data.
6.12. Deletion of personal data
Data subjects may request CCB ABOGADOS to delete their personal data in the following cases:
a) The processing is no longer necessary for the fulfillment of the purpose.
b) The data has fulfilled the purpose for which it was obtained.
c) The retention period for the data has expired.
d) The processing affects fundamental rights or individual liberties.
e) The data subject explicitly withdraws their consent.
f) Legal obligation.
6.13. Request for the exercise of Rights
Requests made to CCB ABOGADOS to exercise the rights detailed in sections 6.9, 6.10, 6.11, and 6.12 must be addressed within 15 days by the Designated. CCB ABOGADOS will provide data subjects with a "Request or Complaint Form" and implement a process for handling such requests. The requests must be addressed within 15 calendar days.
7. Guidelines for lawful processing
Personal data should only be processed when explicitly authorized by the Company.
The Company must decide whether to conduct a data protection impact assessment for each data processing activity.
7.1. Notice to data subjects
En el momento de la obtención o antes de recoger datos personales para cualquier tipo de actividades de tratamiento de datos personales, el Designado es responsable de informar adecuadamente a los titulares sobre los siguientes tipos de datos personales: los tipos de datos personales recogidos, los fines del tratamiento, los derechos de los titulares con respecto a sus datos personales, el período de conservación, las posibles transferencias de datos a tercer internacionales, si los datos serán compartidos con terceros y las medidas de seguridad de CCB ABOGADOS para proteger los datos personales. Esta información es proporcionada mediante cláusulas en los contratos laborales y de prestación de servicios técnicos especializados, ofertas y contratos de prestación de servicios legales suscritos por los clientes, y mediante un Aviso de Privacidad visualizados tanto en la página web de la Empresa como en los correos electrónicos (oficiales asignados por la Empresa) de los trabajadores, profesionales de CCB ABOGADOS.
In the event that CCB ABOGADOS shares personal data with a data processor or a third party, the Designated must ensure that data subjects have been notified of this.
When personal data is transferred to another country, it must be clearly stated where and to which entity the personal data is being transferred.
When sensitive personal data is obtained, the Designated must explicitly indicate to the data subject the purpose for which this sensitive personal data is being collected.
7.2. Obtaining consent
Whenever the processing of personal data is based on the consent of the data subject or other legal grounds, the Designated is responsible for maintaining a record of such consent. CCB ABOGADOS is responsible for providing options to data subjects to provide consent and must inform and ensure that their consent (when consent is used as the legal basis for processing) can be revoked at any time.
For children and adolescents under the age of 15, the consent for the processing of personal data must be provided by their legal representative.
Personal data should only be processed for the purpose for which it was initially obtained. In the event that CCB ABOGADOS needs to process the collected personal data for another purpose, the Designated is responsible for obtaining the consent of the data subjects. Any such request must include the initial purpose for which the data was collected, as well as the new additional purpose(s). The request must also include the reason for the change in the purpose(s).
8. Organization and responsibilities
The responsibility for ensuring the proper handling of personal data rests with all individuals working for CCB Abogados, whether they have an employment relationship or not, and have access to the personal data processed by the Company.
The key areas of responsibility for the processing of personal data lie with the following positions within the organization:
The General Board of Partners: This body makes decisions and approves the general strategies of CCB ABOGADOS regarding personal data protection, including the present Policy (in accordance with its powers established in the Companies Law and the Bylaws of CCB Abogados Cía. Ltda).
The Designated Data Protection Officer is responsible for:
• Managing the personal data protection program and the development and promotion of personal data protection policies.
• Approving any data protection statements included in communications such as emails, letters, social networks, and the website.
• Addressing any data protection inquiries made by third parties.
• Monitoring and analyzing changes in laws and regulations concerning personal data, ensuring compliance with requirements, and assisting all parties involved in the Company in complying with this Policy (especially) and all applicable national regulations on personal data protection.
The IT Coordinator of the Company is responsible for:
• Ensuring that all systems, services, and equipment used for data storage comply with acceptable security standards.
• Carrying out regular checks and scans to ensure that hardware and software are functioning properly.
The Administrative and Human Resources Management is responsible for:
• Disseminating knowledge of personal data protection to all employees and all collaborators and associates.
• Organizing training sessions on specialized knowledge and raising awareness regarding personal data protection for employees working with personal data.
• Ensuring the comprehensive protection of personal data of employees, collaborators, associates, and partners.
• Ensuring that personal data of employees, collaborators, associates, and partners are processed based on legitimate business purposes and needs.
• Transmitting data protection responsibilities to suppliers and improving the suppliers' knowledge levels in personal data protection matters.

9. Response to data security breaches.
When CCB ABOGADOS becomes aware of an actual or suspected personal data security breach, the Designated must conduct an internal investigation and take timely corrective measures within a period of fifteen days (from the knowledge of the incident).
If there is a risk to the rights and freedoms of the data subjects, the Company must notify the Personal Data Protection Authority and the Telecommunications Regulation and Control Agency without undue delay and within five (5) days after the occurrence of the event. In the event that the Company acts as a Data Processor, it must notify the security breach to the Data Controller within two (2) days after the occurrence of the event.

10. Auditing and proactive responsibility
The General Board of Partners or the person designated by it is responsible for auditing how well the departments implement this policy.
Any employee, collaborator, associate, or partner who violates this policy will be subject to disciplinary measures, and the employee may also be liable for civil or criminal responsibilities if their conduct violates laws or regulations in accordance with the due constitutional and legal process that will be established for the determination of respective responsibility.
In the event of non-compliance with obligations by employees of the Company regarding this Policy, it will be considered a serious offense under the Company's Internal Regulations and therefore sanctioned accordingly.

11. Conflicts of legislation
This policy is intended to comply with the laws and regulations regarding the protection of personal data in Ecuador. In the event of a conflict between this policy and the applicable laws and regulations, the laws and regulations of Ecuador shall prevail.

12. Management of records stored based on this document
Record name Location Person responsible for storage Record protection controls
Request for consent of the owner Files of each client
Only authorized personnel can access applications 7 years
Request for withdrawal of the consent of the person in charge Files of each client Administrative and Human Resources Management Only authorized personnel can access the requests 7 years
Request for parental consent File of the Human Resources area Administrative and Human Resources Management Only authorized personnel can access the requests 7 years
Request for access, rectification and updating, deletion of personal data. And request for opposition to the processing of personal data. Files of each client, employees and suppliers. Administrative department Only authorized personnel can access requests 7 years
Supplier data processing agreements Administrative area file Administrative department Only authorized personnel can access the folder 7 years after the agreement has expired
Registration of privacy notices File of each client Administrative department Only authorized personnel can access the folder Permanent

13. Validity and management of documents
This document is valid starting from May 8, 2023.