Privacy Notice

CHM COMPLIANCE COMPREHENSIVE PRIVACY NOTICE

CHM Compliance, S.A.P.I. de C.V., hereinafter referred to as the “Organization”, domiciled at Calle Bosque de Radiatas No. 44, Oficina 303, Colonia Bosques de las Lomas, Alcaldía Cuajimalpa de Morelos, Ciudad de México (Mexico City), C.P. 05120, is the processor of the treatment and protection of your personal data pursuant to the Federal Individuals' Personal Data Protection Law (the “Law”), its Regulations, the Privacy Notice Guidelines and our internal policies, hereby provides you with this Privacy Notice (the “Privacy Notice”).

We are pleased to inform you of the following:

1. Personal data or information processed by the Organization

   The following personal data shall be used to achieve the objectives stated in this Privacy Notice:
   
   Representation data (Identification and domicile of individual and/or company)

   • Identification Data
   • Contact Details
   • Equity Information
   • Financial Information

   We hereby inform you that the Organization, Data to which the Organization may have access and with which the Organization shall act as the processor of said data, which any vary in terms of the scope and type of service contracted with the Organization:

   • Personal data of the Client’s employees.
   • Identification data, contact details and equity information of the Client's business suppliers and partners.
   • Client's Equity and Financial Information and, if applicable, of the companies it controls.

   It must be mentioned that the processing of personal data and other data to which the Organization has access shall only be processed pursuant to the Client’s instructions. Therefore, we shall refrain from processing personal data or purposes other than those instructed by the Client and we shall uphold the confidentiality of the personal data processed.

2. Main Processing Objectives

   The personal data collected shall be used to performance the obligations arising from the legal relationship between the Organization and the Client (data controller) on the understanding that said data is necessary to render the service that, requested as:

   • Construction and implementation of Integrity Policies aligned with national and international compliance standards.
   • Implementation of internal and external standards compliance systems.
   • Process mapping, optimization and re-engineering.
   • Operational and financial risk management.
   • Outsourced internal Compliance Officer and Controller.
   • Internal and external auditing based in national and international standards.
3. Secondary Processing Objectives

   The representation data collected for purposes other than the current legal relationship, will be used for Client development and follow-up purposes.
   Please mark any of the following boxes to grant consent for this purpose:

   • Yes, I wish to be contacted or have information sent to me for Client development and follow-up purposes.
   • No, I do not wish to be contacted or have information sent to me for Client development and follow-up purposes.

   The Client of the personal data may revoke or cancel the consent for the treatment of the representation data for this purpose by notifying through the ARCO Rights Request Procedure explained in section 8 of this Privacy Notice.

4. Transfer of Personal Data

   The Organization undertakes not to transfer any type of personal data to third parties (public, private, social or mixed individuals and companies).

   The only data transfers that may be made will be to meet the following assumptions:

   • (i) that there is a legal obligation to do so,
   • (ii) at the requirement of a jurisdictional authority,
   • (iii) that the transfer is necessary or legally required to safeguard a public interest or for the procurement or administration of justice, or
   • (iv) that the transfer is required for the recognition, exercise or defense of a right in a legal process, and
   • (v) when the transfer is required for the maintenance of or compliance with a legal relationship between the Organization and the Client (data controller).
   • (vi) when the Client (data controller) grants its express authorization to share its information or that for which it is responsible.

   In accordance with the aforementioned assumptions, we inform you that data may be transferred to:

   • Authorities that require the information in terms of the applicable legislation.
   • Companies within our own corporate group, which operate under the same internal processes and policies as the Organization.
   • Authorities that request the information from us as part of a legal or administrative process or in situations in which personal data or information needs to be disclosed.

   In all cases, regardless of whether the transfer is national or international, we will provide the receiver with this Privacy Notice in order that said party assume at least the same obligations to which the Organization is subject. This is achieved through contractual clauses or other legal instruments signed by and between the Organization and the receivers of the data or electronic/automated acceptances of same.
   
   We hereby inform you that all the transfers listed in this section are permitted in the terms of Article 37 of the Law; therefore, it is not necessary that this Privacy Notice contain an acceptance clause for the transfer of personal data.
   
   We also hereby inform you that the Organization may be required to share (send) personal information or data with suppliers (processors) that render services to us and should data processing be required, said suppliers shall use the personal information or data solely on our behalf pursuant to our instructions and in the terms of the written contract that stipulates the scope and content of our relationship with the respective supplier(processor).

5. Confidentiality of Information

   The confidentiality of your data is guaranteed and thus it is protected by administrative, technical and physical means to prevent its damage, loss, alteration, destruction, misuse, unauthorized access and/or undue disclosure. Only the persons authorized shall have access to Clients’ personal data or information.

6. Permission to Use Logos

   The Organization may use the Client's logo and/or trading name in corporate presentations and on its web page for information purposes. We emphasize that the project content and information shall be treated confidentially.

   • Yes, I accept and authorize the use of the logo and/or trading name.
   • No, I do not accept and authorize the use of the logo and/or trading name.

   Pursuant to the provisions of Article 386 of the Federal Intellectual Property Protection Law, should the Client authorize the use of the logo and/or trading name, in order to avoid confusion or error among the public, the Organization undertakes to expressly mention in each case the Client's logo and/or trading name is used, that there no type of association exists between the Organization and the Client.

7. ARCO Rights

   The Federal Individuals' Personal Data Protection Law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, in Spanish) lists rights that may be exercised by the holders or owners of the personal data at any time in relation to their personal data. These rights are known as the “ARCO Rights” and are explained as follows:

   • (i) Access to the personal data held by the Organization, as well as awareness of the detail of how it is processed,
   • (ii) Rectification if they are out of date, inaccurate or incomplete,
   • (iii) Cancellation, and
   • (iv) Opposition to its processing for specific purposes.
8. ARCO Rights Request Procedure

   This procedure may be followed to exercise the ARCO Rights, Revoke consent or Limit the data or information of any holder or owner to be processed by the Organization. The procedure also applies to any other request that as a Client of the Organization, needs to be made concerning the processing of the personal data or information by the Organization.
   
   Applicants may send an e-mail to correodedenuncia@ch-m.mx, accompanied by the following information or documentation:

   • (i) Full name of holder or owner.
   • (ii) E-mail address of holder or owner to inform the response to the request.
   • (iii) If applicable, the Client's company name.
   • (iv) If applicable, state the type of relationship with the Client and a corporate e-mail address.

   Attach the following documentation:

   • (i) Current official identification that confirms the holders’ and/or applicant's identity.

   Attach the following if legal representation is required:

   • (i) Current official identification of the holder and legal representative.
   • (ii) Public instrument (proxy granted before a notary public), a proxy letter signed before two witnesses or a statement made during the personal appearance of the holder in order to confirm the representation of the holder.

   Regarding the ARCO Right to be exercised, Revocation of consent or Limitation of the data or information to be processed by the Organization, please state:

   • (i) The clear and precise description of the personal data or information for which the exercise of any of the aforementioned rights is sought.
   • (ii) Any other element or document that facilitates the location of the personal data or information processed.

   For any other information request to be made, please state:

   • (i) The clear and accurate description of your request.
   • (ii) The justification or reason for the request.

   Once the Organization receives the request to exercise the ARCO Rights, the Organization’s Compliance Department Manager shall issue the response within 20 (twenty) business days from the reception date of said request.
   
   In the event that additional information is required for the request, the holder shall be advised within 5 (five) business days from the reception date of said request. The holder shall have 10 (ten) business days to deal with the information requirement; otherwise the request must be filed again.
   
   Once the response on the confirmation of the request is received, the Organization shall process the request within a term not exceeding 15 (fifteen) business days.
   
   The aforementioned terms may be extended for an equal term on one occasion only provided that the circumstances of the case can be justified. If no confirmation of our resolution is received, we shall understand, in good faith, that the holder agrees with said resolution.
   
   We hereby inform that, as processor of the personal data, the Organization may decline the exercise of the ARCO Right requested in the assumptions permitted by the Law and its Regulations, in which case, we shall advise the applicant of the reasons for our denial. The denial may be partial, in which case, we shall enable the access, rectification, cancellation or opposition in the admissible part.

9. Revocation of Consent to the Processing of your Personal Data

   You may revoke your consent to the processing of your personal data or information by following the same ARCO Rights procedure (see section 8 of this notice), on the understanding that once your revocation request is received by the Organization, the response shall be issued within a maximum of 5 (five) business days.

10. Doubts, Complaints and Comments

    You may contact us at any time as we are at your complete disposal to help you with any doubt, complaint or comment you may have regarding the personal data we process on your behalf.

    CHM’s Compliance Department Manager or Compliance Officer is the person responsible for processing and following-up on your requests and ensuring the protection of personal data inside our Organization. You may contact them at this -mail address correodedenuncia@ch-m.mx.

11. Options to Limit the Use or Disclosure of your Personal Data

    You may limit the use or disclosure of your personal data or information by following the same ARCO Rights procedure (see section 8 of this notice), on the understanding that once your request is received by the Organization, the response shall be issued within a maximum of 5 (five) business days.
    
    In order to request the limitation of the use and disclosure of data, we hereby inform you that there are other mechanisms, such as the Public Publicity Prevention Register (REPEP, Spanish acronym) managed by the Federal Consumer Protection Agency (https://repep.profeco.gob.mx/) and the Public Register of Users who do not wish their Financial Products and Services information to be published (REUS, Spanish acronym) of the National Financial Services Users' Protection Commission (CONDUSEF, Spanish acronym) (https://webapps.condusef.gob.mx/reus/app/registro.jsp), in which you can register at no cost.

12. Cost of Procedures

    All the aforementioned procedures are free of charge and on prior agreement by and among the holder or owner of the personal data, the Customer and the Organization, the means used to send the request or the information, if applicable, may be charged.

13. Use of Cookies, Web Beacons and Other Similar Technologies

    We hereby inform you that there are services offered via the Internet that use mechanisms such as Cookies, Web Beaco ns and other technologies that capture data automatically and simultaneously. Said data includes the origin IP address, the browser used, the operating system and the time at which the page was accessed, thereby enabling the user’s Internet behavior to be monitored. We define each term as follows:
    
    Cookies: A data file stored in the hard drive of the user's computer or electronic communication device when browsing a specific website, thus enabling information to be exchanged between said site and the user's browser. The status information may disclose means of identification of the user's session, authentication or preferences, as well as any other data item stored by the browser about the website.
    
    Web Beacons: An image visible or hidden inside a website or e-mail address that is used to monitor user behavior in these media. Web beacons may obtain information such as the origin IP address, the browser used, the operating system and the time at which the page was accessed, and in the case of e-mail, the association of data.
    
    Based on the foregoing, we hereby inform you that the use of these mechanisms can be disabled at any time, in accordance with the instructions that each browser owner company (browser or Internet viewer) has implemented to activate and deactivate said Cookies and Web Beacons.
    
    Browser Controls: Most browsers will allow you to access the cookies stored in your computer and they can be eliminated individually or blocked for all or one particular site. Any preference that has been set will be lost if all cookies are eliminated , including the options to choose not to use them because this process requires their use to be disabled.
    
    For further information about how to change the configuration of your browser to block or filter cookies, you may consult http://www.aboutcookies.org/ (English) or http://www.cookiecentral.com/faq/ (English).

14. Changes to Our Privacy Notice

    The Organization may make modifications, changes and/or updates to this Privacy Notice at any time, which shall be published for the general public via the website (http://chmcompliance.com/).

DATE OF LAST UPDATE: DECEMBER 1st, 2022