Data Protection Policy
I. OBJECTIVE
To establish mechanisms for the processing and protection of personal data to guarantee the rights of individuals related to Robalino Abogados Ecuador FEREC S.A. (hereinafter “Robalino Abogados”) and CPA Consulting Ecuador CPAEC S.A. (hereinafter “CPA Consultores”), collectively referred to as “the Firm.”
II. SCOPE
The scope of this Policy applies to the employees of "the Firm."
This Policy applies to business, administrative, technical, and control processes; to all employees, as well as to third parties who provide services or have a relationship with the Firm and manage any type of personal data.
III. DEFINITIONS
Authorization: Prior, explicit, and informed consent from the Data Subject to carry out the processing of Personal Data.
Privacy Notice: A written communication issued by the Data Controller to inform the Data Subject about the applicable Policies, how to access them, and the purposes for which the company processes their personal data.
Personal Data Database: An organized collection of personal data subject to processing, whether automated or not, regardless of the format.
Personal Data: Any information about a natural person that identifies them or makes them identifiable through reasonably utilized means. This includes numerical, alphabetical, graphical, photographic, acoustic, or personal-habit information.
Sensitive Data: Information that affects privacy or could lead to discrimination, such as racial origin, income, political opinions, health, sexual life, physical characteristics, and biometric data like fingerprints or facial patterns.
Data Protection Officer (DPO): A person responsible for informing the Data Controller about their legal obligations, monitoring compliance, and serving as a liaison with the supervisory authority.
Data Processor: The entity responsible for processing personal data on behalf of and under the instruction of the Data Controller.
Data Subject: A natural person whose personal data is being processed.
IV. GENERAL PRINCIPLES
General Definitions of Personal Data Protection:
This policy adheres to the Organic Law on Personal Data Protection of Ecuador and its Regulation. It also incorporates international best practices and guidelines.
Responsibilities, Supervision, and Accountability:
Data Protection Officer: Advises and monitors compliance with data protection regulations, cooperates with supervisory authorities, and acts as a liaison between the organization and data subjects.
Head of Systems and Information Security: Provides guidance on practices and policies to mitigate risks in handling personal data.
Human Resources Management: Trains employees and encourages the adoption of measures to comply with this policy.
V. PRINCIPLES OF PERSONAL DATA PROCESSING
The Firm ensures that the processing of personal data adheres to the following principles:
Legality: Comply with applicable laws and avoid fraudulent data collection.
Purpose: Collect data solely for specific and lawful purposes.
Proportionality: Ensure data processing is adequate and relevant to the established purpose.
Quality: Guarantee data is accurate, up-to-date, and pertinent.
Security: Protect data through technical and organizational measures.
Transparency: Provide clear and accessible information about data processing.
Confidentiality: Ensure proper secrecy and discretion in handling personal data.
VI. RIGHTS OF THE DATA SUBJECT
The Firm guarantees the rights of Data Subjects whose data it processes, in compliance with the Organic Law on Personal Data Protection (LOPDP). These rights include:
Access
The Data Subject has the right to request information about the personal data being processed, the purpose of the processing, the origin of the data, the third parties to whom it has been transferred, and the retention periods.
Rectification and Updating
The Data Subject can request the correction of inaccurate or incomplete data to ensure it is up to date.
Deletion
The Data Subject may request the deletion of personal data when it is no longer needed for the purposes for which it was collected, when consent is withdrawn, or if the processing is unlawful.
Objection
The Data Subject has the right to object to the processing of their personal data for reasons related to their specific situation or for direct marketing purposes.
Portability
The Data Subject has the right to receive their data in a structured, commonly used, and interoperable format and to request that it be transferred to another data controller.
Not to Be Subject to Automated Decisions
The Data Subject has the right not to be subjected to decisions based solely on the automated processing of their data, including profiling.
Suspension of Processing
The Data Subject may request the temporary suspension of processing while the accuracy of the data is verified or in the case of an objection.
VII. RESPONSIBILITIES IN DATA PROCESSING
Responsibilities of the Data Controller
The Data Controller must ensure the implementation of organizational and technical measures to comply with the legislation and protect personal data. This includes informing the Data Subject about the processing of their data and obtaining prior consent.
Responsibilities of the Data Processor
The Data Processor must follow the instructions of the Data Controller and ensure that data is processed securely and confidentially.
Breach Notification Obligations
The Firm is required to notify authorities and Data Subjects about any security breaches that compromise personal data.
VIII. DATA SECURITY
Technical and Organizational Measures
The Firm implements measures to ensure the security and integrity of personal data, including encryption, access management, and system monitoring.
Data Protection Impact Assessments (DPIAs)
Before implementing projects or systems that may affect the privacy of Data Subjects, impact assessments must be conducted to identify risks and establish mitigation measures.
Incident Management
The Firm has protocols for managing and resolving security incidents that compromise personal data, ensuring a timely response and proper communication with affected individuals.
IX. TRANSFER OF PERSONAL DATA
Domestic Transfer
Personal data may be shared with third parties within the country, provided they comply with current regulations and offer adequate protection guarantees.
International Transfer
The transfer of data to other countries is carried out only if those countries have adequate levels of data protection or through agreements that ensure data security.
Transfer Agreements
Before transferring personal data to third parties, agreements must be signed specifying the conditions of use, protection measures, and the responsibilities of each party.
X. RETENTION AND DELETION OF PERSONAL DATA
Retention Period
Personal data will be retained only as long as necessary to fulfill the purposes of the processing and in accordance with the periods established by applicable regulations.
Data Deletion
Once the purposes have been fulfilled, personal data will be deleted or anonymized, unless a law requires its retention.
XI. TRAINING AND AWARENESS
The Firm will implement training and awareness programs for all its employees to ensure compliance with personal data protection regulations. These programs will include:
Periodic training sessions: Designed for new and current employees to disseminate best practices and procedures for handling personal data.
Regulatory updates: Training on changes in legislation or internal policies related to data protection.
Informative materials: Distribution of guides, manuals, and newsletters on privacy and information security topics.
XII. POLICY REVIEW AND UPDATE
This Policy will be reviewed periodically and updated whenever there are changes in regulations, internal processes, or other circumstances requiring adjustments. Updates will be communicated promptly through the Firm's official communication channels.
XIII. SANCTIONS FOR NON-COMPLIANCE
Failure to comply with the provisions of this Policy and data protection regulations by employees, processors, or third parties may result in:
Internal disciplinary actions: In accordance with the Firm’s internal work regulations.
Legal liability: In cases of serious violations that affect the rights of Data Subjects, the Firm reserves the right to initiate legal actions.
Contract suspension: For third parties or processors who breach confidentiality agreements or the conditions established for data handling.
XIV. CONTACT INFORMATION FOR THE DATA PROTECTION OFFICER (DPO)
For inquiries, requests, or to exercise rights related to personal data protection, Data Subjects may contact the Data Protection Officer at:
Email: protecciondedatos@robalinolaw.com
Phone: +593 23810950
Address: Av. 12 de Octubre and Lincoln N26-48, Edificio Mirage, Quito, Ecuador
XV. FINAL PROVISIONS
Scope: This Policy is binding for all employees, processors, and third parties interacting with the Firm.
Interpretation: Any discrepancies in the interpretation of this Policy will be resolved by the Firm’s General Management in consultation with the Data Protection Officer.
Adoption: This Policy becomes effective upon its publication and must be adhered to by all involved parties.