Introduction

Chariklo SRL., its Divisions (hereinafter “Chariklo” or “the Company”) confirms and formalizes its commitment to the values and principles of business ethics and to the fight against Corruption and illegality through this Policy.

Chariklo has developed its Code of Ethics, as well as this Anti-Corruption Policy, to prevent and combat Corruption. Violation of the Code of Ethics, internal policies, or applicable anti-corruption legislation, even when the action or operation is carried out outside the Dominican Republic, may give rise to civil and criminal sanctions, which range from fines to penalties. deprivation of liberty and are applicable both at the personal level and at the Company level.

At Chariklo the commitment to the Protection of Personal Data belongs to everyone.

Aim

Chariklo’s Privacy Program is designed to provide the structure and guidance required to incorporate appropriate Privacy practices and standards into daily operations to build trust and provide transparency and protection to the people who trust us with their personal information.

The objective of this Policy is to establish the applicable principles and guidelines for the proper use of personal information, as well as the physical, technical and administrative security measures to which we must adhere, diligently accrediting our responsibility towards the different obligations provided. in the applicable regulations and ensure the reputation of the Company as an entity committed to privacy and Protection of Personal Data.

Likewise, this Policy establishes the guidelines applicable to the Privacy of communications related to the provision of our Services.

Scope

This Policy is applicable and mandatory for you and for each and every one of our Employees, both internal and external of Chariklo, Data Processors and Third Parties, who have access to Personal Data held by Chariklo in each of the countries in which those of us who operate, so it is important to know, understand, promote and respect the principles, values and guidelines contained therein.

Definitions

Privacy Notice: Physical or electronic document, generated by the Controller, which is made available to the Owner, prior to the Processing of their Personal Data.

Confidentiality: It is the obligation that all people who process Personal Data have, not to disclose them.

Personal Data(s): This is any information concerning an identified and/or identifiable natural person.

Sensitive or Special Personal Data: Data whose misuse can cause, with a high probability, greater damage to the Owners. Some examples are health data, political and religious preferences, sexual orientation, union membership, and sometimes some biometric data.

Employee(s): Any person or persons who are employed under an individual or collective bargaining agreement by Chariklo or any of its Divisions and/or who provide professional services or services of a similar nature to Chariklo or any of its Divisions.

Data Processors: The natural or legal person who, alone or jointly with others, processes Personal Data on behalf of Chariklo or any of its Divisions.

Privacy Team: Data Protection Group that makes relevant decisions and coordinates Chariklo’s Privacy strategy.

Management: It is the area of Chariklo responsible for establishing an Integrity and Compliance Program that includes adequate and effective control, surveillance and audit policies and systems, and that constantly and periodically examines compliance with integrity standards throughout the organization. info@chariklo.net

Subsidiary Management: It is the area of the Subsidiary responsible for executing, monitoring compliance and disseminating the Integrity and Compliance Program, in accordance with the criteria, indications and evaluations of Chariklo Management.

Privacy: It is the appropriate use or processing of Personal Data or personal information in accordance with the purposes authorized by the Owners and applicable laws.

Integrity and Compliance Program: Program developed and supervised by Management that includes, but is not limited to: (i) the development of policies and other Company guidelines to comply with current legislation; (ii) the identification, prevention and mitigation of operational and legal risks in order to guarantee long-term reputational value of the Company and generate greater certainty to its value chain; (iii) the establishment of adequate and effective control, surveillance and audit systems, which constantly and periodically examine compliance with integrity standards throughout the organization; and (iv) managing the operation of the Complaints Portal and coordinating training on compliance issues.

Privacy Program: The set of policies, guidelines, awareness instruments, training and mechanisms implemented by Chariklo to demonstrate compliance with the various obligations regarding Privacy and Protection of Personal Data at Chariklo.

Protection of Personal Data: It is the right that protects the natural person or Owner against the illicit processing of their Personal Data, granting them the power to decide and control the use of their information.

Referral: It is the communication of Personal Data between the Controller and the Processor.

Responsible: It is the company that decides on the use that will be given to the Personal Data. Each Chariklo Subsidiary is responsible for the Personal Data entrusted to it by the Owners.

Risk: Probability of a negative event occurring and the effect or impact of such event, the existence of which represents a threat (source of danger) and vulnerability of the Company to its effects.

Security: Implementation of appropriate physical, technical and administrative measures for the Protection of Personal Data.

Services: Those services derived from any contract for the provision of services that a Holder signs with one of the Divisions and/or subsidiaries of Chariklo; any service related to the use of applications, software, websites and functionalities of terminal equipment and/or any other services that the owners voluntarily decide to acquire.

Subsidiary: Any entity that is under the control of Chariklo.

Third party(s): Distributors, representatives, advisors, business partners, agents, intermediaries, clients, contractors, managers, lobbyists, consultants or suppliers who are part of Chariklo’s value chain or who represent the Company during an interaction with another Third, a Government or public servants. Civil society organizations and educational, charitable, cultural or sports institutions are included.

Owner: The natural person to whom the Personal Data concerns.

Transfer: Any communication of Personal Data made to a person other than the Controller or Data Processor.

Treatment: The obtaining, use, disclosure or storage of Personal Data, by any means. Use covers any action of access, handling, use, transfer or disposal of Personal Data.

General guidelines

Privacy Program

In order to raise our standard of Personal Data Protection, we have adopted a Privacy Program that establishes the fundamental bases on which the various actions implemented by Chariklo are built to comply with the different legal obligations that concern us and to demonstrate continuously and

transparent that we have implemented the necessary controls to protect Personal Data in all phases of processing.

The bases on which our Privacy Program is built are:

  • Responsible Management. For Chariklo, taking care of Personal Data is an everyday job, and it takes the form of a proactive responsibility by which we apply the appropriate physical, technical and organizational measures in order to guarantee and be able to demonstrate that the Processing of Personal Data that we carry out is carried out in accordance with applicable regulations.
  • Commitment. We guarantee that Personal Data is protected and used exclusively for the purposes authorized by the Owners and by applicable regulatory requirements.
  • Legality. All of us who are part of Chariklo and at different levels of the organization are obliged to comply with the processes and policies to protect Personal Data in our company, as well as applicable laws.

For Chariklo, the Protection of Personal Data is a fundamental activity to guarantee respect for human rights in each of the jurisdictions in which we are present. In this sense, we have a firm commitment to provide lawful processing of Personal Data and apply the necessary measures to demonstrate responsible handling thereof, which are described in these guidelines.

Data Protection by Design and by Default

We will apply appropriate physical, technical and organizational measures, both at the time of determining the means of Processing and at the time of the Processing of Personal Data, taking into account the state of the art, the cost of the application and the nature, scope, context. and purposes of the Treatment, as well as the risks that a certain Treatment could imply for the rights and freedoms of the Owners.

Likewise, we will apply appropriate technical and organizational measures to ensure that, by default, only Personal Data that is necessary for each of the specific purposes of the Processing is subject to Processing.

Privacy Team

For the purposes of disseminating, executing and monitoring compliance with the Privacy Program and this Policy, we structure a Privacy Team with expert personnel and extensive experience in the laws and best practices of Personal Data Protection of each Subsidiary and/or region with the in order to understand how each main unit works and your Privacy needs. The Privacy Team works to ensure that the privacy standard

Chariklo supports compliance with legal obligations, and aligns with our business objectives, achieving maximum Protection of Personal Data at all levels.

Chariklo Privacy Team Integration

The Privacy Team is made up of the Local Data Protection Officer (or “Responsible” or “Delegate” of local privacy, without prejudice to the terminology adopted in accordance with the applicable regulations) who is designated for this purpose and will be the Responsible for Personal Data Protection for one or several Chariklo Divisions, located in a specific country or region. Each Subsidiary and/or region will designate the expert personnel that it considers necessary for the performance of its functions.

The Privacy Team will be led by Chariklo’s Data Protection Officer who is part of our Company Management.

Chariklo Privacy Team Features

The functions of the Chariklo Privacy Team will be, but are not limited to, the following:

  • Define and coordinate the implementation of actions, tools and mechanisms to promote the culture of Personal Data Protection in Chariklo and accredit compliance with the different Personal Data Protection obligations provided for in the applicable regulations.
  • Issue the necessary policies of mandatory observance for the Company.
  • Identify threats and coordinate the evaluation of Privacy Risks.
  • Design strategies to prevent security breaches, non-compliance with applicable law and guarantee the rights of the Owners.
  • Carry out audits and reviews to monitor compliance with our policies and applicable regulations.
  • Coordinate training and communication strategy on issues related to Privacy and Protection of Personal Data.

Duties of the Local Data Protection Officer

Without prejudice to the functions that this figure must fulfill by applicable legislation in each country, it must, at a minimum:

  • Participate appropriately and in a timely manner in all issues related to the Protection of Personal Data.
  • Provide advice on Personal Data Protection to the business units and project implementation of its Subsidiary and/or region and coordinate the necessary actions to ensure due compliance with the Personal Data Protection policies and/or practices.
  • Analyze, monitor and evaluate the logical flow of personal information to identify the Treatments, the life cycle and databases to which the relative legislation applies.
  • Prepare, review and, where appropriate, make modifications to Privacy Notices, in accordance with applicable legislation.
  • Process in a timely manner the requests of the Owners for the exercise of the rights of the owners over their personal information and establish the procedures for addressing complaints in this matter.
  • Monitor compliance with the principles and duties established by the applicable Personal Data Protection regulations, as well as Chariklo’s Privacy and Rights Protection Policy and other related policies and procedures.
  • Review and update contracts with Third Parties regarding Transfers and Remissions of Personal Data.
  • Respond to and manage the requirements made by the authorities regarding Personal Data.

Risk assessment

An important pillar of our Privacy Program is the identification of existing legal obligations and processes regarding the Protection of Personal Data and the determination of the degree of compliance in each of the Chariklo Divisions. Risk analysis is a tool that allows us to carry out an objective assessment of the risks and the possible measures that we can use to mitigate them.

To do this, we consider the different legally applicable requirements, best practices and international standards regarding Personal Data Security that are applicable and relevant.

Among the functions of the Privacy Team is to map how Personal Data is processed through each of our Divisions, identify threats and evaluate their risks with the purpose of designing strategies to prevent security breaches of Personal Data and/or non-compliance with applicable regulations and guarantee the rights of the Owners.

Likewise, work will be done to treat the Risks with the aim of reducing their level of exposure, improving the control measures that allow reducing the probability and/or impact of them materializing, as well as mitigating the inherent Risks based on the measures. that are adopted until the residual risks are placed at levels that are considered reasonable.

Following the principles of proactive responsibility and continuous improvement, our Risk map will be updated annually, without prejudice to said update being reviewed as a result of relevant issues that affect its results.

Data Protection Impact Assessment

When it is likely that a type of Treatment, particularly if it uses new technologies, due to its nature, scope, context or purposes, entails a high risk for the rights and freedoms of the Owners, each Subsidiary or region must carry out, prior to the Treatment, an evaluation of the impact on the Protection of Personal Data according to the guidelines that are applicable in accordance with the best international practices and the regulations in force in the jurisdictions in which we operate.

Data Inventory

At all times, and as our Processing activities arise or evolve, we will maintain a record of the Personal Data Processing activities that we carry out, as well as those that are carried out by Third Parties authorized by us in accordance with the legally applicable requirements.

Legitimation for the Processing of Personal Data

Chariklo processes the Personal Data of the Owners to comply with the legal relationship and provision of the contracted Services. Our activities, to be legal, must be supported by a basis of legitimation or due legal authorization.

Our actions to process Personal Data fairly and lawfully will focus mainly on:

  • Obtain the respective consent in cases where it is required to process Personal Data, unless it is not necessary in terms of the provisions of the applicable regulations.
  • We process Personal Data exclusively for the explicit purposes authorized by the owner and we will not use it for any other purpose, except when expressly authorized.

Transparency

In accordance with the provisions of the applicable regulations, prior to collecting Personal Data we must inform the Owners, in a fair, transparent manner and with clear and simple language, at least the following:

Identity of the Organization Responsible for Data Processing

We will inform the Owners about the identity and address of the Company and/or entities responsible for the Processing of the Personal Data that they entrust to us.

Personal Information that we collect about the Owners

At Chariklo, we can collect in different ways and through different channels, in person or directly from the Owners, or indirectly when they are provided by our Divisions and/or subsidiaries, Third Parties with which we have entered into binding agreements, as well as from legitimate publicly accessible sources.

We may process Personal Data belonging to different categories depending on the nature of the contracted Services and/or the relationship we have with the Owners, among which we can mention, but are not limited to: Personal identification and authentication data, contact, patrimonial and/or financial, fiscal, demographic, data on the devices used to provide our Services and their geographical location, information about preferences and interests related to our Services, as well as information generated due to the use of the Services we provide.

Regarding the information we collect from Employees and candidates, we may process Personal Data for identification and authentication, contact, property and/or financial, tax, demographic, academic data, employment data and personal data that are generated during the legal relationship. that we hold with them.

Likewise, in particular cases, we may collect biometric Personal Data related to your physical and physiological characteristics (fingerprint, facial features, iris, hand geometry) and/or behavioral and personality characteristics (signature recognition, handwriting recognition, recognition voice, keyboard writing recognition) or data related to the current and/or future health status of our Employees and/or Third Parties in order to comply with certain labor, health and/or public health obligations.

Third Party Data

In certain cases, we may process Personal Identification and Contact Data of Third Parties to be contacted as personal references associated with the owner of the service for purposes related to compliance with the obligations derived from the contracted Services and/or offering our Services. Likewise, we may process Data

Third Party Personnel when our Employees provide them for contact purposes, in case of emergency or to manage certain employment benefits.

Boys, Girls and Adolescents

At Chariklo it is prohibited to collect information directly from children and/or adolescents, so, if we become aware that said information refers to said Owners, we will proceed to delete it immediately. We will only collect information from children and/or adolescents with the consent of their father, guardian and/or person with parental authority in terms of applicable legislation.

Device Information

When you use our Services, in particular through the use of applications, software or programs owned by Chariklo, we may directly collect and/or infer from the use of certain Services, information related to the device used for the provision of the Services. Services, including that referring to the technical, configuration and operational characteristics of the same, information generated by other devices connected or used (including your IP address, device identification data, preferences and information derived from interactions with other devices and applications) , data related to internet browsing, data on the use and consumption of Internet Services, information related to the use of software and applications and information on the use of Third Party Services.

Use of Cookies, Tracking Technologies and Similar Technologies

Our websites and applications may use cookies, web beacons and other tracking technologies through which it may be possible to monitor the behavior of users of our Services, offer new products and Services based on your preferences and interests, provide better service and/or improve the browsing experience on our website(s ) . To comply with the above, we may use our own and third-party cookies in accordance with the provisions of the cookie policy of the corresponding website . In the cookie policy you will find information about which cookies we use, the purposes for their use and the mechanisms available for disabling them when they are not necessary for the functioning of our websites.

Use of Algorithms, Artificial Intelligence and Big Data

In certain cases, we may use algorithms based on artificial intelligence to carry out certain activities of analysis of consumption trends and preferences regarding the use of products and Services, prediction of behavior and consumption trends on our Services, profiling and analysis of information to technical purposes and improvement of our products and Services. If we use these technologies, we will ensure that they are fair and based on ethical values aimed at respecting the dignity and freedom of people, without their adoption implying discrimination or direct impact on people’s rights.

When legally required, according to applicable regulations, we will disclose the aspects considered for the adoption of certain technologies based on artificial intelligence algorithms.

Anonymized Information

Whenever possible and we do not have the need to identify the Owners, we will apply information protection techniques such as the anonymization of Personal Data to reduce the risks of improper Processing of Personal Data. When we apply certain anonymization techniques, since there is no possibility of individual identification, the personal data protection regulations will not be applicable.

Uses that we can give to Personal Information

The personal data we collect may be used for different purposes depending on the type of information collected, the Service and the context for which it was collected. Chariklo will inform about the primary and secondary purposes for which it obtains the information, the most frequent being the following:

  • Contracting the service and compliance with the obligations derived from its provision.
  • Personalization and improvement of our Services according to customer needs.
  • Identification and promotion of Services that may be of interest to our clients.
  • Sending advertising and commercial prospecting.
  • Processing of Personal Data without human evaluative decision and profiling activities.
  • Compliance with the obligations provided for in applicable laws, regulations, court orders, official and public security requirements in force in each of the countries in which we operate.
  • Selection and administration of work personnel.

Personal Data Transfers

Any Transfer and/or Submission of Personal Data will be duly regulated through an appropriate legal instrument in which the obligations and responsibilities of the parties regarding the Protection of Personal Data will be identified in accordance with the legislation applicable in each country.

To comply with the obligations derived from the provision of the Services, we may share data and information of the Owners in the following cases:

  • With competent authorities in the cases legally provided for when a legal provision so requires us or there is a written, founded and reasoned order from a competent judicial authority.
  • With Divisions or subsidiaries companies that comply with the same Privacy standards applicable to Chariklo.
  • With our business partners.
  • With Third Parties that may intervene in the provision of the contracted or requested Services.

In the case of our Employees, we may share your information in the following cases:

  • To competent authorities in the legally provided cases.
  • To banking institutions to make the corresponding payments, to insurers for insurance and reimbursement procedures, to retirement fund administrators and to third parties who collaborate with us in the management of benefits, benefits and incentives that may be applicable.
  • To recruiters and other third-party companies to give employment references of collaborators in which case their consent will be necessary.

Notwithstanding the above, there may be specific cases in which it may be required to share Personal Data and information with other Third Parties, therefore, prior to sharing Personal Data, we will specifically inform about the recipients or categories of recipients and purpose. for which information will be shared.

We will only share such information to territories and/or third parties in which adequate compliance with the applicable Personal Data Protection regulations is guaranteed and there are adequate measures to protect the fundamental rights and freedoms of individuals.

Conservation of Personal Information

At Chariklo we will only keep those Personal Data that are necessary in accordance with the purposes previously informed to the Owners in the corresponding Privacy Policy and/or Notice for the purpose of providing the requested Services, as well as complying with contractual and legal obligations, according to is required.

However, in certain cases and if we have due legal justification, we can retain the Personal Data necessary for the purposes identified in each operation.

We will proceed to the secure and definitive deletion of the Personal Data, once the applicable retention periods have expired. Although it is not mandatory in all jurisdictions in which we operate, we will endeavor to inform Owners of the applicable Personal Data retention periods for each Processing activity.

Owners’ Rights

In accordance with the provisions of the applicable legislation in each of the countries in which we operate, the Owners may have the right to access their Personal Data in a simple and free way, in physical or electronic structured and machine-readable formats, including the obtaining a copy of them, as well as knowing the information about the characteristics of the Processing of your Personal Data (access and portability), modifying them or updating the Personal Data if they are incorrect or not updated (modification or rectification). , request that they be deleted once the purposes of their Treatment have been fulfilled (cancellation or deletion), oppose that they are used for specific purposes, as long as they do not involve compliance with the legal relationship and/or the Services that we provide (opposition ), as well as to request the application of measures on Personal Data such as preventing it from being modified, deleted or deleted (limitation of processing).

At Chariklo we undertake to respond in a timely manner to requests regarding the exercise of rights and possible complaints or claims that the Owners make to us, whenever they fall within our competence. As such, each of our Divisions will clearly establish the means, procedures, deadlines and formats for the above, in accordance with the regulations of each country. This information will be made available to the Owner in a simple and free manner, in legible and easy-to-understand formats to the extent that it is technically possible.

Security and Confidentiality in the Processing of Personal Data

At Chariklo we assume high security standards aimed at guaranteeing the integrity, availability and confidentiality of information in accordance with applicable regulatory requirements and international best practices.

To protect the information entrusted to us, we implement physical, technical and administrative measures to guarantee an adequate level of Security that allows us to protect Personal Data, in any phase of its Processing, against any event that could involve its loss. unauthorized access, use or disclosure or Processing.

Access to the personal information of our clients and Employees is limited exclusively to those Employees who have a need to know it to perform their job duties.

We constantly monitor the proper functioning of our systems, applications and technological infrastructure to guarantee adequate Privacy and Protection of Personal Data. However, events may occur that may compromise the Security and/or Confidentiality of Personal Data. In these cases, you must proceed in accordance with Chariklo’s Information Security Policy and the policy and/or procedure that each operation determines for this purpose. Likewise, in the event that it is determined that the Security incident may compromise the fundamental rights and/or freedoms of the Owners, when the applicable regulations so require, we will proceed to notify the affected Owners and/or the competent control authority in this matter, in order to avoid further impacts on their rights.

It is your responsibility and that of all Employees to know and respect the measures that guarantee the Security and Confidentiality of Personal Data held by Chariklo. Failure to observe the aforementioned Security measures may give rise to Risks for the Company and/or the Owners, a situation that may be sanctioned by the Company and/or the competent authorities.

Pseudonymization and Minimization

In all Personal Data Processing, we will try to process and collect the minimum data necessary to fulfill the purposes for which we request it, in such a way that we will make efforts not to process Personal Data that is excessive and/or is not relevant to fulfill certain requirements. purposes of the Treatment. In particular, we will make notable efforts to limit the Processing and Processing periods of Sensitive Data or special categories of data.

Likewise, whenever possible, we will apply pseudonymization techniques to reduce the Risks inherent in certain Personal Data Processing.

Data Protection Training

As part of our Privacy Program, a comprehensive training program will be instituted for all Chariklo Employees, through adequate dissemination of the obligations related to the Protection of Personal Data, which consists of: (i) an initial training course online, (ii) a set of Privacy tools in our Privacy page for internal use with our policies, guidelines, comparisons, etc. and (iii) training and updating courses on the subject.

Likewise, a Communication Strategy is established in order to create constant awareness on Personal Data Protection issues. Our Privacy Team will be responsible for identifying necessary changes and updating our Employees’ knowledge.

Continuous monitoring

An integral part of our Privacy Program consists of continuous monitoring of our Divisions to control, manage and report on the Risk associated with Privacy management practices.

The Privacy Team will monitor and enforce Privacy requirements in order to ensure that personal information is handled appropriately and aligned with the principles and duties developed in this Policy.

To monitor compliance with our Privacy Program, Chariklo’s Data Protection Officer will have periodic reporting mechanisms by the Divisions in order to have constant monitoring of matters related to Privacy and Protection of Personal Data.

Our Privacy Team will conduct Privacy audits to determine the extent to which systems, operations, processes and people comply with Privacy policies and practices.

Communications Privacy

The Privacy of our clients’ communications is a fundamental principle that governs us, not only by legal provision but because it is based on the trust that the public has placed in us.

The guidelines established by Chariklo regarding Privacy of the communications are:

  • No one may listen to or monitor any conversation, data transmission or other form of communication, nor reveal its existence or content, except by duly founded and motivated written order from the competent authorities in terms of law. However, Chariklo cannot notify the line owner regarding the order of the competent authority.
  • Notwithstanding the above, the delivery of information from individuals may be carried out, the geolocation of a mobile communication line may be carried out, it may be blocked, restricted or a record and control of communications may be kept when such actions are required in terms of the resulting legislation. applicable, and must always be stated in writing, through an official letter issued and signed by a competent authority and whose request is duly founded and motivated in terms of law.

Requirements of Competent Authorities

The Chariklo Divisions that provide telecommunications Services, for reasons of collaboration with national security and in the administration of justice, are obliged as concessionaires and/or authorized to locate lines and deliver their location in real time, preserve, register and deliver certain information about the users of its Services and make it available to the competent authorities for the purposes of investigation, law enforcement, crime prevention or legal compliance, upon request by means of an order or request in writing or by electronic means, founded and motivated by the competent authority and/or judicial resolution in the terms established by the laws in force in the countries where we operate.

Likewise, as required by law and by a competent authority, in certain cases we may be required to block, delete or delete certain content on the Internet. However, in any case, we will properly review and analyze each request in order to comply with the law and guarantee human rights.

It is important to note that not all jurisdictions in which we operate may have the same guarantees to limit access to information to the authorities and in certain cases we will be legally obliged to cooperate with government security and justice entities without the obligation to notify. prior to the user of this practice. However, in any case, we will duly review and analyze each request in order to comply with the law and ensure the privacy of the Owners of our Services whenever this is legally and materially possible.

At Chariklo we are committed to the protection of human rights and freedom of expression, for this reason, the delivery of information to the competent authorities is only permitted in cases that legislation requires and/or requires and in accordance with the requirements established by the legislation applicable to each of the operations that make up the Group.

To comply with these requirements, at Chariklo strict security procedures have been defined, as well as specific criteria for verifying the validity of each request received by the authority.

Modifications to our Privacy Policies

All changes to local privacy policies must be notified to the Owners through a communication posted on the corresponding websites, informing the date of modification thereof.

Prevention

To prevent any breach of Personal Data Protection regulations, our commitments as a Company and yours as a Chariklo Employee or as a Third Party are:

  • Adhere to our Code of Ethics, this Policy, the Information Security Policy, the other applicable policies of the Company and the regulations on Personal Data Protection applicable in each of the countries in which we operate.
  • Guarantee compliance with the principles and provisions detailed in this Policy to carry out legitimate, responsible and transparent use of the Personal Data of the Owners.
  • Prior to collecting any Personal Data, the Owners must be notified of the conditions to which the Treatment of their personal information will be subject through the corresponding Privacy Policy/Notice. In the countries where we operate and where there is a specific regulation regarding Privacy, it is possible to consult the Privacy Notice and/or Privacy Policy of the subsidiary responsible for the use of Personal Data on its own websites. These documents will inform in detail and in accordance with the regulatory requirements in force in the corresponding country, about the conditions to which the Processing of the Personal Data that applies will be subject, as well as the procedures so that the Owners can exercise their rights.
  • The consent of the Owner of the Personal Data must be obtained when it is necessary in terms of the applicable provisions.
  • Obtaining Personal Data should not be done through deceptive or fraudulent means in order to protect the interests of the Owners at all times.
  • Only access should be made to that information that is appropriate and strictly necessary for the performance of job duties. Personal Data may not be collected or processed that does not are necessary to fulfill the purposes of the treatment informed to the Owners.
  • Personal Data must be collected and stored in accordance with the internal procedures of each operation, kept intact, seeking to update it as appropriate, and deleted securely and definitively, once the purpose of its Treatment has been completed.
  • Know, adopt and comply with physical, technical and organizational security measures to protect Personal Data against damage, loss, alteration, destruction or unauthorized use, access or Treatment and seek continuous improvement thereof.
  • Guarantee the Owners the exercise of their rights regarding Personal Data Protection. If you receive a request of this nature, the Local Privacy Officer must be notified immediately. These requests cannot be attended to by Employees, Data Processors or Third Parties.
  • Adhere to the duty of Confidentiality regarding the Personal Data that is in your custody, including the following:
  • Have agreements and/or Confidentiality clauses with staff, suppliers, subcontractors and/or any Third Party that may have access to the information so that it is properly protected.
  • Ensure that Employees understand, recognize and accept their obligations with respect to the information to which they have access, and require that the use of such information is exclusively for authorized purposes.
  • Implement corrective mechanisms in case any violation of the duty of Confidentiality occurs by staff.
  • Ensure compliance with the duties of Confidentiality and Security when Personal Data is processed by Third Parties.
  • Immediately notify the Company of any event and/or threat that may compromise the Security of the Company’s information and/or the Personal Data of the Owners.
  • Adopt appropriate measures and mechanisms to demonstrate compliance with Personal Data Protection obligations that are applicable in terms of current legislation.
  • Adopt internal controls and report, if necessary, through the Complaints Portal and/or to the corresponding authorities, those cases in which an Employee or Third Party commits an act that violates the Company’s Code of Ethics, this Policy and the Information Security Policy or applicable regulation.
  • Promote Personal Data Protection practices throughout the value chain, train staff on preventive measures and carry out dissemination campaigns.
  • Establish necessary measures and procedures to ensure that no one can listen to or monitor any conversation, data transmission or other form of communication, nor reveal its existence or content, unless it is authorized personnel or we must comply with a duly founded written order and motivated by the competent authorities.

Likewise, Chariklo prohibits its Employees or Third Parties, either directly or on its behalf and on behalf of:

  • Disclose the Personal Data of the Owners with unauthorized Third Parties, unless it is a Transfer legally required and/or authorized by the Divisions’ legal team.
  • Do not communicate Personal Data to third parties that do not guarantee adequate compliance with applicable Personal Data Protection standards. Before sharing Personal Data with a Third Party Service Provider, it must be evaluated that said third party complies with the conditions and safeguards necessary for Data Protection.
  • Do not transfer Personal Data to Third States or jurisdictions in which there is no adequate level of protection in terms of the applicable regulations.
  • Use the Personal Data in Chariklo’s possession for a purpose outside its functions.
  • Access personal information when it has not been requested and/or is necessary.

Supervision and Verification of Compliance with the Policy

Management is responsible for supervising, monitoring and, where appropriate, auditing due compliance with the provisions indicated in this Policy and must periodically evaluate its effectiveness.

Management is responsible for periodically evaluating the Privacy Program, which includes, among others, a series of measures that aim to prevent non-compliance with regulations regarding the Protection of Personal Data. Likewise, they are responsible for providing guidance to Employees regarding this Policy, through the email info@chariklo.net jointly with their immediate employees.

If it is necessary to carry out audits, these will be carried out periodically and randomly in the different areas of the Company.

All Company Employees must be committed to supporting and collaborating with the work teams in charge of carrying out said audits without hindering or obstructing the audit processes and without providing false or incorrect information.

Remember that it is everyone’s obligation to comply with and enforce this Policy and report any act that goes against it to info@chariklo.net 

Training and Dissemination

For us it is very important to understand and put into practice what is described in this Policy and in order to promote a culture of transparency, ethics and values, Chariklo offers its Employees and Third Parties, online or in-person courses, which will be announced through the official means of communication of the Company in order to train them so that they can understand the concepts, scope, situations, as well as expose concerns that may occur in the day-to-day work of our work.

It is the responsibility of all of us who work at Chariklo or its Divisions to attend the assigned sessions, comply with the times and with the requested evaluations.

It is your commitment as a Chariklo Employee to disseminate the terms and principles of this Policy and invite Third Parties with whom you maintain business relationships to comply with them.

Cooperation and Coordination

Management is responsible for generating and standardizing, to the extent possible, the Privacy and Personal Data Protection Policy for the Company. However, the Divisions are responsible for complying with applicable legal obligations before the authorities of each country.

Therefore, the Divisions must have an internal regulatory compliance procedure considering the specific obligations of each country on Personal Data Protection issues.

Likewise, the Divisions must ensure that they have effective mechanisms that allow them to cooperate and, when appropriate, establish internal coordination among themselves in the development and implementation of policies and activities for the general due protection of Privacy and Personal Data.

Sanctions

The sanctions for non-compliance with this Policy, both for Employees and Third Parties, may be administrative, labor or even criminal, depending on the severity of the act and will be sanctioned in accordance with the applicable internal work regulations and/or legislation.

Within Chariklo, the Ethics Committee of each Subsidiary will be the last instance in determining the sanction in case of non-compliance with this Policy, without prejudice to the fact that said non-compliance may be additionally sanctioned by applicable legislation and the competent authorities.

Complaints

You, as well as each of the Chariklo Employees and Third Parties, have the right and obligation to report directly to our line manager or Management, any conduct that violates this Policy, our Code of Ethics or any law, regulation, applicable internal policy or procedure and in general any unethical conduct.

Likewise, it is our duty to cooperate with any internal or external investigation and maintain its confidentiality. Employees who make a false or malicious report could be subject to disciplinary sanctions.

Remember that failure to report a serious ethical breach may have disciplinary consequences for you, as you could be covering up an unethical act or crime. Anonymous complaints may be submitted if the complainant so wishes, however, it is recommended to leave a contact person to follow up on the investigation.

It is important that you know that Chariklo has adopted all reasonable and justified measures to protect the confidentiality of the complaint and the complainant and also guarantees at all times that no type of retaliation will be taken against you for reporting.

Likewise, it is important to make it clear that no provision of this Policy will be understood as an obstacle for people to directly file complaints with the competent authorities. In such cases, it is recommended to notify our Legal Department and/or Management so that, if necessary, they can assist with the corresponding authorities.

All complaints will be monitored by Chariklo Management.

Management is the body in charge of supervising and operating the corresponding complaints for proper investigation.

Questions and Comments

If you have any questions related to this Policy or any comments or suggestions, write to us at info@chariklo.net