Privacy Notice

Mexico City, December 1, 2023.

In compliance with the provisions of the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Federal Law for the Protection of Personal Data Held by Private Parties, the “LFPDPPP” or the “Law”), its Regulations (the “Regulations”) and the Privacy Notice Guidelines (the “Guidelines”), among other applicable provisions in force in the United Mexican States (“Mexico”), the following Privacy Notice is made available to the holder of personal data.

PRIVACY NOTICE

FOR CUSTOMERS AND POTENTIAL CUSTOMERS

ENESTAS, S. DE R.L. DE C.V.

In your capacity as Data Holder (in terms of the LFPDPPP), we inform you of the terms and conditions under which ENESTAS, S. DE R.L. DE C.V., (“Énestas” or the “Responsible Party”) will carry out the processing of the personal data that you provide to us and are under our control and scope of reasonable decision, as well as the form and means under which you may exercise your rights to privacy, to exercise control over your personal data and to the protection thereof, in accordance with the Law, the Regulations, the Guidelines and other applicable provisions for complying with the principles of legality, quality, consent, information, purpose, loyalty, proportionality and responsibility.

FIRST. Identity and address of the Responsible Party. For the purposes of this Privacy Notice, the Responsible Party is domiciled at Paseo de los Tamarindos 100, Piso 2, Colonia Bosques de las Lomas, Demarcación Territorial Cuajimalpa de Morelos, C.P. 05120, Mexico City, and it will process the Holder’s obtained personal data solely and exclusively for the purposes set forth herein.

SECOND. Purpose of processing the personal data. The personal data that you freely and voluntarily submit to the Responsible Party by any means that we make available to you, or that reach us through publicly accessible media, or by any other lawful source (hereinafter and as a whole the “Personal Data”) considering at all times the interests that assist you in terms of the Law and the Regulations, may include:

Personal data: full name, place and date of birth, official identification document, home address, photograph, INE (National Elector Card) or passport number, social security number, employer’s number, company of origin, position, e-mail work address, landline and/or mobile telephone numbers, Federal Taxpayer Registry Number (RFC), contact information, Unique Population Registry Code (CURP), nationality, marital status, educational level, professional experience, professional references, socio-economic study results, e-mail address and data of the same nature, among others and exclusively under this category.

Financial and/or wealth data: tax domicile, tax status, financial statements, information related to tax obligations, information related to your income and expenses, billing information, bank information (account number; CLABE, SWIFT, ABA codes), commercial activity, commercial references, information related to private insurance, information from your employment record, position held and data of the same nature, among others and exclusively under this category.

Sensitive personal data: blood group, chronic diseases, allergies, present and future health status (including symptomatology), medical examination results, psychosocial examination results and data of the same nature, among others and exclusively under this category.

The Personal, Financial and/or Wealth Data and Sensitive Personal Data will be collected directly from the Data Holder, either personally or through other optical, audible or visual means, or by any other legally permitted technology. For consultation and verification purposes – as well as to make sure that the Personal, Financial and/or Patrimonial Data and Sensitive Personal Data that you have freely provided are correct and current – the Responsible Party and/or its affiliates or subsidiaries may collect information from personal references, work references and from other sources, such as telephone or work directories, job boards, databases considered as public, social networks, among others, as well as request its update directly to the Data Holder.

The Law states that the processing of such data must be done in strict observance and compliance with the principles of legality, quality, consent, information, purpose, loyalty and proportionality, so that the Responsible Party is obliged and committed to strict compliance with such principles both in the collection and processing of Personal Data of its present or future customers, including, as the case may be, employees and personnel who are part of said customers.

In this regard, Personal Data may be collected and used for the following purposes:

Primary or necessary purposes: Are those that give rise to or are necessary for the pursuit of a potential, present or past legal relationship between you and the Responsible Party, i.e.:

(i) to contract services or purchase products that the Responsible Party offers and/or markets to the general public;

(ii) to carry out the quotation of the different services and/or products regarding which you need information and that the Responsible Party provides and/or markets to the general public;

(iii) to register the client in the Responsible Party’s system;

(iv) to deliver requirements, proposals and/or information of a commercial nature in relation to your business needs;

(v) to compile your file as a client of the Responsible Party;

(vi) to prepare all the information related to the relevant payments that you will make in favor of the Responsible Party for the services and/or products rendered and/or provided by the Responsible Party;

(vii) for identification purposes;

(viii) to know your present or future state of health (including symptomatology) for those cases in which it is necessary for prevention, medical diagnosis, provision of health care or management of health services, if applicable, or to determine if as a result of your state of health you could put at risk the health of other customers, suppliers or associates and, consequently, to carry out the necessary actions to safeguard your integrity and that of the other associates, customers or suppliers with whom you interact, as well as to execute the necessary actions to protect individual and collective health in the event of any health emergency;

(ix) to carry out the necessary financial evaluations to determine your viability as a present and future client;

(x) to elaborate and/or modify contracts, agreements, commercial agreements and/or any other document in which the processing of your Personal Data is foreseen as necessary to give, generate, fulfill or terminate any commercial, legal or business relationship with the Responsible Party;

(xi) to exchange information with affiliates and/or subsidiaries of the Responsible Party;

(xii) for a possible assignment abroad with affiliates and/or subsidiaries of the Responsible Party;

(xiii) to comply with the applicable requirements of the Ley Federal del Trabajo (Federal Labor Law) or of the applicable tax legislation, and

(xiv) in case of any requirement by the competent Authorities to comply with the applicable laws.

Secondary or Non-Necessary Purposes: Are those that do not address the commercial, legal or business relationship, i.e.:

(i) to evaluate the quality of the products and/or services exchanged and/or provided, and

(ii) to contact you personally, via telephone or e-mail for marketing, advertising or commercial prospecting purposes.

The Personal Data collected or obtained will be processed for the aforementioned purposes, so that the Responsible Party will store such Personal Data for the duration of the contractual, commercial or legal relationship between the Data Holder and the Responsible Party, whether it is of a civil, commercial, labor or any other nature.

THIRD. Options and means to limit the use or dissemination of Personal Data. In order for the Data Holder to limit the use and/or disclosure of his/her Personal Data, the Data Holder may visit the address located at Paseo de los Tamarindos 100, Piso 2, Colonia Bosques de las Lomas, Demarcación Territorial Cuajimalpa de Morelos, C.P. 05120, Mexico City; send an e-mail to marketing@enestas.com.mx, or call the following number: +(52)5568320752.

Likewise, the Data Holder is informed that the Personal Data will be stored and protected in computer equipment or databases that are classified as confidential information, with sufficient security and access controls to protect and maintain the security of the data collected and contained in the systems of the Responsible Party.

FOURTH. Means to exercise the rights of access, rectification, cancellation or opposition (ARCO). The Data Holder at all times shall have the right to access, rectify, cancel his/her Personal Data, and even to oppose the use thereof; therefore, in order to exercise the so-called ARCO rights, the Data Holder shall contact the Responsible Party at the address located at Paseo de los Tamarindos 100, Piso 2, Colonia Bosques de las Lomas, Demarcación Territorial Cuajimalpa de Morelos, C.P. 05120, Mexico City, at the website www.enestas.com or by e-mail addressed to marketing@enestas.com.mx by means of the ARCO rights request, which must contain the following information:

  • Full name of the Data Holder and e-mail address where he/she can be contacted regarding the request submitted.
  • Copy of the Data Holder’s official identification.
  • In case of submitting such request on behalf of the Holder, a Notarial Testimony or Simple Power of Attorney in the terms of the Federal Civil Code accrediting the applicant as the legal representative of the Data Holder must be attached.
  • Clear and precise description of the Personal Data with respect to which it is sought to exercise any of the ARCO rights, as well as the declaration of the specific right to be exercised.
  • Elements or documents that facilitate the location of the Personal Data.
  • Any other document required by the applicable laws in force at the time the request is submitted.

Likewise, the Data Holder may revoke his/her consent for the processing of his/her Personal Data at any time, for which he/she must send a written request to the Responsible Party in the terms indicated above, for which purpose the Responsible Party will analyze the revocation request and, if appropriate, will notify the result, in the understanding that as of said date the data of the Data Holder will not be used.

The Responsible Party shall not be obliged to cancel the Personal Data in the following cases:

  • That such Personal Data relate to the parties of a private, social or administrative agreement and are necessary for its implementation and fulfillment.
  • That they must be processed by legal provision.
  • That judicial or administrative actions related to tax obligations, investigation and prosecution of crimes may be hindered.
  • Those that are necessary to protect the legally protected interests of the Data Holder, to carry out an action in the public interest, to fulfill an obligation legally acquired by the Data Holder and that are subject to processing for health prevention, for medical diagnosis or for the management of health services, provided that such processing is carried out by a health professional subject to a duty of confidentiality.

FIFTH. Transfer of Personal Data. The Responsible Party may disclose or transfer the Personal Data you provide in accordance with the applicable legislation or by requirement of the competent authority, for which the express consent of the Holder of such Personal Data, as defined by the Law and its Regulations, is not required.

Furthermore, the Responsible Party may transfer your Personal, Financial and/or Wealth Data, and your Sensitive Personal Data, for commercial purposes to any controlling, controlled, subsidiary and/or affiliated company that operates under the same standards, processes and/or internal policies under which the Responsible Party operates.

The Responsible Party may transfer your Personal, Financial and/or Patrimonial Data, and your Sensitive Personal Data, to selected third party suppliers and/or customers with whom the Responsible Party enters into contracts, provided that the transmission of the Personal, Financial and/or Patrimonial Data, and the Sensitive Personal Data, is necessary for the potential, present or past contractual relationship maintained with you.

The Personal, Financial and/or Patrimonial Data, and the Sensitive Personal Data that you provide to the Responsible Party may be compiled and stored in a database exclusively owned by the Responsible Party, which will have a treatment limited to the fulfillment of the purposes set forth in this Privacy Notice and the regulations in force.

The Responsible Party undertakes to respect this Privacy Notice at all times, and to ensure that its business partners respect it as well.

In terms of article 37 of the Law, your consent is not necessary to carry out the transfers of personal data mentioned herein.

SIXTH. Changes or modifications to the Privacy Notice. The Responsible Party may modify, change or update this Privacy Notice as a result of new legal requirements, its own needs for the services offered, its privacy practices, changes to its business model or other causes. The Responsible Party undertakes to keep the Data Holder informed about the changes, modifications or updates to the Privacy Notice.

The Responsible Party will notify of any change, modification or update to the Privacy Notice by publishing a modification paragraph to the Privacy Notice on its website. The Responsible Party will issue such notification fifteen (15) days prior to the date on which the changes, modifications or updates to the Privacy Notice are to take place.

Holder’s consent

I hereby give my express consent for my Personal, Financial and/or Patrimonial Data, and my Sensitive Personal Data, to be processed by the Responsible Party in accordance with the terms and conditions of this Privacy Notice. Likewise, I acknowledge that I may have access to Personal, Financial and/or Patrimonial Data, and Sensitive Personal Data of clients, suppliers, service providers, representatives of the Responsible Party and its employees, for which I hereby agree to treat such Personal Data in a responsible manner and under the strictest confidentiality, in accordance with the provisions of the Law, its Regulations, the Guidelines and other applicable legal provisions, including but not limited to the Federal Law for the Protection of Industrial Property and the Federal Labor Law.

Date this Privacy Notice was last updated: [01/Dec/2023]