PRIVACY NOTICE

    I. Data Controller’s Identity and Domicile

Galicia Abogados, S.C. (the "Data Controller"), in compliance with the provisions of the (Mexican) Federal Law for the Protection of Personal Data held by Private Parties, its Regulations and the Privacy Notice Guidelines (the "Law"[1]) and considering the principles of legality, quality, consent, information, purpose, loyalty, proportionality and responsibility, makes available this privacy notice (the "Privacy Notice"), to disclose the terms and conditions for the processing of personal data that from time to time the Data Controller may collect, use, store, share, transmit and/or transfer.

For the purposes of this Privacy Notice, the Data Controller’s domicile is Boulevard Manuel Ávila Camacho, number 24, 7th floor, Lomas de Chapultepec, C.P. 11000, Mexico City, Mexico.

    II. Personal Information

For the purposes set forth in this Privacy Notice, the Data Controller may require the following personal information: full name, address, date and place of birth, nationality, citizenship, data of their representatives or legal representatives, place of residence, email, telephone, cell phone, general contact and identification information, institution or company to which it belongs, Unique Population Registry Number (Clave Única de Registro de Población), Federal Tax Payers Registration Number (Registro Federal de Contribuyentes) Foreign Tax Identification Number (TIN) or other tax information (such as a tax status certificate), as well as the answers related to your identification contained in the Know- Your-Client form (KYC), and the bank account information that you provide us (in case of bank account information prior express consent that we request and obtain from you), (hereinafter the "Personal Information").

Sensitive Personal Information: Image, for instance, when you provide us with your official identification and Biometric Information in case you are videotaped, photographed or as part of the security and access controls implemented by the Data Controller.

Through your relationship with the Data Controller, some of this information is collected directly from you or indirectly, such as through video recording at events, meetings, or conferences (online or offline) and closed-circuit video surveillance at the Data Controller’s premises. Obtaining this data may also be required by legal or judicial order.

Third Parties Information: whenever you provide us with information from a third party, you must (i) communicate and share with them this Privacy Notice in order to inform them about the scope and characteristics of the processing of their information for the purposes described herein and (ii) only in cases where it is legally required, provide the Data Controller with a copy of the document evidencing the consent granted by such third parties.

    III. Purposes of Processing Personal Information

The Personal Information will be used to (i) contact you; (ii) provide the legal services requested and/or contracted; (iii) create, upload and keep your profile updated in the Data Controller’s database, carry out collection, billing, administrative purposes and other activities inherent to the relationship that you will establish with the Data Controller, create databases to improve customer service, generate statistics, prepare reports, and other necessary within the internal operation of the Data Controller as a service provider; (iv) comply with the purpose of the relationship that has given rise to the processing of Personal Information. (v) to comply with its obligations by virtue of a law, regulation, decree, rule, administrative provision, order, circular, notice and other applicable standards or norms to the Data Controller; (vi) to provide the information required by competent authorities; (viii) to verify your identity and perform background checks, against national and international sanctions lists, in order to perform the commonly known process of screening or background check and activities related to regulatory compliance and due diligence. These purposes are necessary to comply with our legal and contractual obligations.

Secondary purposes: the Data Controller may use your Personal Information for purposes other than those that gave rise to the legal relationship with you. These purposes include offering you the services that the Data Controller provides, as well as sending you directly or through third parties, newsletters, legislative updates, or to inform you about events, news or current issues, communications for advertising purposes, conducting surveys to measure satisfaction and/or quality of the services that the Data Controller provides, to measure the level of interest and your behavior through the navigation on our website, the use and navigation in our social networks, carrying out actions to promote our brand or services, brand positioning, commercial prospecting and for academic purposes or dissemination of legal knowledge.

If you do not want your Personal Information to be used for any of the secondary purposes, please inform us of your refusal by sending an email to comitededatospersonales@galicia.com.mx.

Whenever your Personal Information is no longer necessary for the fulfilment of the purposes described above and those provided for in the applicable legal provisions, the Personal Information will be cancelled, in the terms provided in this Privacy Notice and the Law.

    IV. Transfer of your Personal Information

For the fulfillment of the purposes set forth in this Privacy Notice, the Data Controller may share and transfer, within and outside the national territory, all or part of your Personal Information in the following cases:

  1. With our business partners, contractors, service providers, suppliers, consultants, notaries, public brokerage firms, experts, translators, auditors, insurance companies, and/or advisors of any nature of the Data Controller;
  2. With authorities or regulators, in which case, the information to be transferred will be only those necessary to comply with regulatory or contractual requirements and always in compliance with this Privacy Notice;
  • With auditors and/or companies acquiring all or part of the business or Data Controller businesses and/or its related parties, or to other third parties receiving information by virtue of merger, acquisition or consolidation, for the purpose of perfecting the latter;
  1. In the cases of exception allowed by the Law, or
  2. In cases in which such transfer is necessary in order to comply with legal, accounting, regulatory or contractual obligations of the Data Controller.

The aforementioned transfers are necessary to comply with our legal and contractual obligations. Likewise, we inform you that the Data Controller may share your personal information to third-party service providers necessary to comply with legal, accounting, regulatory or contractual obligations of the Data Controller, as well as to third parties that provide services related to information technology, operation and administration, maintenance and installation.

    V. Security Measures

The Data Controller has adopted the security measures required by Law, and such security measures are identical to those used by the Data Controller to keep its own information. Likewise, due to the nature of the services rendered by the Data Controller, all information containing personal information is considered confidential.

    VI. Means to access, rectify, delete and/or restrict the processing of personal information (ARCO Rights)

In case you have any concern or doubt about how the Data Controller processes your Personal Information or if you wish to access, rectify, delete or restrict the processing of Personal Information, please contact the Personal Information Committee by sending an email to comitededatospersonales@galicia.com.mx providing the information and attaching sufficient documentation that allows us to identify you as the owner of the Personal Information, or at least the following:

(1) Provide your full name and email address. If you do not provide this information completely, the request will be deemed not to have been received.

(2) The document that proves your identity or, if applicable, the identity and faculties of your representative (for instance, a copy of an official identification). The representative must prove the identity of the holder (you), his/her representative identity, and his/her powers to represent you by a public instrument, a power of attorney, a letter signed before two witnesses, or a written statement made by the holder (you) in personal appearance before the Data Controller;

(3) A clear and precise description of the personal information you wish to access, rectify, delete or restrict (i.e., your request);

(4) Description of other elements that facilitate the location of your personal information.

The documents must be scanned and attached to the email to verify the veracity of such documents.

The Personal Information Committee will acknowledge receipt of your request. The request will be analyzed in accordance with the Law, and the corresponding response will be given no later than 20 business days after the day on which it was received to the email address used by you to file your request.

If your request is valid, it will be effective within 15 business days after we communicate our response. If you are dissatisfied with the notified response, you will have a period of 20 business days to contact us, indicating your disagreement or concern, in order to solve the situation. The Data Controller may extend the deadlines referred to in this paragraph only once, for a period equal to the original one, which will be communicated to you.

Please note that certain Personal Information may be exempt from such access, rectification, suppression, copying and deletion in accordance with the Law. The Data Controller may deny the request to exercise your “ARCO Rights” in the cases permitted by Law. The reason for such a decision will be communicated to you. Our refusal may be partial, in which case the Data Controller will carry out the request to access, rectify, delete or restrict the processing of your data in the appropriate part.

    VII. How you can revoke your consent

To revoke your consent to the processing of your Personal Information, you should send an email to comitededatospersonales@galicia.com.mx. However, we may not be able to respond to your request and conclude the processing of your Personal Information immediately since it is possible that, due to some legal obligation, we may need to continue processing your Personal Information. Please also note that the revocation of your consent may result in the impossibility of rendering our services to you.

    VIII. How you can limit the use or disclosure of your Personal Information

You may limit the use or disclosure of your Personal Information to prevent it from being used or disclosed for purposes other than those that gave rise to or are necessary for your legal relationship with the Data Controller. If you wish to limit the use or disclosure of your Personal Information, you must send an email to comitededatospersonales@galicia.com.mx in order to be included in an exclusion list to be created by the Data Controller.

    IX. Amendments to the Privacy Notice

This Privacy Notice may be modified due to the implementation of improvements or additional security measures or due to legal requirements or updates required by the Data Controller concerning the purpose of processing personal information and/or as part of its operations as a service provider. Any modification to the same will be published on the web page www.galicia.com.mx. The modified Privacy Notice will take effect seven business days after its publication.

    X. Consent

If you do not agree with this Privacy Notice, you should refrain from providing personal information to the Data Controller, using or requesting the Data Controller’s services and entering, browsing and/or using the functions and services of the Data Controller’s website. Your consent to the processing of your personal information in accordance with the terms herein provided shall be considered tacitly granted; understanding tacit consent when having made this Privacy Notice available to you, you do not express any opposition. Likewise, we will understand any delivery of information, as well as your access and use of our platforms and/or services, or participation in our forums and events as a manifestation of your consent and acceptance of this Privacy Notice.

Whenever required by law, with respect to certain types of personal information, the Data Controller will take positive and affirmative measures to obtain your consent. Your consent to the processing of personal information in accordance with the terms provided herein shall be deemed expressly granted when any of the following events occur: (i) you sign a copy of this Privacy Notice, or (ii) by signing any contract, service proposal or engagement letter that refers to it, or (iii) you expressly state your consent by checking a checkbox that we will enable on our website or platforms (so that this requirement is clearly and unequivocally met), or (iv) any mechanism or procedure permitted by Law. By your acceptance (tacit or express, as the case may be), you also agree to any transfer of personal information that may be made by the Data Controller in accordance with the terms of this Privacy Notice.

March 2024

[1] Ley Federal de Protección de Datos Personales en Posesión de los Particulares, su Reglamento y los Lineamientos del Aviso de Privacidad