INTERNAL PRIVACY AND PERSONAL DATA PROTECTION POLICY

SSBCC México, S.R.L. de C.V. (“CONFIE”) hereby establishes this Internal Privacy Policy to ensure the responsible, lawful, and proportionate processing of personal data under its custody, in accordance with the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, “LFPDPPP”) and its Regulations.

1. Scope and Objectives

This Internal Privacy Policy establishes the principles and responsibilities that must be observed by all employees, executives, contractors, suppliers, field operational personnel, and any third party processing personal data on behalf of CONFIE, in compliance with applicable regulations.

This Policy applies to the processing of personal data in any format (physical and/or electronic) and in any operational environment, including but not limited to: corporate offices, field operations, commercial activities, administration, finance, and customer service.

2. Definitions

Model Clauses: Contractual clauses establishing the duties and obligations of third parties to whom CONFIE transfers personal data under any legal basis, or through which CONFIE receives personal data from third parties.

Banking and Financial Data: Personal data related to financial information, ownership titles, economic transactions, payments, invoicing, account management, and records of transactions derived from commercial or contractual relationships. Such data is used to verify ownership, process transactions, comply with accounting or tax requirements, and provide services related to CONFIE’s corporate purpose. Examples include:

  • Banking information
  • Billing information
  • Payment and/or collection history
  • Transactional information

Identification Data: Personal data that allows an individual to be distinguished or identified individually within a group. Such data includes, among others:

  • Full name
  • Date of birth
  • Unique Population Registry Code (CURP)
  • Federal Taxpayer Registry (RFC)
  • Official identification
  • Handwritten or digital signature
  • Employee accreditation data
  • Identifiers assigned by the controller for internal management purposes (customer ID, system user ID)

Employment Data: Personal data related to the management of the employment relationship, from recruitment through termination. Such data allows the evaluation, administration, and documentation of the relationship between the individual and CONFIE, as well as compliance with legal obligations in labor, tax, social security, and other applicable matters. This includes, but is not limited to:

  • Résumé/CV information
  • Academic background
  • Employment records
  • Administrative information (vacations, absences, social security data, contributions)

Personal Data: Any information relating to an identified or identifiable natural person.

Processors: Any third party processing personal data in the name and on behalf of CONFIE (suppliers, affiliated companies, and/or service providers).

Processing: Any activity, operation, or set of operations performed on personal data, whether by manual or automated means, with or without the use of information technologies. Examples include: collection, use, transfer, registration, organization, storage, access, consultation, and deletion.

3. Governing Principles for the Processing of Personal Data

At CONFIE, all processing of personal data must comply with the following principles:

  • Quality: Personal Data under custody must be accurate, complete, relevant, and up to date.
  • Confidentiality: Any person with access to Personal Data under CONFIE’s custody must protect and maintain the confidentiality thereof, using such data exclusively for purposes necessary in the performance of their duties.
  • Consent: As a general rule, all processing of Personal Data shall be subject to the data subject’s consent. Consent may be express or implied, depending on the sensitivity of the information.
  • Purpose Limitation: Personal Data shall only be used for the explicit purposes for which it was collected and, where applicable, to comply with Client instructions.
  • Loyalty and Transparency: When CONFIE acts as the Data Controller for Personal Data, data subjects shall be informed of the use of their data through truthful, complete, and up-to-date privacy notices.
  • Lawfulness: All processing activities must have a legitimate purpose aligned with CONFIE’s commercial business needs or internal operational management.
  • Proportionality: Only strictly necessary data shall be collected.
  • Security: Administrative, physical, and technical measures shall be implemented to protect personal data from unauthorized use or disclosure.

4. Personal Data Collected and Purposes

  • 4.1 Employees and Former Employees. Identification Data, Banking and Financial Data, Employment Data, and Sensitive Personal Data. Purposes: To maintain the legal relationship, create employment and medical records, comply with labor, tax, and social security obligations. In the case of former employees, the purpose is to preserve evidence of the employment relationship and process employer deregistration when applicable.
  • 4.2 Candidates. Identification Data and Employment Data. Purposes: To identify and evaluate suitability for recruitment and selection processes.
  • 4.3 Clients and Suppliers. Identification Data and Banking and Financial Data. Purposes: To maintain the legal relationship and fulfill CONFIE’s corporate purpose.

5. Legal Basis for the Processing of Personal Data

All processing is carried out based on: (i) the data subject’s consent when required; (ii) performance of a contract; (iii) compliance with legal obligations (labor, tax, and social security); and/or (iv) where necessary to address an emergency.

6. Transfers and Processors

Transfers shall be limited to those necessary among affiliated entities within the same corporate group, service providers acting as Processors, transfers required to comply with legal obligations, and/or those necessary pursuant to a contract executed or to be executed in the interest of the data subject.

All Controller-Processor relationships involving the processing of personal data must be documented through contractual clauses including instructions, security measures, confidentiality obligations, subprocessors, and deletion obligations upon termination of services, in accordance with CONFIE’s Model Clauses.

7. Retention Periods and Information Deletion

Personal Data shall only be retained for the time necessary to fulfill the applicable purposes and legal obligations. Once the retention period has expired, CONFIE departments must securely delete the information (in physical or electronic format) and document such deletion as evidence.

Specifically, the following rules shall apply to the Human Resources department:

  1. Employment files: 5 years following termination of the relationship or for the period required by applicable legal obligations.
  2. Candidates: If not selected for the position, their information shall be deleted.

8. ARCO Rights and Communication Channels

Consistent with CONFIE’s privacy notices, the formal channel for receiving and processing requests for access, rectification, cancellation, and opposition (ARCO Rights), as well as requests to limit use or revoke consent, is the email address ComplianceTJ@confie.com.

Notwithstanding the foregoing, any CONFIE employee who receives or becomes aware of an ARCO Rights request submitted through another channel must forward it to the aforementioned email address within 24 hours of receipt, in order for it to be reviewed and addressed in accordance with applicable regulations.

9. Security Measures

CONFIE shall adopt administrative, physical, and technical security measures to protect Personal Data, according to the risk associated with the nature of the data, including but not limited to:

  • Access controls based on minimum necessary privileges
  • Cybersecurity protocols
  • Training for all employees regarding personal data processing matters

10. Roles and Responsibilities

Employees: All CONFIE personnel must know and comply with this Policy and ensure that any third party processing Personal Data for which CONFIE acts as Data Controller also complies with confidentiality and data protection obligations.

Privacy Officer: The individual serving as Legal and Compliance Manager shall be responsible for coordinating responses to ARCO Rights requests, promoting a culture of privacy within CONFIE, validating that contracts with Controllers and/or Processors include the Model Clause, and assessing personal data breaches arising from information security incidents.

Information Security: Personnel must notify the Privacy Officer if they become aware of any information security incident affecting personal data, including unauthorized use, access, modification, deletion, or disclosure.

11. Incident Management

In the event of unauthorized access, loss, or disclosure of personal data, the internal protocol shall be activated, including containment, impact assessment, and notification to data subjects when required under applicable regulations. The incident shall be documented, and root causes shall be reviewed.

12. Training and Awareness

All CONFIE employees must participate in the training sessions and courses provided by the organization, whether in person or virtually through Confie University, regarding privacy and personal data protection awareness, in order to understand the content of this Policy and applicable legal obligations.

13. Policy Review and Updates

This Policy shall be reviewed at least once per year to confirm its validity and relevance. Notwithstanding the foregoing, this Policy may be updated as necessary to reflect regulatory or process changes. The current version shall be communicated through email and intranet (Confie Desk).

14. Relationship with Privacy Notices

This Policy supplements CONFIE’s Privacy Notices and operationalizes compliance within the organization.

Version: 1.0
Issue Date: January 2026
Last Review Date:
Last Update Date:
Internal Owner: Legal & Compliance Manager