Legal Framework

– Article 43 of the Argentine National Constitution.

– Law 25,326 on the protection of personal data.

– Decree 1558/2001 of regulation of the law of protection of personal data.

– Provision DNPDP 11/2006 on security measures for the treatment and conservation of personal data.

– All those rules complementary to those indicated above.

Generalities

The policies and procedures of Grupo Costa SRL are based on the aforementioned legal framework, whose purpose is the protection of the information entrusted to Grupo Costa SRL, with the intention of Grupo Costa SRL exclusively to collect information that has been voluntarily provided . This information can be obtained, among others, through any of the following channels or means: (i) commercial or professional relationship; (ii) execution of services; (iii) labor relationship; (iv) application to selection processes; (v) assistance to trainings, seminars or courses; (vi) sending emails requesting information; and (vii) website of Grupo Costa S.R.L.

Grupo Costa S.R.L does not collect or form and / or manage files, banks or records that store information related to personal data, except to be able to contact its owners, comply with legal or contractual obligations by Grupo Costa S.R.L. or to send information of interest or invitations to the activities carried out by Grupo Costa S.R.L. in compliance with its corporate purpose.

Definitions

For the purposes of Law 25,326 it is understood as:

• Personal Data: Information of any kind referred to determined or determinable individuals or persons of ideal existence.
• Sensitive Data: Personal data that reveal racial and ethnic origin, political opinions, religious, philosophical or moral beliefs, union affiliation, income and information regarding health or sexual life.

• File, record, database or database: Indistinctly, they designate the organized set of personal data that is subject to processing or processing, electronic or not, whatever the modality of their training, storage, organization or access.

• Data processing: Operations and systematic procedures, electronic or not, that allow the collection, conservation, management, storage, modification, relationship, evaluation, blocking, destruction, and in general the processing of personal data, as well as its transfer to third parties through communications, inquiries, interconnections or transfers.

• Person in charge of archiving, registration, database or database: Individual or of an ideal public or private existence, who is the owner of a file, registry, database or database.

• Computerized data: Personal data submitted to electronic or automated processing or processing.

• Data owner: Any natural person or person of ideal existence with legal domicile or branches or branches in the country, whose data are subject to the treatment referred to in Law 25.326.

• Data user: Any person, public or private, who performs data processing at their discretion, either in their own files, records or databases or through connection with them.

• Dissociation of data: All processing of personal data so that the information obtained cannot be associated with a specific or determinable person.

BASIC PRINCIPLES IN HABEAS DATA
Generalities
Personal data is understood as all information of any kind referred to determined or determinable individuals or persons of ideal existence.

Sensitive data is understood as personal data whose misuse may affect the privacy of the owner of said data or generate discrimination, among others, personal data that reveal racial and ethnic origin, political opinions, religious, philosophical or moral beliefs, affiliation union, income and information regarding health or sexual life.

Provision of sensitive data

No person can be forced to provide sensitive data.

Sensitive data can only be collected and processed when there are reasons of general interest authorized by law. They may also be treated for statistical or scientific purposes when their holders cannot be identified.

The formation of files, banks or records that store information that directly or indirectly discloses sensitive data is prohibited, unless the owners agree.

Data relating to criminal or contravention records can only be processed by the competent public authorities, within the framework of the respective laws and regulations.

Data collection and storage

The personal data that are collected for the purposes of their treatment must be adequate, relevant and not excessive in relation to the scope and purpose for which they were obtained.

Data collection cannot be done by unfair, fraudulent means or in a manner contrary to the provisions of the law.

The data subject to processing cannot be used for purposes other than or incompatible with those that motivated its obtaining.

The data that is totally or partially inaccurate, or that is incomplete, must be deleted and replaced, or if completed, by the person in charge of the file or database when the inaccuracy or incompleteness of the information in question is known.

The data must be stored in a way that allows the exercise of the right of access of its owner.

The data must be destroyed when they are no longer necessary or relevant for the purposes for which they were collected.

Consent and / or authorization to obtain the data The processing of personal and / or sensitive data is illegal when the holder has not given his free, express and informed consent, which must be recorded in writing, or by other means that allows him to be equated, according to the circumstances.

The aforementioned consent given with other declarations, must appear expressly and prominently, prior notification to the requested data.

Grupo Costa S.R.L requires prior authorization from its customers, suppliers and employees for the treatment of personal data provided to Grupo Costa S.R.L in the framework of the contractual relationship reached with them.

Exceptions to the prior and express authorization of the owner of the data:

• Authorization will not be necessary when:

• The data is obtained from unrestricted public access sources;

• They are collected for the exercise of functions proper to the powers of the State or under a legal obligation;

• These are listings whose data is limited to name, national identity document, tax or social security identification, occupation, date of birth and address;

• They derive from a contractual, scientific or professional relationship of the owner of the data, and are necessary for its development or compliance;

• These are the operations carried out by financial institutions and the information they receive from their clients in accordance with the provisions of article 39 of Law 21,526.

TREATMENT OF PERSONAL DATA

Grupo Costa S.R.L uses the personal data it collects for lawful purposes, seeking continuous improvement in the activities it carries out and in the relationship it maintains with its customers, suppliers, employees, control bodies and other third parties.

TRANSFER OF PERSONAL DATA

The personal data collected by Grupo Costa SRL may be communicated / transferred to (i) any of the members of Grupo Costa SRL and / or related, affiliated, controlled, controlling, subsidiaries, representations or related companies of Grupo Costa SRL, (ii) third-party providers of data processing and processing services and (iii) other third parties that may correspond according to Grupo Costa SRL’s relationship with the owner of the data or to the lawful reasons and purposes for which they were collected by Grupo Costa SRL

Grupo Costa SRL requires those who transfer personal data compliance with adequate standards of confidentiality, protection and security, and especially when said third parties are in countries that do not have adequate data protection legislation according to the parameters established by the authorities and regulations from Argentina.

RIGHTS OF THE PERSONAL DATA HOLDER

Information right:

Any person may request information from the control body regarding the existence of files, records, databases or personal data banks, their purposes and the identity of those responsible.

The registration carried out for this purpose will be free public consultation.

Right of access

The owner of the data, prior accreditation of their identity, has the right to request and obtain information of their personal data included in public or private data banks intended to provide reports.

The person responsible or user must provide the requested information within ten (10) calendar days of having been reliably intimidated.

Once the deadline has elapsed without the request being satisfied, or if the report has been evacuated, it is deemed insufficient, the action for the protection of personal or habeas data provided in this law will be expedited.

The right of access referred to in this article can only be exercised free of charge at intervals of not less than six (6) months, unless a legitimate interest is evidenced for that purpose.

The exercise of the right to which this point refers in the case of data of deceased persons shall correspond to their universal successors.

The request referred to in this point does not require specific formulas, as long as it guarantees the identification of the owner of the data. It can be done directly, presenting the interested party to the person in charge or user of the file, registration, database or database, or indirectly, through reliable intimidation by written means to record receipt. Other direct or semi-direct access services such as electronic media, telephone lines, receipt of the claim on screen or other suitable means for this purpose may also be used.

In each case, media preferences may be offered to know the required response.

• Know whether or not the owner of the data is in the file, registry, database or database;

• Know all the data related to your person that appear in the file;

• Request information on the sources and means through which your data were obtained;

• Request the purposes for which they were collected;

• Know the intended destination for personal data;

• Know if the file is registered according to the requirements of Law No. 25,326.

Once the deadline for replying has elapsed, the interested party may take the action to protect personal data and report the fact to the National Directorate for the Protection of Personal Data for the purposes of the relevant control of this body.

In the case of data of deceased persons, the link must be accredited by the corresponding declaration of heirs, or by reliable document that verifies the character of the universal successor of the interested party.

Content of the information provided to the owner of the personal data

The information must be provided clearly, free of codifications and, where appropriate, accompanied by an explanation, in language accessible to the average knowledge of the population, of the terms used.

The information must be comprehensive and deal with the entire record belonging to the holder, even if the requirement only includes one aspect of personal data. In no case may the report disclose data belonging to third parties, even when linked to the interested party.

The information, at the option of the owner, may be provided in writing, by electronic, telephone, image, or other suitable means for that purpose.

Right to rectification, update or deletion

Everyone has the right to be rectified, updated and, where appropriate, deleted or confidentially the personal data of which he is the owner, which are included in a data bank.

The person in charge or user of the data bank, must proceed to rectify, delete or update the personal data of the affected party, carrying out the necessary operations for this purpose within a maximum period of five (5) business days of receiving the claim from the owner of the data or noticed the error or falsehood.

The breach of this obligation within the term agreed in the preceding paragraph, will enable the interested party to promote without further action the protection of personal data or habeas data provided in Law 25.326.

In the event of transfer, or transfer of data, the person in charge or user of the data bank must notify the assignee of the rectification or deletion within the fifth business day after the data is processed.

The deletion does not apply when it could cause damage to legitimate rights or interests of third parties, or when there is a legal obligation to keep the data.

During the process of verification and rectification of the error or falsity of the information in question, the person in charge or user of the data bank must either block the file, or consign when providing information related to it the circumstance that is subject to review.

The personal data must be kept for the periods provided in the applicable provisions or, where appropriate, in the contractual terms between the person in charge or user of the data bank and the data owner.

AREA IN CHARGE OF PROCESSING DOUBTS, PETITIONS, COMPLAINTS AND / OR CLAIMS

In all cases in which the owner of the data intends to direct to Grupo Costa SRL a doubt and / or a request and / or a complaint and / or a claim and / or a request for rectification, updating or deletion of data, you must send said note indicating its object to the following email box: marcelo@grupomcosta.com or to the following address:

Grupo Costa S.R.L

Av. Pres. Julio A. Roca 771, 1067 CABA, Buenos Aires, Argentina
Atte: Dpto de Seguridad Informática

Grupo Costa S.R.L will process said note within ten (10) days after it is received and will respond through the contact information provided in the note.

The Agency for Access to Public Information, the control body of Law 25.326 has the authority to respond to complaints and claims that are filed in relation to non-compliance with the rules on protection of personal data.

The Public Information Access Agency has its offices in Av. Pte Gral Julio A. Roca 710, 2nd floor, Autonomous City of Buenos Aires. T.E.011-2821-0047 http://www.jus.gob.ar/datos-personales.aspx

COMMITMENT OF SUPPLY CUSTOMERS AND STAFF

Customers and suppliers that contract with Grupo Costa SRL, as well as employees of Grupo Costa SRL must act in full in accordance with these policies and with the Personal Data Protection Law No. 25,326 and other regulations that complement or replace it in the future.

PROVISION 11/2006 and 9/2008 – SECURITY MEASURES FOR THE PROCESSING AND CONSERVATION OF PERSONAL DATA

Grupo Costa SRL, its suppliers and its customers must adjust their actions and comply with the different levels of security (basic, medium and critical) provided by Provisions 11/2006 and 9/2008 of the National Directorate of Protection of Personal Data and / or rules that replace them in the future.

Grupo Costa SRL implements all the necessary measures to maintain the security of the personal information of its customers, suppliers and employees contemplating the internal practical, technical and organizational measures necessary to guarantee the security, integrity and confidentiality of the data, diligently trying to avoid the unauthorized access, destruction, use, modification or disclosure of the data, in accordance with the provisions of art. 9 of Law 25,326, complementary rules and in particular in Provisions 11/2006 and 9/2008 of the National Directorate of Protection of Personal Data, which establishes the different security measures for the treatment and conservation of personal data contained in banks of private data.

Grupo Costa S.R.L will make its best efforts to prevent unauthorized access to the personal information of its customers, suppliers and employees. The area responsible for Technology and Systems of Grupo Costa S.R.L is responsible for complying with the regulations related to information security, through the security policies, standards, manuals and procedures approved for this purpose.

AWARENESS – TRAINING

In order to guarantee the dissemination of these policies and their correct understanding by the staff of Grupo Costa S.R.L, periodic awareness and training activities are carried out in the field of personal data protection.

CONTINUOUS CONTROL AND IMPROVEMENT

Grupo Costa S.R.L carries out internal controls with the objective of ensuring compliance with these policies and suggesting possible changes to improve the mechanisms for the collection, security and processing of personal data.

VALIDITY

This policy is effective as of the date of its publication.

Last update: 07/10/2019.