DATA LAW POLICY

Introduction

We are a company founded in 1972, with the purpose of manufacturing personal care products. Its flagship brand is TIP’S, proudly Ecuadorian, characterized by innovation and constant evolution, delivering quality products for home care. In addition to national production, CALBAQ today also imports and markets highly prestigious products internationally. Our reason for existing and the reason why we get up every day is: “Develop and represent successful mass consumption brands that generate value for our clients, strategic allies and collaborators.” –

Recipients
This Policy is directed to our Clients, Affiliated Business Establishments, users, employees or collaborators, suppliers, allies, visitors to the website and in general the interest groups on which CALBAQ processes information.

Definitions
The words and terms defined, when they are written with an initial capital letter, whether or not it is necessary according to the spelling rules for the use of capital letters, and regardless of the place in the Policy where they are used, will have the following meaning:

• Personal Data Protection Authority: Independent public authority in charge of supervising the application of this law, regulations and resolutions issued by it, in order to protect the fundamental rights and freedoms of natural persons, with regard to the processing of their personal data.

• Anonymization: The application of measures aimed at preventing the identification or re-identification of a natural person, without disproportionate efforts.

• Database or file: Structured set of data regardless of the form, method of creation, storage, organization, type of support, treatment, processing, location or access, centralized, decentralized or distributed in a functional or geographical manner.

• Consent: Manifestation of free, specific, informed and unequivocal will, by which the owner of the personal data authorizes the person responsible for the processing of personal data to process them.

• Biometric data: Unique personal data, related to the physical or physiological characteristics, or behaviors of a natural person that allows or confirms the unique identification of said person, such as facial images or fingerprint data, among others.

• Genetic data: Unique personal data related to inherited or acquired genetic characteristics of a natural person that provide unique information about the physiology or health of an individual.

• Personal data: Data that identifies or makes a natural person identifiable, directly or indirectly.

• Credit personal data: Data that integrates the economic behavior of natural persons, to analyze their financial capacity.

• Data relating to: ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, criminal record, immigration status, sexual orientation, health, biometric data, genetic data, data relating to stateless persons and refugees requiring international protection, and data whose improper treatment may give rise to discrimination, violate or may violate fundamental rights and freedoms.

• Data relating to health: personal data relating to the physical or mental health of a person, including the provision of health care services, which reveal information about their health status.

• Sensitive data: Data relating to: ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, criminal record, immigration status, sexual orientation, health, biometric data, genetic data, and data whose improper treatment may give rise to discrimination, violate or may violate fundamental rights and freedoms.

• Data protection officer: Natural person in charge of informing the controller or processor of their legal obligations regarding data protection, as well as ensuring or supervising regulatory compliance in this regard, and cooperating with the Personal Data Protection Authority, serving as a point of contact between the latter and the entity responsible for data processing.

• Recipient: Natural or legal person who has been provided with personal data.
Profiling: All processing of personal data that allows the evaluation, analysis or prediction of aspects of a natural person to determine behaviors or standards related to: professional performance, economic situation, health, personal preferences, interests, reliability, location, physical movement of a person, among others.

• Data processor: Natural or legal person, public or private, public authority, or other body that alone or jointly with others processes personal data on behalf of and on behalf of a data controller.

• Certifying Entity: Entity recognized by the Personal Data Protection Authority, which may, on a non-exclusive basis, provide certifications regarding personal data protection.

• Publicly accessible source: Databases that can be consulted by any person, whose access is public, unconditional and generalized.

• Data controller: Natural or legal person, public or private, public authority, or other body, that alone or jointly with others decides on the purpose and processing of personal data.

• Personal data protection seals: Accreditation granted by the certifying entity to the data controller or data processor, for having implemented best practices in their processes, with the aim of promoting the trust of the owner, in accordance with the technical regulations issued by the Personal Data Protection Authority.

• Pseudonymisation: Processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

• Owner: Natural person whose data is being processed.

• Transfer or communication: Manifestation, declaration, delivery, consultation, interconnection, assignment, transmission, diffusion, disclosure or any form of disclosure of personal data made to a person other than the owner, person responsible for or in charge of processing personal data. The personal data communicated must be accurate, complete and up to date.

• Processing: Any operation or set of operations carried out on personal data, whether by automated, partially automated or non-automated technical procedures, such as: collection, compilation, obtaining, recording, organization, structuring, conservation, custody, adaptation, modification, elimination, indexing, extraction, consultation, elaboration, use, possession, exploitation, distribution, assignment, communication or transfer, or any other form of enabling access, comparison, interconnection, limitation, deletion, destruction and, in general, any use of personal data.

• Breach of the security of personal data: Security incident that affects the confidentiality, availability or integrity of personal data. Principles for the Processing of Personal Data

In the development, interpretation and application of this Policy, the following principles will be applied in a harmonious and comprehensive manner:

• Legality.- Personal data must be processed in strict compliance with the principles, rights and obligations established in the Constitution, international instruments, this Law, its Regulations and other applicable regulations and jurisprudence.
Loyalty.- The processing of personal data must be loyal, so that it must be clear to the owners that personal data concerning them is being collected, used, consulted or otherwise processed, as well as the ways in which such data is or will be processed.
In no case may personal data be processed through means or for purposes that are illicit or unfair.

Transparency.- The processing of personal data must be transparent. Therefore, all information or communication related to this processing must be easily accessible and easy to understand and simple and clear language must be used.
The relationships arising from the processing of personal data must be transparent and governed by the provisions contained in this Law, its regulations and other regulations relevant to the subject matter.

• Purpose.- The purposes of the processing must be determined, explicit, legitimate and communicated to the owner; personal data may not be processed for purposes other than those for which they were collected, unless one of the causes that enable a new processing in accordance with the assumptions of legitimate processing indicated in this law occurs. The processing of personal data for purposes other than those for which they were initially collected should only be permitted when it is compatible with the purposes of their initial collection. For this purpose, consideration must be given to the context in which the data were collected, the information provided to the data subject in that process and, in particular, the reasonable expectations of the data subject based on his/her relationship with the controller regarding its further use, the nature of the personal data, the consequences for the data subjects of the intended further processing and the existence of adequate guarantees both in the original processing operation and in the intended further processing operation.

• Relevance and minimisation of personal data. Personal data must be relevant and limited to what is strictly necessary for the fulfilment of the purpose of the processing.

• Proportionality of processing.- The processing must be adequate, necessary, timely, relevant and not excessive in relation to the purposes for which they were collected or to the nature of the special categories of data.

• Confidentiality.- The processing of personal data must be based on due confidentiality and secrecy, that is, it must not be processed or communicated for a purpose other than that for which it was collected, unless one of the causes that enable a new processing occurs in accordance with the assumptions of legitimate processing indicated in this law. For this purpose, the person responsible for the processing must adapt the technical organizational measures to comply with this principle.

• Quality and accuracy.- The personal data that are subject to processing must be exact, complete, precise, complete, verifiable, clear; and, if applicable, duly updated; in such a way that their veracity is not altered. All reasonable measures shall be taken to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are erased or rectified without delay.

In the case of processing by a processor, the quality and accuracy of the data shall be the obligation of the controller of the personal data.

Provided that the controller has taken all reasonable measures to ensure that the personal data are erased or rectified without delay, the inaccuracy of the personal data shall not be attributable to the controller, with respect to the purposes for which they are processed, when the inaccurate data:

a) Were obtained by the controller directly from the data subject.
b) Were obtained by the controller from an intermediary if the rules applicable to the sector of activity to which the controller belongs establish the possibility of the intervention of an intermediary who collects the data of the affected parties on their own behalf for transmission to the controller.
c) Were obtained from a public register by the controller.

• Conservation.- Personal data will be kept for a period of time not longer than necessary to fulfil the purpose of its processing. To ensure that personal data are not kept for longer than necessary, the data controller will establish deadlines for their deletion or periodic review.
The extended conservation of personal data processing will only be carried out for archiving purposes in the public interest, scientific, historical or statistical research purposes, provided that appropriate and necessary guarantees of security and protection of personal data are established to safeguard the rights provided for in this regulation.

• Security of personal data.- Those responsible for and in charge of processing personal data must implement all appropriate and necessary security measures, understood as those accepted by the state of the art, whether these are organisational, technical or of any other nature, to protect personal data against any risk, threat or vulnerability, taking into account the nature of the personal data, the scope and the context.
Proactive and proven responsibility.- The person responsible for the processing of personal data must prove that he has implemented mechanisms for the protection of personal data; that is, compliance with the principles, rights and obligations established in this Law, for which, in addition to what is established in the applicable regulations, he may use standards, best practices, self- and co-regulation schemes, protection codes, certification systems, personal data protection seals or any other mechanism that is determined to be appropriate for the purposes, the nature of the personal data or the risk of the processing.

The person responsible for the processing of personal data is obliged to account for the processing to the owner and to the Personal Data Protection Authority.

The person responsible for the processing of personal data must evaluate and review the mechanisms adopted to comply with the principle of responsibility on an ongoing and permanent basis, in order to improve his level of effectiveness in the application of this Law.

• Application favorable to the owner. – In case of doubt about the scope of the provisions of the legal system or contracts applicable to the protection of personal data, judicial and administrative officials shall interpret and apply them in the most favorable way to the owner of said data.

• Independence of control. – For the effective exercise of the right to the protection of personal data, and in compliance with the obligations of the State to protect the rights, the Data Protection Authority must exercise independent, impartial and autonomous control, as well as carry out the respective prevention, investigation and sanction actions.

Type of personal data collected by CALBAQ

CALBAQ may obtain information directly from the Holders or from different sources, telecommunications service providers, natural persons, Clients or Users, as well as from their employees and suppliers, through the use of the different digital platforms (our website), or when there is a commercial, labor or service provision relationship with us.

Additionally, we may obtain personal information from natural persons who have allowed their financial institution to share. Likewise, we obtain information from companies that use CALBAQ products or services, publicly available information systems, database operators and commercial information services.

The types of personal data we collect are:

• Contact information, such as name and surname, type and identification number, home and email address and telephone number. Business photo.

• Credit or debit card number and card expiration date, bank account number and expiration date, and, in the case of merchants or businesses, business category and certain information about sales and transaction volume. Financial results as required, business references and business structure.

• Information about your geographic location or physical location, for example, through information from GPS signals sent by a mobile device, or through different technologies to determine location, such as data from device sensors that provide, for example, information about the nearest Wi-Fi access points and mobile phone antennas.

• Data about the mobile device (such as, for example, brand and model of the device, operating system version, unique identifiers and data about the mobile network, IP address, including phone number, and telecommunications service provider).

• Information about you collected through third-party verification services linked to CALBAQ.

• Personal information of employees related to their date and place of birth, nationality, marital status, sex, educational levels, work experience, personal references, socioeconomic level and status and financial situation, information related to their health status, social security entities to which they are affiliated, disciplinary and judicial records. Additionally, information related to their family unit and dependents, as well as personal preferences in terms of activities and hobbies.

• Personal information of candidates for any position or job, including their first and last names, type and ID number, landline and cell phone numbers, postal and email addresses (personal and/or work), profession or trade, degrees, academic profile (college, university, etc.), professional profile (jobs, background, etc.), membership in professional or academic associations, salaries and work hours, performance evaluations and/or any other information included in the applicant’s or candidate’s resume. Once the employment relationship is formalized, the candidate will be governed by the rules of CALBAQ employees, regarding the personal data protection regime. When we talk about candidates, we refer to both professionals who wish to work at CALBAQ and those students who wish to do their professional internship with us, under the scheme that best fits their profile.

• Information such as type and percentage of disability, both of the holder and of their direct and/or substitute relatives. Information on medical diagnoses provided by the holder in relation to him or her and his or her family members, for health insurance purposes. Information on date of birth, ID numbers, full names and surnames of the employee’s direct family members. Information on salary income, positions, area, benefits, bonuses, extraordinary compensation. Information on telephone contact numbers of collaborators and their direct family members.

Users, Clients, collaborators and suppliers expressly authorize CALBAQ to confirm the personal information provided by contacting public entities, specialized companies or risk centers, their contacts or the employer, as well as their personal, banking, commercial or work references, among others.

Processing of Personal Data and Purposes

With the authorization of the Owner to CALBAQ, the latter is authorized to process the data provided. The information collected will be used for the following purposes:

• To make the payment/collection to our business partners (suppliers/customers) through the system and processes established by the company.

• To carry out the procedures and processes for the fulfillment of CALBAQ’s tax, accounting and administrative obligations.

• To carry out all the activities necessary for the fulfillment of the different contractual stages in the relationships with suppliers.

• To use personal information to contact the owner via email to send extracts, account statements or invoices in relation to the obligations.

• To use and store the information to contact the owner for the development of activities related to collections or others of a similar nature.

• To manage the processing of requests, complaints and claims of the client. (Claims for billing issues, related to the sale.

• Use and distribute the information to third parties with whom CALBAQ has a contractual relationship and that it is necessary to deliver it for the fulfillment of the contracted object. (EXTERNAL LOAN MANAGER AND CREDIT INSURANCE)

• Record pertinent information in the CALBAQ database, and processes of registration and/or modification of data in its respective ERP

• Guarantee compliance with the legal standards required by the company, as well as others that are established in the Policy for the Protection and Treatment of Personal Data of the company that will be published on the website: https://calbaq.dr-moodle.com/es/

• Carry out the pertinent procedures for the development and execution of the corporate purpose of CALBAQ, in what has to do with the fulfillment of the object of the contract entered into with the Owner of the personal data

• Carry out the procedures and formalities for the fulfillment of tax obligations, accounting and administrative services of CALBAQ.

• Manage billing and payment for services.

• Celebration of the Employment Contract.

• To allow the use of geolocation to reference the business partner.

• Information such as the type and percentage of disability of both the holder and the direct family members, this is used to present in audits with the Ministry of Labor.

• Information on medical diagnoses provided by the holder for management of private health insurance reimbursements.

• Information on the date of birth, ID number, full names and surnames of family members and date of marriage for internal company management such as profits, corporate events and multiple internal benefits.

• Information on salary income, area, position, full names and surnames, ID number and time in the company for the realization of labor references.

• Information on telephone contact numbers of collaborators and direct family members for the management of any internal or external medical emergency.

• Allow the use of cell phone and email to receive notifications related to payment/collection via text messages to cell phone (SMS) and/or email

• Calbaq provides the Actuarial Consulting Firm with information about employees, including their first and last names, ID number, sex, date of birth, date of entry and/or exit, current remuneration and remuneration from previous years, as well as accounting balances for the assessment in order to establish the calculation of provisions for employer retirement.

• For the Banking system, we provide employee information such as first and last names, ID number, account type and number, for the purpose of accrediting the value of monthly remuneration, social benefits and/or profits.

Processing of Special Data
In the event that we collect and process your sensitive data, these will be treated with careful compliance with the provisions of the Organic Law on Personal Data Protection and this Policy. Data Subjects are informed that they will not be required in any event to authorize the Processing of sensitive data, and therefore the provision of our services is not conditioned to the delivery of this sensitive information. CALBAQ takes the privacy of children and adolescents seriously and responsibly.

We will ensure the proper use of the personal data of children and adolescents under the age of majority, guaranteeing that the processing of their data respects their best interests and fundamental rights and, as far as possible, taking into account their opinion as Holders of their personal data.

Authorization for the processing of special data:

When it comes to the collection of sensitive data, the following requirements must be met:

• The Authorization must be explicit.
• The Holder must be informed that he or she is not obliged to authorize the Processing of said information.
• The Holder must be informed explicitly and in advance which of the data that will be processed are sensitive and the purpose of the Processing thereof.

Processing of Sensitive Personal Data obtained through video surveillance
• CALBAQ uses various video surveillance media installed in different internal and external sites of its facilities or offices. For this reason, CALBAQ informs the general public about the existence of these mechanisms by disseminating video surveillance announcements on visible sites.
The information collected through this mechanism is used for security purposes, to improve our service and the experience at CALBAQ facilities, as well as as evidence in any type of process before any type of authority or organization.

• CALBAQ does not deliver video recordings obtained to any third party, unless there is a court order or a competent authority or the law allows it.
Regarding body-cams or personal video surveillance of workers, CALBAQ obtains the respective authorization from its workers through their employment contracts or addenda and they are used by CALBAQ exclusively for the security and integrity of the company.

Rights of the Owners

The Owners of the data have the right to:

• Rights of access, cancellation and rectification of personal information and procedure for the exercise of the rights of the Owners.
• To know, update and rectify your personal data before the entity responsible for the Treatment or in charge of the treatment of your personal data. This right may also be exercised, in the case of partial, inaccurate, incomplete, fractional data, which lead to error, or those whose Treatment is expressly prohibited or has not been authorized.
• To request proof of the Authorization granted to the Data Controller except when it is expressly excepted as a requirement for the Treatment.
• To be informed by the Data Controller or the Data Processor, upon request, regarding the use that has been given to the personal data.
• To submit complaints to the Personal Data Protection Authority for violations of the personal data protection regime.
• To revoke the Authorization and/or request the deletion of the Personal Data in the terms of the Organic Law on Personal Data Protection.
• To access free of charge your personal data that have been subject to Treatment.

CALBAQ’s duties as Data Controller
CALBAQ is obliged to comply with the duties imposed by law. Therefore, it must act in such a way that it complies with the following duties:

With respect to the Data Owner:
a. Guarantee the Owner, at all times, the full and effective exercise of the rights mentioned in section IX of this Policy.
b. Regarding the quality, security and confidentiality of Personal Data.
c. Observe the principles of veracity, quality, security and confidentiality in the terms established in this Policy.
d. Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.
e. Update the information when necessary.
f. Rectify the Personal Data when appropriate.

Regarding the Processing carried out through a Manager:
a. Provide the Data Processor only with the Personal Data whose Processing has been previously authorized.
b. Ensure that the information provided to the Data Processor is true, complete, accurate, up-to-date, verifiable and understandable.
c. Communicate in a timely manner to the Data Processor all new developments regarding the data previously provided and adopt the other measures necessary to ensure that the information provided to the Data Processor remains up-to-date.
d. Inform the Data Processor in a timely manner of any corrections made to the Personal Data so that the Data Processor may proceed to make the relevant adjustments.
e. Demand from the Data Processor at all times that he/she respects the security and privacy conditions of the Owner’s information.
f. Inform the Data Processor when certain information is being discussed by the Owner, once the claim has been submitted and the respective process has not been completed.

Regarding the Personal Data Protection Authority:

a. Inform you when security code violations occur and there are risks in the management of the information of the Holders.
b. Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce.

CALBAQ’s Duties as Data Processor

In the event of data processing on behalf of another entity or organization that is the Data Controller, CALBAQ must comply with the following duties:

• Guarantee the Holder, at all times, the full and effective exercise of the right to habeas data.
• Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, unauthorized or fraudulent use or access.
• Carry out the timely update, rectification or deletion of the data.
• Update the information reported by those responsible for the Processing within the following five (5) business days from its receipt.
• Process the Queries and Complaints formulated by the Holders in the terms indicated in this Policy.
• Refrain from circulating information that is being disputed by the Holder and whose blocking has been ordered by the Personal Data Protection Authority or any other authority.
• Allow access to the information only to persons authorized by the Holder or empowered by law for this purpose.
• Inform the Personal Data Protection Authority when security code violations occur and there are risks in the management of the Holders’ information.
• Comply with the instructions and requirements issued by the Personal Data Protection Authority.

Authorization for the Processing of Personal Data

CALBAQ must obtain from the Holder the prior, express and informed Authorization to collect and process their Personal Data. This obligation is not necessary when dealing with data of a public nature, such as, for example, Public Data existing in public records, among others. In order to obtain Authorization, it is necessary to inform the Owner of the Personal Data in a clear and express manner of the following:

• The Processing to which his/her Personal Data will be subjected and the purpose thereof.
• The optional nature of the response to the questions asked, when these relate to sensitive data or the data of girls, boys and adolescents.
• The rights that assist him/her as Owner provided for in the Organic Law on the Protection of Personal Data.
• The identification, physical or electronic address of CALBAQ.

The Data Subject’s Authorization must be obtained through any means that may be subject to subsequent consultation, such as the website, forms, formats, activities, contests, in person or on social networks, PQR format, data messages, phone calls or Apps.

In all cases, proof of compliance with the above points must be left. The Authorization may also be obtained from unequivocal conduct of the Data Subject that allows a reasonable conclusion that he/she has given his/her consent for the Processing. Such conduct(s) must be very clear so as not to allow doubt or mistake about the will to authorize the Processing, such as in video surveillance areas where the Data Subject has previously read the Privacy Notice.

National or International Transfer of Personal Data

CALBAQ may transfer data to other Data Processors when authorized by the Data Subject, by law or by an administrative or judicial mandate.

For the event of international transfers, in which the Holder’s Authorization is not available, CALBAQ will carry out the corresponding declaration of compliance procedure before the Personal Data Protection Authority, complying with the Organic Law on Personal Data Protection and all those regulations that modify, substitute and replace it.

National or International Transmission of Personal Data

CALBAQ may transmit data to one or more Managers located within and outside the territory of the Republic of Ecuador in the following cases:

• When it has the Holder’s Authorization to carry out the Transmission of their data.
• When, without having the Authorization, there is a data Transmission contract between the Responsible Party and the Manager, taking into account the provisions of the regulations on Personal Data Protection.

Procedure for exercising the rights of the holders
In compliance with the regulations on personal data protection, CALBAQ presents the procedure and minimum requirements for exercising your rights:
To address your request, we ask you to provide the following information:

• Full name and surname of the holder and/or his/her representative and/or successors in title
• Identification number
• Contact information (physical and/or electronic address and contact telephone numbers),
• Means to receive a response to your request,
• Reason(s)/fact(s) that give rise to the claim with a brief description of the right you wish to exercise (know, update, rectify, request proof of the authorization granted, revoke it, delete, access information, among others)
• The respective support that verifies the legal representation must be provided
• The request for information consultation may be made by the holder or his/her representative, for which, CALBAQ will provide them with all the information contained in the individual record or that is linked to the identification of the Holder. This query will be attended to within a maximum period of fifteen (15) business days from the date of receipt of this query and will be free of charge.
Once the complete claim has been received, a legend stating “claim in process” and the reason for this will be included in the database within a period of no more than two (2) business days. This legend must be maintained until the claim is decided. The maximum period for addressing the claim will be fifteen (15) business days from the day following the date of receipt.

Permanence of Personal Data

The Personal Data that is Processed must remain in the CALBAQ Databases for as long as necessary to fulfill the purposes mentioned in the Policy, for which it was collected.

The Owner must bear in mind that, in accordance with the terms of the Organic Law on Personal Data Protection, the request for deletion of information and the revocation of authorization will not proceed when the owner has a legal or contractual obligation to remain in the CALBAQ database.

Cookies

The User and the visitor of the CALBAQ website know and accept that CALBAQ may collect certain information through the use of cookies.

Cookies are small files that are installed on the hard drive of the User’s computer, with a limited duration in time that help to personalize the services. We also offer certain functionalities that are only available through the use of cookies.

The information collected through cookies is, among others, the User’s access path to the website, pages visited, IP address of origin, browser type, browser language, and the date and time of the User’s visit.  This information helps CALBAQ track trends and improve areas of our website based on visits, and is an analysis commonly used by most websites.

At any time, the User can uninstall cookies on their computer (Internet browser), which depends on their exclusive will and can be deleted from their computer when the User so wishes.

Information Security and Confidentiality
CALBAQ is committed to complying with all applicable regulations regarding Information Security and Cybersecurity applicable to personal information.

For this reason, CALBAQ has implemented Information Security and Cybersecurity Policies that contemplate measures to protect the information of the Holders leveraged on the controls established in current industry standards and regulations.
On the other hand, CALBAQ is not responsible for illegal interceptions, misuse and/or violation of the systems or databases of its Clients by unauthorized or malicious persons. In these cases, CALBAQ, in accordance with the law and once it is aware of these violations, will inform the competent authorities.

Third parties contracted by CALBAQ are also obliged to adhere to and comply with the Information Security and Cybersecurity Policies as well as the security protocols that we apply to all our processes. Every contract with third parties (contractors, employees, external consultants, temporary collaborators, etc.) that involves the Processing of information and personal data, includes a confidentiality agreement that details their commitments to the protection, care, security and preservation of the confidentiality, integrity and/or privacy of this information.

Likewise, the Information Security and Cybersecurity Policies under which the information of the Data Owner is kept to prevent its adulteration, loss, consultation, use, unauthorized and/or fraudulent access, are included in CALBAQ’s Comprehensive Personal Data Management Program.

Relationship with third parties
In developing this Policy and the internal provisions for the proper handling of personal data, CALBAQ will do everything necessary to ensure that the related entities, subsidiaries, subordinates or third parties with which they establish labor relations or commercial alliances comply with the personal data protection regime in Ecuador.

Taking into account the above, CALBAQ may request suitable and pertinent information from third parties and/or those in charge to verify and observe compliance with the provisions contained in this policy and in the personal data protection regime in Ecuador.

Finally, CALBAQ will ensure that it has procedures so that once the legal or contractual relationship with the third party and/or person in charge of the personal information has ended, it is collected, eliminated, and destroyed.

Related Entities – Binding Rules

CALBAQ does not have related entities, so as of the date of approval and issuance of this Personal Data Protection and Processing Policy, no binding rules have been approved.

Identification of the person responsible

CALBAQ S.A is a corporation that complies with the provisions of the Organic Law on Personal Data Protection, and whose information is as follows:
Company name CALBAQ S.A.
RUC 0990135630001
Address KM 11.5 VÍA A DAULE
Email: notificacionprotdatos@calbaq.dr-moodle.com
Website https://calbaq.dr-moodle.com/es/
Area in charge of Personal Data General Management
Table 1. Identification information of CALBAQ S.A.

Validity and adjustments to the Personal Data Protection and Processing Policy
CALBAQ may modify the terms and conditions of this Personal Data Protection and Processing Policy at any time. All changes to this Policy will be reported by publishing a new version on the website. Natural persons who are the subject of this policy must ensure that they review this page periodically to verify the aforementioned changes.

If a change is made to the purpose of the Processing of Personal Data, CALBAQ will request a new Authorization from the Data Subjects who are affected by said change.

This Personal Data Protection and Processing Policy was approved on December 11, 2023, entering into force as of that date.