For the purposes of this Policy, terms stated below will have the following meanings:

•  “Database”: Organized set of personal data which is subject to processing, either electronically or otherwise, regardless the modality of its creation, storage, organization or access.
• “Personal Data” Any type of information referred to certain or ascertainable natural persons or legal entities, including biometric data.
• “Sensitive Data” Personal data concerning private sphere of its owner with potentiality to cause unlawful or arbitrary discrimination, in particular, data disclosing race or ethnic origin, political opinions, religious, philosophical or moral convictions, participation or affiliation in a union or political organization, health information, sexual preferences.
•  “Information” Data in general, without making reference to any particular natural person or legal entity, but due to its identity and/or characteristics, is of value for the Firm, and as such, it is processed in a similar manner as the Personal Data.
•  “Data Owner” Any natural person or legal entity which data is subject to Data Processing by G. Breuer.

• “Data Processing”: any organized operation or procedure, electronic or not, that allows gathering, retention, sorting, storage, modification, relating, assessment, blocking or destruction and, in general, processing personal data, as well as its assignment through communications, enquiries, interconnections or transfers.
• “Data Controller”: natural person or legal entity, either public or private, owner of the database, that decides on the data processing, its purposes and means.
• “Data Processor”: natural person or legal entity, either public or private, that processes personal data on behalf of the Party Responsible for Processing.
• “Third Party”: natural person or legal entity, either public or private, different from the Data Owner, Data Controller, Data Processor, or persons directly authorized by the Controller or Processor to process Personal Data.
• “Security Incident”: an event occurred at any stage of processing that implies loss or unauthorized destruction, theft, misplacement or unauthorized copy, unauthorized use, access or processing of data, or damage, alteration or unauthorized modification.

G. Breuer is aware of the fact that, in the strict performance of its tasks, no goal would be achieved without acting according to the ethics, applicable law and due respect and care for the Privacy and Personal Data. It is why that one of its priorities is to encourage its employees and third parties for which it shall be accountable to follow the Principles stated in this Policy and other principles contained in the legislation.

This Policy applies to all employees of G. Breuer and third parties with whom it works and who in the performance of their duties access the Database and/ or process Data in the name of G. Breuer.

G. Breuer will apply the following principles (hereinafter referred to as the “Principles”) at every step of processing of Personal Data:

(i) Legality

As long as the law provides and requires to do so, any new created Database shall be reported and registered with the Argentine Federal Department of Protection of Personal Data, observing the principles of the Act 25.326 and other applicable rules in its creation and operation.

(ii) Loyalty and transparency:

Personal data will be processed in a loyal and transparent manner, that is to say, refraining from using deceitful or fraudulent means.

(iii) Purpose

Gathering and/ or processing of personal data will have specific, explicit and lawful purposes, and never have different or incompatible purposes with those that triggered its obtention.

(iv) Accuracy

Personal Data that is subject to processing will be accurate and complete. In case it is required to adjust it, all reasonable measures will be taken in order to eliminate or rectify same.

(v) Retention

Personal data will not be stored beyond strictly necessary time for the fulfillment of the purpose of the processing.

(vi) Consent

In case when G. Breuer acts as Data Controller, it will seek to obtain free and informed consent from the owner of the data for one or several specific purposes, if applicable. In case when G. Breuer acts as Data Processor, it will always perform within the framework of the agreement signed with the Data Controller, refraining from applying or using data for a purpose other than the agreed one.

(vii) Revocation

Simple and free of charge means will be provided so that the owner of Personal Data may use his right to revoke the granted consent.

(viii) Sensitive data

Data concerning race or ethnic origin, political opinions, religious, philosophical or moral convictions, participation or affiliation in a union or political organization, health information, sexual preferences will not be disclosed in the bases since same may give way to unlawful or arbitrary discrimination, unless its obtention and Processing arises from a legal duty of the Firm.

(ix) Data processing related to children and adolescents

In case of processing data of this identity and characteristics, G. Breuer will favor the protection of the paramount interest of the children and/or adolescents in accordance with the Convention on the Rights of the Child and other international instruments that seek their welfare and comprehensive protection

(x) Security

Technical and organizational measures will be always adopted in each case in order to guarantee security and confidentiality of personal data, so that falsification, loss, query or unauthorized processing is avoided.

(xi) Notification

In case a security incident occurs, control authority will be given notice with no further delay and, if possible, within seventy two (72) hours after having taken cognizance of the incident.

(xii) Confidentiality

G. Breuer commits to maintain confidentiality of the personal data during the whole processing period and even after ending its relationship with the owner of the data, the Data Controller or Data Processor, as appropriate.

G. Breuer recognizes and assures respect of the following rights of the owners of Personal Data:

(i) Access

After accreditation of identity, owners will be granted access to their Personal Data that is subject to processing. In no case the prepared report will disclose data belonging to third parties, even when same are related to the owner of the data.

(ii) Rectification

Rectification of Personal Data will be made in case their owners prove that it is inaccurate, false, wrong, incomplete or outdated.

(iii) Opposition

In case the data owner objects to data processing, or a specific purpose of same, when no consent has been given, processing of personal data that is subject to opposition will be

stopped. This obligation will be fulfilled as long as no legitimate grounds for the processing prevail above the rights of the owner of the data.

(iv) Suppression

Upon the request of the owner to delete his Personal Data, same will be deleted provided there is one of the cases set forth in the Clause 11.

G. Breuer will always guarantee the exercise of these rights in accordance with the regulation in force and implement procedures for such purpose, which must follow these guidelines:

(i)  Reporting to the Owner of Data about his rights in accordance with the law and means through which he will be able to exercise them;

(ii)  Guaranteeing the right of access of the Owner of Data in a free manner within intervals no shorter than six months (or other larger intervals, according to local legislation), unless a legitimate interest to do otherwise is shown.

(iii)  Implement easy, accessible and free of charge means to allow the owner of the data to exercise his rights;

(iv)  Reply to the requests within the following terms:

a. 10 (ten) running days with respect to the right of access;

b. 5(five)workingdayswithrespecttotherightsofrectification,updatingand suppression;

(v)  Keeping a record of received requests and its corresponding replies;

(vi)  Demanding to any Owner of Data to submit a request, once he has duly evidenced his identity, in order to preserve the confidentiality and security of Personal data and avoid unauthorized access;

(vii) During updating and/or rectification process, part of the Database containing the Personal Data under review will be blocked, or it will be indicated that same is under review when providing information relating to same.

As an exception, G. Breuer will have the right to refuse to follow the request for suppression or rectification of data in the following cases:

(i) When suppression or rectification of Personal data causes perjury to rights or legitimate interests of third parties;

(ii) When reasons of public interest prevails for the data processing in question;

(iii)  When the personal data must be kept during the terms established in the applicable regulations or, where appropriate, in the agreement regulations between the Data Controller and the owner of the data.

(iv)  When the data processing is required for exercising the right to freedom of expression and information.

Pursuant to the principles stated in the Point 5., from the moment of collection of Personal Data, and at any time, G. Breuer will seek to ensure compliance of the applicable regulation in force in the matter and the Principles mentioned in this Policy. Particularly, G. Breuer will limit the collection of Personal Data to those that are appropriate, relevant and not excessive for the particular purpose. In view of the above, it will always request the Personal Data that are necessary for the Processing pursuant to the appropriate purposes, refraining from using same for different or incompatible purposes with those that motivated its obtention, unless its owner gave his consent.

In order to guarantee the principle of Transparency, G. Breuer will implement measures required to reveal to the owner of the Personal Data the purpose of collection, unless the owner has been already informed, or its purpose was clear from the context. For the same purpose, G. Breuer will provide to the Owner of Data all mandatory information in accordance with the requirements of the applicable regulation. Specifically, it will report:

(i) Purposes of the processing of data to which the collected personal data will be used;

(ii) The identity and contact information of the data collector;

(iii) The rights in accordance with the law (right of access, rectification, opposition, suppression);

(iv) Means for exercising the rights determined by the law;

(v) When applicable, assignments or international transfers of data which are made or are expected to be made;

(vi) The compulsory or discretionary character of providing personal data and the consequences of providing same, of refusing to provide such data, or of their inaccuracy;

(vii) The right of the owner of the data to revoke the consent;

(viii) The right to file a complaint, to file an action for the protection of personal data with the control authority, or to exercise the right to file habeas data action should it not comply with the law.

Likewise, pursuant to the recommendations of the Agency of Access to the Public Information in the Annex I of the Resolution 47/ 2018, the collection of data will respect the integrity and confidentiality of the information, ensuring the following:

• Completeness of the information, verifying that the fields composing the data collection form allow a complete input of the required data;
• Minimization of the input errors, indicating the type of information to input and the format of same in a clear and precise manner;
• The integrity, verifying, if possible, the accuracy of the input data in case the type of register allows so;
• The confidentiality during the process of collection, using encrypted media of client-server communication;
• The limitation of the access to the collection of the data;
• The limitation of the unauthorized access during the collection, using safe digital certificates validated by authorized entities (CA) and encrypting the communication during the transfer from the server of application to the database;

G. Breuer will seek to store all Personal Data that is collected and used for its purposes in Databases, which will be duly registered with the Agency of Access to the Public Information, insomuch as it is mandatory by the law.

In this context, pertinent procedures and actions will be implemented so that those Personal Data are not stored indefinitely and which purpose has become abstract, as long as there is no sufficient legitimate reason for keeping same. To this end, among other aspects, the cases that will be especially taken into consideration will be those in which G. Breuer must keep information and/or documentation that are required by law, because of fraud prevention in relation to any of its services, possible investigations, infringement of terms and conditions of the sites of the Firm (included but not limited to possible infringements to intellectual property rights), and/or in order to reply to requests for information from different authorities.

The Firm will take appropriate security measures to protect the Databases and the Personal Data against different risks, such as accidental loss, falsification, accidental destruction, unauthorized access, concealed use of Personal Data or infection by computer virus. To this end, G. Breuer will implement means described in the Security Document, complementary to this Policy.

Likewise, G. Breuer will foresee contingency plans in case of security incidents of the Personal Data to control the damages that may arise.

To the effects of this Policy, it will be understood that a security incident has occurred when Personal Data has been or might have been disclosed to somebody or might have been obtained by somebody who should not have had access to said information, pursuant to the Security Document.

All the employees of G. Breuer are responsible for identifying incidents related to personal data. The employees who identify, or even suspect of, the existence of a Security Incident shall report it immediately to the person in charge of the protection of Personal Data and/or the person responsible for the security, who, in turn, will give notice to the control authority and the Owner of the Data with no further delay, and, if possible, within seventy two (72) hours after having taking cognizance of the incident.

The security measures used by G. Breuer will respect the minimum levels established by the Resolution 47/2018 of the Agency of Access to the Public Information. In order to achieve that, it will ensure implementation of security measures and authentication means, along with the separation of roles and functions of the employees and members, in the access to the data backup systems, particularly, taking into account the following measures:

(i) Identification of assets: an inventory of technological assets storing or managing personal data will be made.

(ii) Definition of responsible persons and responsibilities: access authorizations of owners of technological assets storing or managing personal data within the organization will be defined, notified and provided.

(iii) Verification of the control applications: a periodic update procedure of the inventory, a verification procedure of authorizations and a procedure for new technological assets, defining the assigned responsible person and authorizations will be made.

(iv) System and data access management: the controls of access to each system will be defined. Those users that by their role of administrators can avoid the controls of access defined for the owner will be identified. Said users will be also duly controlled and monitored.

(v) Assignment of permits: a particular, formal and reliable notification of the responsibilities undertaken by each user that has internal access to the systems will be provided.

(vi) Verification of identification and authorization: a system clearly identifying each user, establishing a policy of secure passwords, an access log to the systems, a register of use of the systems, a procedure of user registrations, cancellations and modifications, a limit of access of the administrators to the personal data or a follow- up of his activity, as well as avoidance of use of generic users will be provided.

(vii) Control of physical access to the data center: a control of physical access to the data center will be provided.

(viii) Monitoring of the activity: a clean-up procedure of inactive accounts with access privilege, a limit of interior access to the systems with the same user to a sole coincident account, monitoring and control of the user accounts with special privileges and the identification and analysis of failed authentication attempts will be defined.

In cases where G. Breuer acts as Controller of the Information and Personal Data, same will be only assigned or transferred to third parties for the fulfillment of purposes that are directly related to the legitimate interest of the assignor and the assignee and following express consent of the owner of the Personal Data, who must be informed about the purpose of the assignment and identify the assignee (or the elements that allow to do so).

In cases where G. Breuer acts as Processor of Information and Personal Data, it shall act in accordance with the written instructions provided by the Controller, refraining from any action involving use of the data for a purpose other than the agreed one.

In case where G. Breuer delegates by itself (when acting as Processor), or with a written authorization granted by the responsible person (when acting as Controller), the Processing of Information and Personal Data to a third party, an agreement shall be signed between them stating at least the following:

(i)  The processing will be made under exclusive instructions provided by G. Breuer;

(ii)  The third party (processor) shall adopt security measures established by law;

(iii)  Duty of discretion and confidentiality with respect to the Personal data for an indefinite period;

(iv) The Personal Data will be used and processed by the third party exclusively contracted for the purpose established in the agreement and authorized by the owner of the Personal Data;

(v)  Prohibition of assignment to third parties, not even for storage purposes;

(vi)  Destruction of Personal data upon agreement termination;

In case there is a possibility of new contracts, in which case the data may be stored for a maximum term of up to two years after the agreement termination.

G. Breuer will seek to ensure that the contracting is made with third parties that have an adequate policy of privacy and processing of Personal Data. The agreements will contain the subject matter, scope, content, duration, nature and purpose of the data processing, the type of personal data, the categories of the data owners and obligations and responsibilities of the Controller and Processor of the processing.

In case of international transfer of Personal Data to third countries, if the receiving country does not have adequate legislation for the protection of Personal Data in accordance with the applicable regulation (particularly, the Provision 60-E/2016 of the National Office for the Protection of Personal Data), G. Breuer will take reasonable measures to maintain an adequate protection level of the Personal Data in transfer.

To that effect and in accordance with the legislation, one of the following requirements shall be adopted:

(i)  Obtaining the express consent of the Data Owner, clearly indicating that the jurisdiction of the receiver of the personal data does not have adequate levels of protection;

(ii)  The adequate levels of protection shall stem from an international transfer agreement (in line with the models included in the Provision 60-E/2016) or from systems of self-regulation.

The general principle is that, once the personal data have ceased to be necessary or relevant to the purposes for which it has been collected, G. Breuer shall proceed to destroy it.

In this sense, G. Breuer shall delete the Personal Data available in the systems as well as on paper support or any other storage device, using a secure and adequate deletion mechanism as long as it complies with the legislation in force, when one of the following conditions is verified:

(i)  Inasmuch as the data lose its utility pursuant to the purpose of the Processing;

(ii)  The data owner revokes the consent on which the data processing is based and it is not protected in no other legal basis;

(iii)  The data owner has exercised his right of opposition, and there are no other legitimate grounds for the processing of his data;

(iv)  The personal data have been illegally processed;

(v)  The personal data must be eliminated in order to comply with a legal obligation;

Deletion thereof will be made once all terms, and corresponding legal or agreement provisions, pursuant to which the Firm is under obligation to keep the documentation (for example, commercial tax, social security documents, etc.) are fulfilled. The deletion will be also made provided it does not cause perjury to the rights or lawful interests of third parties and/or reasons of public interests do not prevail over the data processing in question and/or the data processing is necessary for exercising the right to freedom of expression and information, in accordance with the Clause 5 of this Policy.

In case of receiving a requirement from a competent administrative or judicial authority releasing the Firm from its obligation of professional secrecy and compelling it to disclose information and/or personal data of the clients, the Firm will take all necessary measures to protect the privacy thereof and take care of the disclosure so that it is strictly adjusted to the request, limiting, if appropriate, any request of access to the information that may seem excessive or out of the legal parameters.

In the collection of Personal Data for advertising, newsletters and promotions, G. Breuer will be able to process Personal Data that is suitable for establishing certain profiles when same appear in the documents available to the public, or have been provided by the owners themselves or obtained with their consent in any manner, including but not limiting to the acceptance of the Privacy Policy placed on the sites of G. Breuer

As to the delivery of the communications, G. Breuer will adopt the principle by which in the first place the addressees of said communications will give their express consent in a general manner (opt-in) before receiving them. After that, the addressees will be able to define the types of communications they wish to receive and which do not, or to reject advertising deliveries (opt- out). To this end, the possibility of the Data Owner to request the withdrawal or blocking -in a partial or total manner- of his name from the Database shall be indicated, in an express and prominent manner, in any communication with advertising or promotion purposes. Likewise, the name of the responsible person or user of the Data Bank that provided the information shall be informed (if appropriate).

G. Breuer will follow the local rulings referred to the texts and captions required for marketing and advertising actions. Thus, in accordance with the Provision 4/2009 of the National Office for Protection of Personal Data, any communication with advertising purposes shall:

(i) Inform the owner about the right to withdraw or block in a partial or total manner his name from the database and the means provided to do so;

(ii) Include the transcription of the section 27, subsection 3, of the Act 25.326 (or, otherwise, the text that the law provides): “The owner may at any time request the withdrawal or blocking of his name from any of the data banks referred to in this Section.” Along with this section, the transcription of the third paragraph of the section 27 of the Annex I of the Decree 1558/01 shall be included (or, otherwise, the text that the law provides): “In all communication with advertising purposes that is done by mail, telephone, e-mail, Internet or any other media, it must be stated, in an express and prominent manner, the possibility of the data owner to request the withdrawal or blocking, either in a total or partial manner, of his name from the database. At the request of the interested party, the name of the responsible person or user of the data bank who provided the information shall be informed”; and

(iii) In case of communications of direct advertising, which were not required or consented previously by the data owner, it has to be warned in a prominent manner that it is an advertising (and if same is done by email, a sole term “advertising” must be inserted in the headline.)

G. Breuer will appoint a “Data Protection Officer”, who will be in charge of the following functions:

(i)  Informing and reporting to the Firm and the Security Responsible Officer, as well the employees, on their obligations, stemmed from the data protection regulations;

(ii)  Boosting and participating in the design and application of a data protection policy that provides data processing made by the Firm;

(iii)  Supervising the compliance of the legislation and the Data Protection;

(iv)  Assigning responsibilities, raise awareness and prepare the staff, and perform corresponding audits;

(v)  Offering assistance to assess an impact related to the data protection, when there is a high risk of affecting the rights of the data owners, and supervising after its application;

(vi)  Cooperating and acting as a referent before the control authority for any query about the data processing made by the Firm.

G. Breuer agrees to establish a private impact assessment in order to efficiently comply with this Policy and the regulation applied in the processes of engaging third parties or implementing any system, service, technology, application, administrative action, product or initiative, from the design of all of them.

The Firm will control the compliance of this Policy in the regular processes of internal audit for the purpose of assessing the implementation of this Policy and the compliance of the applicable privacy law/regulations.

These audits will include an assessment of effectiveness and quality of the procedures of G. Breuer, documentation, internal control, training procedures, compliance tests and any corrective action taken as a reply to the previous audits and assessments by the regulating entities. A written report summarizing the results of the audit and any suggested corrective action which shall be reported to the Data Protection Officer and/or the Security Responsible Officer (in accordance with the Security Document), who will define solutions and courses of action, shall be supplied at least.

G. Breuer will implement strict measures to maintain the confidentiality of the Information and Personal Data.

Individuals involved in the processing of the Information and Personal Data are under obligation to keep the professional secrecy and maintain the confidentiality regarding same. Such obligation will remain indefinitely even after ending their relationship with the Firm.

The individuals having access to the Personal Data shall sign confidentiality statements, through which they will commit to maintain strict secrecy and confidentiality of the information kept in the Databases which they access and not to share it without an express authorization.

The Personal Data shall not be disclosed without previous consent of the Owner, apart from the exceptions provided in the corresponding legislation and/or previsions of the privacy policies of the sites of G. Breuer. Same may be only disclosed to third parties without the Owner’s consent when:

(i)  It is required for an operation for which the Personal Data have been collected, within the framework of a contractual relationship with the Data Owner;

(ii)  The owner of the Personal Data is informed before the disclosure or at the time of collecting of the Personal Data;

(iii)  The owner of the Personal Data gives his express consent, and/or when the consent is not required by the applicable law;

(iv)  The Personal Data are required by the competent authorities or applicable laws;

(v)  Auditors and lawyers and other professionals who are obliged to keep the professional secrecy have access to the Personal Data;

(vi)  It is at the request of third parties due to an activity that is suspicious and/or contrary to the law, in which case the requested information will be supplied within the scope allowed by the applicable regulations; and/or

(vii)  It is a case included in the point 9 (nine) “Processing of Information and Personal Data by Third Parties”.

G. Breuer will seek to verify the education and previous jobs of the candidates and look for internal and external references about same. The extension of these verifications will depend on the position and responsibilities to undertake.

Likewise, pursuant to the framework of the Resolution No. 11/2018 (Argentine Ministry of Labor, Employment and Social Security) and other supplementary laws, the Firm may request the applicants to submit a certificate of criminal records with an aim of knowing if there is any pending criminal conviction. Under no circumstance the Firm will keep the original or copy thereof, or create a database mentioning such information.

On the other hand, the employment offers of G. Breuer will not contain restrictions for reasons such as race, ethnic group, nationality, ideology, political or union opinion, gender, economic position, social condition, physical characteristics, disability, residence, family responsibilities or criminal records of those individuals who has served the sentence completely.

G. Breuer will seek to train its employees and third parties taking part in the Processing of Information and/or Personal Data on the content of this Policy. In order to do so, it will provide regular mandatory trainings to its employees and make public this Policy on the G. Breuer site, so that it can be visited at any moment.

Infringement of this Policy will be considered as a serious offense and punished accordingly.

In case of non-compliance, G. Breuer will adopt disciplinary measures as it deems appropriate pursuant to the specific characteristics and seriousness of the infringement.

Also, in a case in which the infringement is made by an engaged third party, it will suffice to rescind without prejudice of the actions for damages that may correspond by law.