PERSONAL DATA PROTECTION POLICY
DELENCANTO FOODS S.A.S.

1. Introduction:

DELENCANTO FOODS S.A.S., hereinafter referred to as “DELENCANTO,” is an Ecuadorian company committed to national agro-industrial development, focused on the production and commercialization of foods made from locally sourced raw materials. DELENCANTO deeply values the privacy, intimacy, identity, and dignity of its employees, consumers, clients, users, suppliers, and, in general, all individuals who provide personal data within the context of commercial, labor, or professional relationships. Accordingly, this Personal Data Protection Policy outlines the practices and procedures to which DELENCANTO is committed in order to ensure compliance with Ecuadorian regulations on personal data protection.DELENCANTO FOODS S.A.S., hereinafter referred to as “DELENCANTO,” is an Ecuadorian company committed to national agro-industrial development, focused on the production and commercialization of foods made from locally sourced raw materials. DELENCANTO deeply values the privacy, intimacy, identity, and dignity of its employees, consumers, clients, users, suppliers, and, in general, all individuals who provide personal data within the context of commercial, labor, or professional relationships. Accordingly, this Personal Data Protection Policy outlines the practices and procedures to which DELENCANTO is committed in order to ensure compliance with Ecuadorian regulations on personal data protection.

2. Scope:

In accordance with Article 47, numeral 4 of the Organic Law on Personal Data Protection (“OLPPD”), concerning the obligation to implement personal data protection policies, DELENCANTO issues this Policy applicable to the organization and all Databases and/or Documentation containing Personal Data and subject to processing by DELENCANTO. This policy aims to establish the principles and rules to be applied for the collection, processing, and potential transfer of personal data of data subjects with whom DELENCANTO maintains a relationship.

3. Definitions:

For the purposes of this policy, the following definitions shall apply:
  • Anonymization: The process by which the identification of the data subject is made impossible by eliminating or altering personal information that would allow their identification.
  • Database: The organized set of data, regardless of its form, medium, processing, storage, or method of creation.
  • Consent: The unequivocal, free, informed, and specific expression of the data subject’s will, authorizing the data controller to process their personal data.
  • Personal data: Any information that makes a natural person identified or identifiable. This may include information such as name, address, telephone number, email address, credit card number, among others. Personal data should also be understood as biometric data—which can be captured by video, fingerprints, etc.—genetic, credit, health, among others.
  • Sensitive data: Personal data that affects the data subject’s privacy or whose misuse may lead to discrimination, such as sexual orientation, political affiliation, religion, among others.
  • Personal Data Protection Officer: The person responsible for informing the data (vii) controller and data processors of their obligations and ensuring compliance with regulations related to personal data protection, and cooperating with the Personal Data Protection Authority.
  • ARCO Rights: A set of rights that data subjects have, such as Access, Rectification, Erasure, and Objection to the processing of their personal data.
  • Data processor: The natural or legal person who processes personal data on behalf of the data controller.
  • Incident affecting the security of personal data or personal data breach: A personal data security incident is any event or situation that compromises the integrity, availability, confidentiality, or rights of the data subject.
  • Identifiable Person: A person is considered identifiable when their identity can be determined directly or indirectly, provided this does not require disproportionate time or effort.
  • Data Portability: The right of the data subject to receive their personal data in a structured, commonly used, and readable format.
  • Collection: The process by which a person’s personal data is obtained.
  • Data Controller: The natural or legal person who decides on the purposes and means of processing personal data.
  • Personal Data Security: The measures taken to protect personal data against loss, theft, misuse, unauthorized access, modification, or destruction.
  • Pseudonymization: The process by which the data subject’s personal information is replaced by an identifier or alias, with the aim of protecting the data subject’s privacy.
  • Third Party: A natural or legal person, public authority, agency, or body other than the data subject, the data controller, the data processor, and the persons authorized to process personal data under the direct authority of the data controller.
  • Data Subject: The natural person whose personal data is being processed.
  • Transfer or Communication: The process by which personal data is shared with a third party other than the data subject, controller, or processor.
  • Data Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, disclosure, transfer, and deletion.

4. Principles of Processing:

This policy is based on the fundamental principles of personal data protection in Ecuador, as established by the Constitution, the OLPPD, its General Regulations, and other related regulations. DELENCANTO undertakes to apply the following principles:
  • Legality: Personal data will be processed in strict adherence to and compliance with the principles, rights, and obligations established in the Constitution, international instruments, the LOPDP (Property and Personal Data Protection Act), its Regulations, this Policy, and other applicable regulations and jurisprudence.
  • Loyalty: Personal data will be processed fairly and may never be processed through illegal or unfair means or for unlawful purposes.
  • Transparency: Personal data will be processed transparently, so all information or communication related to this processing will be accessible and easy to understand, using simple and clear language.
  • Purpose: The purposes of the processing will be determined, explicit, legitimate, and communicated to the data subject.
  • Relevance and minimization of personal data: Personal data must be relevant and limited to what is strictly necessary to fulfill the purpose of the processing.
  • Proportionality of processing: Processing must be adequate, necessary, timely, relevant, and not excessive in relation to the purposes.
  • Confidentiality: Personal data will be processed confidentially.
  • Quality and accuracy: The personal data processed by DELENCANTO will be accurate, complete, precise, complete, verifiable, and clear; and, where applicable, duly updated; in such a way that their veracity is not altered to the extent permitted by technical and organizational measures.
  • Retention: Personal data will be retained for no longer than necessary to fulfill the purpose of their processing or as required by law. DELENCANTO will establish deadlines and procedures for deletion or elimination in accordance with the provisions of the LOPDP (Spanish Data Protection Act).
  • Personal Data Security: DELENCANTO will carry out all necessary activities to implement appropriate security measures, whether organizational, technical, or otherwise, to protect personal data against any risk, threat, or vulnerability, taking into account the nature of the personal data, the scope, and the context.
  • Proactive and Demonstrated Responsibility: DELENCANTO will implement mechanisms for the protection of personal data in compliance with the principles, rights, and obligations established in the LOPDP (Spanish Data Protection Act), adhering to best practices in this area and seeking efficiency in its adopted measures.

5. Data Processors:

DELENCANTO may entrust the processing of personal data to direct employees, as well as to external providers, solely for the purposes for which such data was obtained and with the limitations and stipulations mandated by law and the applicable regulations. All data processors, pursuant to Section 10 of Article 47 of the Organic Law on Personal Data Protection, shall sign confidentiality and appropriate personal data handling agreements, including a penalty clause and the possibility of recourse against them for breach of their obligations regarding the processing of personal data. Data processors, whether internal or external, shall be directly responsible for the processing activities on an individual basis and must therefore guarantee an adequate level of protection for the processing of data, considering its nature, volume, potential risks, threats, and vulnerabilities, as well as other considerations established by law. DELENCANTO has the authority to terminate the contract with the data processor and apply penalties if a breach is verified. If applicable, it will inform the data subjects and the civil, administrative, and criminal authorities for the corresponding investigation. If the breach is committed by an employee, the respective internal, civil, and labor sanctions will be applied. Once the processing of the data for which they were delegated has been completed, the data processors are obligated to delete or return the data in their possession without exception. All data processors declare that they are aware of their obligation to allow any type of audit or investigation by the Controller or the Authority at any time. Furthermore, the data processors declare that they are aware of and accept the internal protocols for handling requests to exercise rights and identifying and reporting information security breaches.

6.Security Measures:

In compliance with Articles 37, 39, 40, and 41 of the OLPPD and related regulations, DELENCANTO shall implement and maintain appropriate technical, organizational, legal, and IT security measures based on risk assessments considering the nature and volume of the personal data processed.

7. Data Collection and Processing:

DELENCANTO, within its processes, is responsible for collecting data from visitors, employees, collaborators, partners, clients, suppliers, dependents, and other individuals who maintain a relationship with DELENCANTO. Personal data is collected through various means, whether digital or physical, always within a framework of transparency and legitimate processing. The data subject’s free consent is sought in all cases where required, for informed, specific purposes, communicated transparently, and in compliance with the provisions of the LOPDP (Personal Data Protection Act) and binding regulations. Specifically, data may be obtained and processed provided that at least one of the following legitimate grounds exists:
  • Free, unequivocal, specific, and informed consent of the data subject.
  • Existence of a contractual relationship between the data controller and the data subject.
  • Legal mandate.
  • Need to implement pre-contractual measures at the request of the data subject.
  • Need to protect the vital interests of the data subject or another natural person.
  • Legitimate interest of the Data Controller, taking into account the balancing principle.
  • When the data comes from a publicly accessible database
The data collected and processed may include, but is not limited to: names, dates of birth, home addresses, telephone numbers, email addresses, gender, age, personal image, financial status and transactions; in any case, only the data necessary to fulfill the purpose of the processing will be processed, applying the minimization principle. All collection and processing of personal data is carried out in strict compliance with the provisions of the LOPDP (Spanish Data Protection Act), and the rights of data subjects are guaranteed.

8. Purposes of Processing:

DELENCANTO communicates that personal data collected will be processed according to specific, legitimate purposes relevant to the nature of the relationship between DELENCANTO and the data subject. These include:

8.1. In relation to clients, consumers, visitors, and event participants:

  • Commercial and customer relationship management: Manage the sales, distribution, and delivery process of products, including order processing, invoicing, after-sales follow-up, and warranty management.
  • Employees, Suppliers, Contractors: HR management, legal compliance, supplier evaluation, payment processing, and site security.
  • Promotional and marketing activities: Send information about promotions, new product launches, events, and other commercial activities that may be of interest to customers, provided the data subject’s consent is obtained.
  • Satisfaction surveys and market research: Conduct surveys to evaluate the quality of products and services, as well as market research to improve the commercial offering.
  • Compliance with legal and contractual obligations: Process personal data to comply with legal, tax, accounting, and contractual obligations arising from the relationship with the customer.

8.2. In relation to employees, collaborators, suppliers, and contractors:

  • Human talent management: Manage staff selection, hiring, evaluation, training, development, and termination processes.
  • Labor relations and compliance with legal obligations: Manage the employment relationship, including compliance with obligations related to social security, occupational health, occupational risk prevention, and other applicable legal provisions.
  • Supplier and contractor management: Evaluate, select, and manage the relationship with suppliers and contractors, including verifying compliance with legal, technical, and financial requirements.
  • Payment and invoicing management: Process payments, issue invoices, and carry out accounting and financial procedures related to the contractual relationship.
  • Security and access control: Ensure the security of facilities, assets, and people through access control and the implementation of surveillance measures.

8.3. Regarding job applicants and interns:

  • Selection and recruitment processes: Evaluate and select candidates to fill vacancies within the company, including checking references and employment history.
  • Internship and internship management: Manage internship and pre-professional internship programs, including assigning tasks, monitoring, and evaluating performance.

8.4. General purposes applicable to all data subjects:

  • Compliance with legal and regulatory standards: Ensure compliance with the legal and regulatory provisions applicable to DELENCANTO’s activities.
  • Risk management and audits: Conduct internal and external audits, as well as risk assessments, to ensure the integrity and efficiency of business processes.
  • Attending to requests from competent authorities: Responding to requests for information from judicial, administrative, or supervisory authorities, within the framework of legal proceedings or investigations.
  • Continuous improvement of processes and services: Analyze data to improve internal processes, product quality, and customer satisfaction
DELENCANTO is committed to processing personal data in accordance with the principles of legality, loyalty, transparency, purpose, data minimization, accuracy, retention period limitation, integrity, confidentiality, and proactive accountability, in accordance with the provisions of the Organic Law on Personal Data Protection of Ecuador. This list is not limited to the aforementioned purposes and the specific determination of the purpose. This will depend on each relationship between the different Data Subjects and DELENCANTO; in any case, the purpose will be communicated to the Data Subjects. Data Subjects will never be subject to a decision based solely or partially on automated assessments, and DELENCANTO undertakes to process their data in strict compliance with the LOPDP and other binding regulations. For each processing activity, DELENCANTO will prepare and maintain a Processing Activities Record Matrix (RAT), which the Data Subject may access upon request. This matrix will specify the purposes and legitimate grounds that, in each case, motivate and justify the processing, from collection to deletion or anonymization. Furthermore, this matrix will describe each of the processing activities, including assignments and transfers.

9. Processing Operations:

Personal data processing includes, but is not limited to: collection, storage, use, disclosure, transfer, deletion, anonymization, and other permitted uses under the OLPPD. All processing activities are registered and justified in the RAT.

10. Data Transfers:

DELENCANTO shall transfer personal data only for the purposes consented to by the data subject or as required by law or contract, in accordance with Article 33 of the OLPPD. Any international transfers will comply with applicable legal safeguards, ensuring adequate data protection.

11. Data Retention:

Retention periods will depend on the nature of the relationship with the data subject and the purpose for which the data were collected. Personal data will be retained for the duration of the contractual relationship and any legally required period thereafter. Once expired, DELENCANTO will delete, anonymize, or pseudonymous the data.

12. Special Category Data:

As a general rule, DELENCANTO does not process sensitive personal data unless justified under Article 26 of the OLPPD. When necessary (e.g., health data), DELENCANTO ensures minimal collection, confidentiality, and compliance with applicable regulations.

13. Data Subject Rights:

DELENCANTO guarantees compliance with the rights guaranteed to personal data subjects in the LOPDP (Spanish Data Protection Act). To this end, it maintains appropriate internal procedures for receiving, analyzing, and resolving data subjects’ requests, as well as ongoing monitoring to verify compliance with their rights in relation to the Rights of Access, Rectification and Update, Deletion, Objection, and Portability, among others. The following stipulations will be taken into account: i. Right of Access: The personal data subject(s), or their legal representatives, whose data are processed by DELENCANTO, have the right to know and obtain, free of charge, all their personal data and the details of the processing of said data, without needing to provide any justification. DELENCANTO provides the “Form for the Exercise of the Rights of Access, Rectification, Cancellation, and Objection (ARCO)” and guarantees that once this form is received, it will be addressed within fifteen (15) days. ii. Right to rectification and update: The data subject(s) whose personal data are processed by DELENCANTO, or their legal representatives, have the right to have their inaccurate or incomplete personal data rectified and updated. To exercise this right, DELENCANTO provides the “Form for the Exercise of the Rights of Access, Rectification, Cancellation, and Opposition (ARCO)”, which contains a field where the data subject(s) must submit supporting documentation for their request. DELENCANTO guarantees a response within fifteen (15) days. iii. Right to deletion: Personal data may be deleted, at the request of the data subject(s) in the cases established in the LOPDP (Spanish Data Protection Act). To this end, DELENCANTO provides data subjects with the “Form for the Exercise of the Rights of Access, Rectification, Cancellation, and Opposition (ARCO)” and guarantees a response to these requests within fifteen (15) days of receiving the request from the data subject. iv. Right to object: The data subject(s) whose data are processed by DELENCANTO have the right to object to the processing of their data in the cases established in the LOPDP (Spanish Data Protection Act). To this end, DELENCANTO makes available to data subjects the “Form for the Exercise of the Rights of Access, Rectification, Cancellation, and Opposition (ARCO)” and guarantees a response to these requests within fifteen (15) days of receiving the request from the data subject. v. Right to portability: The data subject(s) whose data are processed by DELENCANTO have the right to receive their personal data in a compatible, updated, structured, common, interoperable, and machine-readable format, preserving their characteristics; or, upon express request by the data subject, to transfer their data to another new data controller when technically possible, provided that one of the conditions established in the Law is met. For this purpose, DELENCANTO makes available to data subjects the Right to Portability Request Form. vi. Revocation of consent: If consent is granted for the processing of personal data, the decision to revoke it will be made through the process established by DELENCANTO. For this purpose, DELENCANTO makes the Consent Revocation Form available to data subjects. The forms for exercising rights can be requested from the company at any time. The exercise of rights will be subject to analysis by DELENCANTO to determine whether the request to exercise rights is admissible or not. The data subject will be notified in the terms and manner provided by the Law and its Regulations.

14. Notification of Data Breaches:

DELENCANTO will implement all technical, organizational, and other measures to minimize risks, threats, and vulnerabilities. It will be especially diligent in maintaining the security of its own information and that of its processors and will ensure that all processes, from the design stage and by default, maintain an adequate level of protection. If DELENCANTO detects a breach of its information security that may pose a risk to the fundamental rights and individual freedoms of data subjects, it will activate the protocol previously established for this purpose and notify each data subject and the corresponding supervisory authorities, taking into account the provisions of Article 46 of the LOPDP (Spanish Data Protection Act). A risk to the fundamental rights and individual freedoms of data subjects is considered to exist in the following cases: i. When the data has been destroyed, no longer exists, or is no longer available in a form that is useful to the data controller; ii. When the personal data has been altered, corrupted, or is incomplete; iii. When the data controller has lost control or access to the data, or the data is no longer in its possession; or iv. When the processing has not been authorized or is unlawful, which includes the disclosure of personal data or access by recipients who are not authorized to receive or access the data, or any other form of processing carried out in violation of the provisions of the Law.

15. Policy Updates:

This policy may be updated at any time. Pursuant to Article 76 of the OLPPD, it may also be modified following official guidelines issued by the Data Protection Authority.

16. Data Controller Contact Information:

Data Controller Contact Information: For any rights-related requests or data protection inquiries, data subjects may contact: Company Name: Delencanto Foods S.A.S Tax ID: 1793191092001 Current Legal Representative: Andrea Carolina Miño Lara Address: Oriente S/N y García Moreno, Calacalí, Ecuador Email: info@delencantoec.com Phone: +593 96 352 4576

17. Change and/or Revision History

Update Date Version N°: Description of Changes Reason for the Update
28-04-2025 1

17. Change and/or Revision History

Update Date 28-04-2025
Version N° 1
Description of Changes
Reason for the Update