Introduction and General Guidelines
This Policy for the Treatment and Protection of Personal Data (the “Policy”) of JJ Associates (“Company”) establishes the criteria that must be applied for the treatment and protection of Personal Data, such as the collection, storage, use, circulation, elimination, and, in general, all those activities that imply the Treatment of Personal Data.
Likewise, the purpose of this policy is to provide a common understanding of the Company’s data as a critical resource for the business line and to establish the responsibilities that accompany the use of this data and its management by all employees of JJ Associates.
Company data is defined as any information that is created, collected, and stored by the Company or any office of the Company in support of its functions. Such data may relate to employees, customers, customers of our customers, or other members of the Company. This includes both current and former employees, customers, customers of our customers, and other members of the Company, which may consist of personal, financial, medical, or job performance information.
Our customers’ data is one of JJ Associates’ most valuable resources and represents a significant investment. Sound data management policies, procedures, and practices will effectively support informed decision-making based on real data that can significantly contribute to furthering the Company’s strategic directions. Our data management policies, procedures, and practices are designed to safeguard three vital aspects of data: Integrity, Security, and Access.
Data integrity includes the qualities of accuracy, consistency, and timeliness. Such data is a company resource that can be used by many users and is trustworthy. Data integrity begins with the person or office that creates the data, and it is the responsibility of the IT department and every office in JJ Associates to ensure that it exists.
Data security encompasses more than electronic security. While some aspects of security may be assured by technology, security also encompasses a measure of trust. As a business-critical company resource, data must be safeguarded at all levels against damage, loss, corruption, and security breaches, and all users share this responsibility.
Access to institutional data is granted internally when there is a demonstrated legitimate business or research need for the data and externally when disclosure of such data would not violate obligations, privacy legislation, or legal contracts. Whenever possible, data should be collected at the source and made available to all members of the Company who have a legitimate business need for the data for commercial purposes.
1. Definitions
These terms correspond to generalities and guidelines regarding the protection of personal data, which should be interpreted in accordance with the regulations governing each country.
- Personal data: Any information linked to, or that can be associated with, a specific person (such as a name or identification number) or that can make that person determinable (such as physical features).
- Public data: One of the existing types of personal data. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins, and duly executed court rulings that are not subject to reserve.
- Semi-private data: Data that are not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to the owner but also to a certain sector or society in general. Financial and credit data from commercial or service activities are some examples.
- Private data: Data that, due to its intimate or reserved nature, is only relevant to the holder. The tastes or preferences of individuals, for example, correspond to private data.
- Sensitive data: Information of a personal nature that reveals, for example but not limited to: racial or ethnic origin, political preferences, religious convictions or beliefs, sexual orientation, self-determination in its different spheres, exercise of the right to privacy, exercise of the right to freedom of expression, unionization, political affiliations, membership in social groups, information on the person’s health status, biometric data, among others.
- Authorization: The consent given by the Data Subject so that the companies or persons responsible for the processing of information can use their personal data.
- Database: Organized set of personal data that is subject to processing and use.
- Data processor: The natural or legal person who carries out the processing of personal data, based on a delegation made by the data controller, receiving instructions about the way in which the data should be managed.
- Data controller: The natural or legal person, public or private, who decides on the purpose of the databases and/or the use of the data.
- Data subject: The natural person whose personal data is the object of processing.
- Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression.
- Privacy notice: One of the verbal or written communication options granted by law to inform the Data Subjects of the existence of, and the ways to access, the information processing policies, as well as the purpose of the collection and use of their data.
- Data protection officer: Person responsible for supervising and controlling that the measures on the treatment of personal data implemented by the company are fully complied with, and who, in turn, becomes responsible for the treatment of such data.
- Data transmission: Processing of personal data that involves the communication of such data within or outside the territory of each country, when the purpose of the processing is to be carried out by the Data Processor on behalf of the Data Controller.
- Transfer of data: The transfer, by the Data Controller or the Data Processor, of the information or personal data to another person or public or private entity, which in turn becomes responsible for the processing of the data and which may be located within or outside of each country.
2. General Principles
- Principle of legality: The processing referred to in the law is a regulated activity that must be subject to the provisions of the law and other provisions that develop it.
- Principle of purpose: The processing must obey a legitimate purpose in accordance with the laws that regulate it, which must be informed to the Data Subject.
- Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal mandate that waives the consent requirement.
- Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
- Principle of transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the Processing.
- Principle of restricted access: Processing is subject to the limits that derive from the nature of the personal data and from the provisions of the laws that regulate it. Processing may only be carried out by persons authorized by the Data Controller and/or by the persons provided for in the laws that regulate it.
- Principle of security: The information subject to Processing by the Data Controller or Data Processor referred to in the laws that regulate it shall be handled with the technical, human and administrative measures necessary to secure the records, avoiding their adulteration, loss, consultation, use, or unauthorized or fraudulent access.
- Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized by law and under the terms of this.
3. Responsible for Data Processing
Any request, complaint or claim related to the handling of personal data, in application of the provisions of the law of each country, should be sent to:
Name: JJ Associates
Telephone number: +1 (205) 843-1921
Principal Data Protection Officer: IT Manager
Alternate Data Protection Officer: COO
Email: dataprotection@jj-associate.com
Website: https://www.jj-associate.com
4. General Provisions set forth in the GDPR (General Data Protection Regulation)
The GDPR develops the right to know, update and rectify the information collected in databases, and the other rights, freedoms and guarantees (the right to privacy and the right to information, respectively). Considering the way a database is stored, a distinction can be made between automated databases and manual databases or archives. Automated databases are those that are stored and managed with the help of computer tools. Manual databases or archives are those whose information is organized and stored in a physical form, such as supplier order forms containing personal information relating to the supplier (name, identification, telephone numbers, e-mail addresses, etc.).
The guidelines exempt from the protection regime the following:
(i) files and databases belonging to the personal or domestic sphere;
(ii) those whose purpose is national security and defense, or the prevention, detection, monitoring and control of money laundering and financing of terrorism;
(iii) those whose purpose is to contain intelligence and counterintelligence information;
(iv) journalistic information and other editorial content;
(v) financial, credit, commercial and service information, and information from third countries; and
(vi) information on population and housing censuses.
5. Confidentiality Guarantee
At JJ Associates, all employee and customer information of a personal nature is handled with the utmost confidentiality. Internally, different controls and processes are managed to ensure that all information is handled confidentially.
A. Employees
Virtual Databases
The Human Resources and Recruitment team maintains confidential databases to which only the department has access. Additionally, everything is handled by Google Drive, an encrypted storage system that meets the highest standards of confidentiality.
Physical Databases
As far as possible, JJ Associates refrains from storing physical documents concerning employees. When a document is received, the team in charge scans it and stores it within the private shared drive where the relevant client information is stored.
B. Clients
Virtual Storage Units (“Drives”)
Each JJ Associates office has established protocols for the storage and handling of client information. In general, JJ Associates has computer programs that comply with the following standards. The main storage resource is the Google Drive “cloud,” a protected service for the exclusive use of JJ Associates members.
Physical Storage Units
Additionally, for the handling of customer data, JJ Associates has physical storage units for the storage of physical customer documents. These units are usually secured or padlocked cabinets, with restricted access granted only to employees working directly with the client or to office managers.
As in previous points, JJ Associates takes care not to store physical information in any of its locations as much as possible. Most of the time, JJ Associates stores information virtually with the highest security standards.
6. Comprehensive Data Protection Program
Program Controls
1. Classification of personal data
The data that the company processes is defined and classified as follows:
- General identification data such as: first name, last name, type of identification, identification number, date and place of issue, name, marital status, sex, etc.
- Specific identification data such as: signature, nationality, electronic signature, other identification documents, place and date of birth, age, etc.
- Biometric data such as: fingerprints, photographs, videos, etc.
- Location data related to the private activity of individuals such as: address, telephone, e-mail, etc.
- Data related to the person’s health in terms of orders and list of complementary tests such as laboratory, imaging, endoscopies, pathological studies, etc.
- Data on persons with disabilities.
- Data related to the person’s work history, work experience, position, dates of entry and retirement, annotations, calls for attention, etc.
- Data related to the person’s educational level, training, and/or academic history, etc.
- General data related to affiliation and contributions to the social security systems of each country.
- Personal data of access to information systems such as: users, IP, passwords, profiles, etc.
2. Personal Data Protection Committee
The Personal Data Protection Committee will be made up of:
- The Group Operations Manager of the company.
- The Chief Data Protection Officer.
- The Deputy Data Protection Officer.
Duties of the Members of the Personal Data Protection Committee:
- The committee shall meet in January of each year. The following topics will be discussed at this meeting:
  - Current status of data protection compliance in all JJ Associates offices.
  - Review of particular cases where action needs to be taken.
  - Review of the “checklists” of all offices detailing compliance with the provisions of this policy.
From the member of each department that manages databases within the company:
- Annual data report addressed to the Data Protection Officer of the group by each of the departments of JJ Associates, including the updating of all databases, if applicable.
- That within the report submitted to the Data Protection Officer, an assessment is made of the relevance and necessity of the data held in the databases for which they are responsible, in order to determine whether they are still being used or whether, on the contrary, they should be deleted.
From the Data Protection Officer:
- Semi-annual data report addressed to the Senior Management of the company regarding the reports submitted by each of the departments of JJ Associates, in which all databases are included.
- Follow up on the controls, evaluation, and review of the Integral Personal Data Protection Management Program and present a report on the progress of its management at least once a year within the framework of the Personal Data Protection Committee.
- Supervise, coordinate efforts among the group’s departments and provide effective response to requests from holders for the exercise of rights.
- Control that the databases reported to the SIC are kept intact and unaltered.
- Evaluate that the data processed within JJ Associates continues to comply with the purpose for which they were collected, in accordance with the principles of necessity and relevance of personal data. If this is not the case, instruct the team responsible for their elimination from the databases.
- Liaise and coordinate with the other areas of JJ Associates that manage databases to ensure a cross-cutting implementation of the Integral Personal Data Management Program.
- Report, update, supervise, and approve the databases in the Database Registry in accordance with the regulations of each country.
- Accompany and assist JJ Associates in the inspection visits and requirements made by the designated authorities to verify compliance with the laws on personal data protection in each country.
- Submit reports or progress reports on the status of the comprehensive data protection management program that the control bodies require on personal data protection.
- Any other functions established by the regulations related to personal data protection.
- Conduct training around the JJ Associates data policy to new employees of the group.
- Conduct refresher training around current legislation, as well as JJ Associates’ data policy.
- Promote a culture of personal data protection through awareness-raising activities for employees and senior management of JJ Associates, which should respond to the organization’s internal data management cycles.
From the company’s Senior Management:
- Lead decision-making around the personal data protection policy, based on the reports received from the Data Protection Officer.
- Articulate efforts, resources, methodologies, and strategies to ensure the implementation, sustainability, and improvement of the Integrated Personal Data Protection Management Program.
7. Duties of the Data Controller
JJ Associates, in addition to being the authority for the protection of personal data, has the status of Data Controller for the databases created by the entity. Consequently, the Data Controllers must comply with the following duties, without prejudice to the other provisions of the laws governing their activities:
- Guarantee the Data Subject, at all times, the full and effective exercise of the right to protection of personal data.
- Request and keep, under the conditions provided for in the laws governing the matter, a copy of the respective authorization granted by the Data Subject.
- Duly inform the Data Subject about the purpose of the collection and the rights they are entitled to by virtue of the authorization granted.
- Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
- Ensure that the information provided to the Data Processor is truthful, complete, accurate, current, verifiable, and understandable.
- Update the information, communicating in a timely manner to the Data Processor, all developments with respect to the data previously provided, and take other necessary measures to ensure that the information provided to this is kept up to date.
- Rectify the information when it is incorrect and communicate the relevant information to the Data Processor.
- Provide the Data Processor, as the case may be, only data whose processing is previously authorized in accordance with the provisions of this law.
- Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.
- Inform the Data Subject, upon request, about the use given to their data.
The Data Processors shall comply with the following duties, without prejudice to the other provisions set forth in the laws governing their activity:
- Guarantee the Data Subject, at all times, the full and effective exercise of the right to protection of personal data.
- Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
- Timely update, rectify, or delete data in accordance with the terms of the laws in force in each country.
8. Rights of the Holders
The holders of the personal data shall have the following rights:
(a) To know, update, and rectify their personal data before the Data Controllers or Data Processors. This right may be exercised, among others, against partial, inaccurate, incomplete, fractioned, misleading data, or data whose processing is expressly prohibited or has not been authorized.
(b) Request proof of the authorization granted to the Data Controller, except when expressly exempted as a requirement for the Processing, in accordance with the provisions of the GDPR.
(c) Be informed by the Data Controller or the Data Processor, upon request, regarding the use given to their personal data.
(d) To revoke the authorization and/or request the deletion of the data when the Processing does not respect the principles, rights, and constitutional and legal guarantees. The revocation and/or deletion will proceed when the entity in charge of each country has determined that JJ Associates or the person in charge has incurred in conduct contrary to the law of each country.
(e) To access, free of charge, their personal data that has been subject to Processing.
9. Processing
The information provided to JJ Associates by customers, suppliers, employees, and shareholders is processed for the following purposes, without being limited to those listed:
- The proper provision of the services contracted with JJ Associates.
- To be contacted for product offerings and contract renewals.
- To send you commercial and promotional information or invitations from JJ Associates.
- To manage and operate, directly or through third parties, the processes of selection and recruitment of personnel, including the evaluation and qualification of participants, as well as the verification of employment and personal references, and the performance of security studies.
- For the attention of judicial or administrative requirements and compliance with legal mandates, as well as the provision of information to the competent authorities if required.
- To eventually contact, via email or by any other means, natural persons with whom it has or has had a relationship, employees, shareholders, customers, suppliers, for invitations or meetings with JJ Associates.
- For the development of administrative processes that have to do with employees, customers, suppliers, and/or shareholders in accordance with the corporate purpose of JJ Associates. In the case of suppliers, we seek to know the national services they offer and their commercial behavior.
- Attention to petitions, complaints, claims, and suggestions from customers, suppliers, and employees of JJ Associates, as well as other interested parties.
- Updating of data provided by the owner.
- To respond to requirements from control entities.
- To send information, through corporate mail or any other means of communication about the status of the service, as well as administrative and commercial activities that support the provision and management of the service.
- To carry out the contractual and/or commercial linkage.
- To carry out the economic recognition (payment) for the provision of the service.
- Linkage, identification, and validation of acquired products.
- Recognizing, protecting, and exercising shareholder rights and payment of dividends.
- Compliance and recording of wellness activities, training, and other events conducted by JJ Associates for employees, contractors, suppliers, shareholders, and other interested parties.
- To monitor the security of persons entering the facilities, as well as the organization’s assets.
- In general, for any other purpose arising from the legal nature of JJ Associates.
10. Guidelines on the Use of Data and Information
The Company’s data should be used only by those persons duly authorized to access and use specific data by virtue of their position in the Company, and only for the purpose for which they have been authorized. Authorization to access data is not transferable.
Company data may not be accessed or manipulated for personal gain or for a particular interest. Data users must perform all tasks related to the creation, storage, maintenance, use, distribution, and disposal of Company data responsibly, promptly, and with the greatest possible care.
Data users must not knowingly falsify data, delete data that should not be deleted, or reproduce data that should not be reproduced. Data users must respect the privacy of individuals to whose records they may have access.
Personal information contained in database files may not be disclosed. Disclosure is understood to include, but is not limited to, verbal references or inferences, correspondence, memoranda, and electronic file sharing.
The Company and all its employees will ensure that users are aware of the application of privacy legislation and compliance with it. The appropriate Department Head will grant access to Company data. Its use is subject to the Company’s policies on intellectual property and ethics, as well as applicable privacy legislation.
If there is reasonable evidence that laws or Company policies are being or have been violated, or that continued access threatens the normal operations or reputation of the Company, the Company may withdraw or restrict access privileges to any employee. Any violation of this policy may be grounds for disciplinary action, up to and including termination of employment and criminal prosecution.
11. Technology and Information Management Guidelines
- Maintain the anti-virus system up to date: One of the fundamental pillars of security is to have a good antivirus and antispyware to help protect against viruses, Trojans, spyware, and other malicious software that can damage our computers. It is necessary to keep the antivirus that comes with Windows updated on all computers.
- Do not download suspicious files: It is important not to download unidentified attachments that arrive via e-mail, especially from unidentified senders. Likewise, downloading programs directly from the Internet can bring with it a malicious executable. If you need to download or install software, it is necessary to consult with the IT team.
- Protection against phishing: Banks do not usually request personal information via e-mail or instant messaging. When receiving such emails, before sharing any information, it is essential to verify the origin and veracity of the senders.
- Changing passwords: A recommended practice is not to use the same password for email and computer accounts. A single identity theft could otherwise allow unauthorized access to multiple accounts. Therefore, it is advisable to have a different password for each platform.
- Information management: It is important that JJ Associates' business files are only handled through the company’s G-Suite (Drive), especially in shared drives where all the information of your department is centralized.
- Do not access links from strange sources: A common strategy for information theft is to hide viruses behind links that are sent via chain messages or promotions that may seem harmless. For this reason, no JJ Associates employee is authorized to share sensitive information about their team and/or clients.
- Information about suppliers: Before accessing or purchasing any type of software, it is necessary for the technology department (IT) to be informed. Only with their approval will it be possible to proceed.
- Secure computer information: When leaving the workspace, all employees must block access to their computers in order to protect the information.
12. Database Inventories
JJ Associates will keep a record of all databases of the organization, in order to know, among other things, the data being processed in each process, the purposes of processing, the positions responsible for the databases, updates, database managers, and the creation of new databases.
The Inventory of Personal Data Bases is built with the support of each process leader, who must report the number of databases in their charge at the time of identification and any changes to them when they occur, for example, the inactivation of databases, the creation of new databases, or the updating of the information contained in the databases. These changes must be notified to the personal data protection officer by e-mail.
Keeping the database inventory form updated is of great importance since it is a tool that provides the necessary information to report to the National Registry of Databases (RNBD) of the Superintendence of Industry and Commerce.
The fields of the Database Inventory format are described below:
- No: This is the consecutive number to keep track of the number of databases; it must start at 01.
- Name of the database: Corresponds to the name given to the database.
- Responsible and in charge of the database: Position responsible for the custody and administration of the database.
- Way of Obtaining Personal Data: Collection channel, i.e., the manner in which the information is received. It can be through email, physical delivery, phone call, certified mail, web page, among others.
- Type of Personal Data Contained: Brief list of the information contained in the database. Define whether it contains private, sensitive, or public data.
- Number of Data Holders: This is the number of data subjects registered in the database.
- Data Storage: The place where the database is located. For example, an office, the cloud, a computer, or an own or external server.
- Purpose of Processing: Process for which the information is required internally in the organization.
- Need for the Data: Description of the purpose for which the database is created.
Additionally, there is an annex defined to keep the record of the persons in charge of the databases of JJ Associates, in case they exist.
The purpose of the registry of the database managers is to have clarity on the number of managers the company has, their security measures regarding the information transmitted to them, existing confidentiality agreements to protect the data, and their contacts for personal data protection issues.
13. Additional Security Considerations
JJ Associates, committed to the security of its employees’ and clients’ information, adheres to the following parameters to ensure that personal information is safeguarded in a secure manner:
- Normal office hours of operation will be Monday through Friday between 8 am and 6 pm, and those will be the hours during which employees will be allowed to be present in the office(s).
- No employee shall enter any JJ Associates office outside of the established hours. Only by exception, employees may request written permission from managers or country coordinators to enter or stay longer than permitted in the office, outside of working hours.
- For security reasons, JJ Associates offices are located in buildings with private security and controlled access by building personnel.
- No visitor should be granted access to any JJ Associates office unless accompanied by a member of the JJ Associates team and with formal authorization.
- All visitors must be registered at the reception desk of the building where the JJ Associates office is located.
14. Validity
JJ Associates’ Personal Information Processing Policies will be effective as of December 1, 2024. JJ Associates reserves the right to modify them, under the terms and limitations set forth in the recommendations made by the GDPR. The databases managed by JJ Associates will be maintained indefinitely, as long as it develops its purpose, and as long as necessary to ensure compliance with legal obligations, particularly labor and accounting. However, the data may be deleted at any time at the request of the holder, as long as this request does not contravene a legal obligation of JJ Associates or an obligation contained in a contract between JJ Associates and the Holder.