Protection and Use of Personal Data by Terminal Aeroportuaria de Guayaquil S.A. TAGSA

Who is responsible for processing your personal data?

TERMINAL AEROPORTUARIA DE GUAYAQUIL S.A. TAGSA (“TAGSA”), located at Av. De las Américas and Isidro Ayora, José Joaquín de Olmedo International Airport, Corporate Building, first floor, in accordance with the provisions of the Organic Law on Personal Data Protection (“LOPDP”) and its Regulations (“RLOPDP”), is responsible for processing the personal data covered by this document and makes available this policy on the protection and use of personal data, in order to carry out the processing of your personal data and ensure its protection.

This document shall apply to all processing of personal data of clients with whom TAGSA has a commercial relationship.

This Policy applies not only to the processing of personal data stored electronically, but also includes those archived on paper.

How is your personal data collected?

The data processed by TAGSA will be those provided by the Client for product requests and the maintenance of the contractual relationship, through any channel; in this regard, we obtain your data generated as a result of this relationship, as well as from publicly accessible databases.

When data about third parties is provided, it will be processed as part of the request and for the maintenance of the contractual relationship when it begins. By accepting these conditions regarding the processing of personal data, you consent to this processing, declare that the data is accurate, and have informed these third parties of its content and the corresponding data protection rights. Nevertheless, TAGSA will make every effort to act appropriately in relation to the processing of such third-party data.

The Client acknowledges that the information provided is complete, accurate, and up-to-date, and in the case of providing information about third parties, such as but not limited to their beneficiaries, acknowledges that prior consent was obtained from them to share their Personal and sensitive Data with the data controller.

What personal data is being processed?

Non-sensitive personal data

• Identification data (such as names, surnames, ID number, photograph or image, RUC, appointment of legal representative, passport, aviation license);
• Contact details (such as email address, mobile phone number, home address);
• Personal characteristics (such as marital status, family data, date of birth, place of birth, age, gender, nationality, physical characteristics, religion, sexual orientation, ethnic self-identification, habits such as regular medication use, drugs or alcohol, sports practice, presence of tattoos or scars, laterality);
• Social circumstances (such as properties, possessions, hobbies, lifestyles);
• Academic and professional data (such as education, student history, qualifications, position, professional experience, resumes, professional references, current position, training, work accidents);
• Economic and financial data (such as bank account details, financial situation, credit card data, income data);
• Contractual information, such as data derived from contracted products and services.

Sensitive personal data

In general, TAGSA will only process the Personal Data of children and adolescents when their legal representative has given consent for such processing, when it is necessary to comply with a legal obligation and/or to satisfy a legitimate interest of TAGSA.

However, in accordance with current regulations, adolescents over fifteen (15) years of age and under eighteen (18) years of age may exercise their rights directly before the data controller or the Personal Data Protection Authority.

To this end, the data controller has implemented special actions, measures, and provisions to safeguard the right to personal data protection of children and adolescents.

Likewise, sensitive data including those related to health, biometric data, criminal records, and disability will be processed only with the authorization of the data subject. However, in all these cases, the data may be processed without prior authorization when necessary to comply with a legal obligation, for the defense or sponsorship of an extrajudicial or judicial action, to protect the vital interests of the data subject and/or to satisfy a legitimate interest of the data controller.

TAGSA will process sensitive data only when necessary to fulfill the purposes described below.

How and why are your personal data being processed?

TAGSA will process personal data for the following purposes and legal bases:

Based on the fulfillment of contractual obligations

• For the selection and verification of personnel suitability: we use your personal data to identify the ideal candidate for the offered position, get to know the new collaborator, and verify if the personnel in charge of security functions complies with the regulations established for this purpose.
• For automated business management of clients: we use your personal data for purchases, accounting registration, collections, and payments, through the generation of individualized codes.
• For collection management: we use your personal data to inform you about the collection process and to send or contact you to organize the scheduled payments.
• For the issuance of electronic sales and withholding receipts, as well as invoice validation: we use your personal data to issue invoices for the percentage established in the contract and to verify that the client's information is up to date in the already issued invoices.
• For the issuance of credential requests: we use your personal data to issue documents, airport credentials, and identifications for circulation within airport facilities and for granting driving credentials on platforms.
• For document preparation: we use your personal data to prepare contracts, registration forms, visitor logs, payment certifications, and purchase certifications.
• For due diligence preparation: we use your personal data to conduct client due diligence to ensure they are not involved in illicit activities.
• To report information to Management: we use your personal data to report on the salary situation of workers to Management, in order to verify equity.
• To update our website: we use your personal data to keep our website constantly updated.
• To respond to suggestions and complaints: we use your personal data to provide 24/7 attention to your various requests and to follow up on received suggestions.
• For wheelchair lending: we use your personal data to provide assistance in case you have any type of disability, reduced mobility, or belong to a priority group.
• To report infractions: we use your personal data to control and manage operational safety within the aerodrome.
• To manage contractor activity risks: we use your personal data to know the activity performed by each contractor and the personnel insured with the IESS.
• To provide internet service at the Airport: we will use your personal data to grant you internet access within the Airport; for this, data such as name, surname, and email address will be requested.

Based on compliance with a legal obligation applicable to TAGSA

• To comply with obligations imposed on TAGSA by legal mandate: Personal data of Clients are used to comply with certain legally established obligations. Among others, TAGSA will process Personal Data to prepare reports for public regulatory and control bodies and to comply with obligations established in regulations related to: labor laws, tax laws, commercial code, company law, airport regulations, and current personal data protection regulations, among other applicable and enforceable regulations for TAGSA.

Based on free, informed, unequivocal, and specific consent:

• For data analysis and profiling: TAGSA may process the Client's Personal Data whose processing is explicitly consented to, with the aim of tailoring the Client's experience or service provision with TAGSA as closely as possible to the Client, and to continue using it to analyze acquisition behavior. This includes acquisition behavior analysis and additionally risk analysis for the company in case the client decides to pay in installments and TAGSA must make a decision regarding the approval and execution of a credit in favor of one of our clients.
• For sending commercial communications through any channel: including, but not limited to, electronically, in accordance with applicable regulations, TAGSA will process your Personal Data to maintain contact for the initiation of the commercial relationship, inform and advise you personally, taking into account your interests and specific needs in TAGSA's services. Thus, TAGSA will process the Client's Personal Data to send commercial communications related to products and services, through any means, including electronically, about personalized offers that match your interests. Personalization of commercial communications involves processing personal data to create customer profiles according to their interests, and under no circumstances are profiles used to make automated decisions with legal effects for the data subject.
• To transfer Personal Data to third-party companies: TAGSA may transfer the Client's Personal Data to any other entity with which it establishes collaboration links, cooperation, strategic alliances, or commercial partnerships to ensure the effectiveness of contractual relationships with the Client for risk analysis purposes, as well as for sending commercial information related to products and services for sale. For more details, the categories of recipients who will receive the Client's Personal Data are identified in section six “Personal Data Transfers,” including other entities with which a commercial link is established.

Based on legitimate interest:

• To ensure the security of Web services, information, and the network, as well as their normal operation, TAGSA will process your personal data to ensure the security of information and the network, as well as their normal operation within TAGSA's digital tools.
• For our continuous improvement of services and products, as well as for improving the functionality of our offered services, our organizational operations, and analysis for designing our business strategy (financial, cost, marketing analysis, among others), for which TAGSA has a legitimate interest in processing clients' personal data.

Who can access my personal data?

TAGSA will only share the data subject's personal data with third parties if there is a legal basis for doing so or in all cases where you have given us your consent. It will be understood that there is a legal basis for such communications when a legal norm requires the communication or it is necessary for the provision of the contracted service.

Among these recipients are the following:

• Competent public sector entities and supervisory authorities that have the authority to request information about your data, such as: Directorate General of Civil Aviation, International Civil Aviation Organization, Transportation Security Administration, SRI, Undersecretariat of Special Development Zones, Prosecutor's Office, Guayaquil Airport Authority, Superintendence of Companies, Securities and Insurance, Ecuadorian Social Security Institute, Ministry of Public Health, Municipality of Guayaquil, ECU911, Guayaquil Fire Department, Ministry of Labor, Prosecutor's Office, Superintendence of Personal Data Protection.
• Advisors, internal and external auditors, in compliance with contractual and legal obligations applicable to TAGSA.

If we share your Personal Information, we will ensure that adequate protection exists to safeguard your personal information in accordance with data protection laws.

Finally, we inform you that TAGSA uses the services of third-party companies to provide the services contracted by the Client, for which these third parties may need to access personal data. These service providers may be classified into the following categories: technology and IT service providers, security companies, courier companies, transportation services, system, infrastructure and property management and maintenance companies, logistics services, appraisal services, collection and portfolio recovery services on behalf of third parties, payment media service providers, electronic billing services, auditing and consulting services, banking or financial entities, legal and tax advisory services, advertising and marketing and communication agencies, as well as general professional services. The above list is provided as an example, and TAGSA may use services from companies belonging to other sectors of activity to provide quality services. TAGSA will ensure the proper processing of personal data by these service providers.

Although we primarily process your data within Ecuador, in some situations we will transfer your personal data to some of our service providers located in the United States, Uruguay, Argentina, among others. This means that we will occasionally transfer your personal data to these companies in order to carry out all the activities described in this policy.

Any transfer of your personal data outside Ecuador will be carried out in accordance with current regulations and the provisions issued by the Superintendence of Personal Data Protection.

What rights do I have over my personal data and how can I exercise them?

The Client may exercise the following rights regarding the processing of their personal data:

(a) Request more details about how we use your data.

(b) Request a copy of the personal data you have provided to us in accordance with the guidelines of the LOPDP and its Regulations.

(c) Request updates to any data that has changed or been modified and request the correction of any inaccuracies in the personal data we process in accordance with the guidelines of the LOPDP and its Regulations.

(d) Request the deletion of any personal data for which we no longer have a legal basis to use.

(e) When processing is based on consent, withdraw your consent so that we stop that specific processing.

(f) Object to any processing based on legitimate interest when: 1) The rights and fundamental freedoms of third parties are not affected, the law allows it, and it does not involve public information, public interest, or data whose processing is mandated by law. 2) The processing of personal data is for direct marketing purposes; the data subject has the right to object at any time to the processing of personal data concerning them, including profiling; in which case personal data will no longer be processed for such purposes. 3) When consent is not required due to the presence of a legitimate interest, as provided in Article 7, and justified in a specific personal situation of the Client, provided that no law states otherwise, unless our reasons for carrying out such processing outweigh any harm to your data protection rights.

(g) Suspend the processing of your data in the following situations: 1) When the Client challenges the accuracy of the personal data, while the data controller verifies the accuracy; 2) The processing is unlawful and the data subject opposes the deletion of personal data and instead requests the restriction of its use; 3) The controller no longer needs the personal data for processing purposes, but the data subject requires it for the formulation, exercise, or defense of claims; and, 4) When the data subject has objected to the processing under Article 31 of the LOPDP, while it is verified whether the legitimate reasons of the controller prevail over those of the data subject.

(h) Request the portability of your data in a compatible, updated, structured, common, interoperable, and machine-readable format, preserving its characteristics; or request its transmission to other controllers in accordance with the guidelines of the LOPDP and its Regulations.

(i) Not be subject to fully or partially automated decisions, including profiling, that produce legal effects or affect your fundamental rights and freedoms.

The exercise of these rights is subject to certain exceptions, in some cases established in the LOPDP and its Regulations, to safeguard the public interest (e.g., preventing or detecting unlawful acts) and TAGSA's interests. If you exercise any of these rights, the legitimacy of the request will be verified and you will receive a response within up to fifteen (15) days.

If you are not satisfied with how your personal information is used or with the response received when exercising your rights, you have the right to file a complaint with the Personal Data Protection Authority through the channels it enables for this purpose.

Likewise, the Client may request the revocation of the consent granted for the processing of their data, without needing to provide justification. However, the withdrawal of consent will not affect data processing carried out while the consent was valid.

To exercise the aforementioned rights or raise any issue related to the processing of your personal data, the Client must contact TAGSA by submitting a request to the Data Protection Officer at TAGSA's headquarters located at Av. De las Américas and Isidro Ayora, José Joaquín de Olmedo International Airport, Corporate Building, first floor, or via email to: pdp@tagsa.aero.

How do you protect my personal data?

Because TAGSA respects your privacy and values your trust, the only people to whom we provide access to your personal data are those who need to use it in order to provide you with our products and/or services, or to carry out other activities described in this Personal Data Protection Notice.

We use technical, organizational, administrative, and legal security measures to protect the security, confidentiality, integrity, and availability of your personal data. These measures have been implemented to protect your Personal Information against unauthorized access, disclosure, use, and modification, and are reviewed and tested periodically.

Who oversees or monitors compliance?

The Client may file a complaint with the Superintendence of Personal Data Protection through the channels it has enabled for this purpose.

How long will we retain your data?

TAGSA considers different retention periods depending on the type of personal data processing and the regulation that governs it.

Personal data will be retained as long as necessary for the offer or provision of the service, to fulfill any of the processing purposes indicated in this document, or until the Client withdraws their consent. When consent is withdrawn, the data will be deleted, which implies its blocking, unless there is a legal obligation to retain it.

To determine the retention period based on legal obligation, for example but not limited to: data provided for billing management must be retained for at least 7 years according to the Internal Tax Regime Law.

On our digital channels, websites, or mobile applications, additional retention periods may be determined in the Cookie Policies, which we encourage you to review individually.

Once these periods have expired, processing will cease and proceed in accordance with the provisions of the LOPDP and its Regulations.

When does this policy take effect?

This Policy was originally approved at the Board of Directors meeting held on August 2, 2023, for immediate implementation. To ensure it is known by members of the organization, the legal representative is authorized to establish the most appropriate means for its internal dissemination. In any case, the Policy must be available to clients and suppliers, who may request its delivery through the channel established for this purpose, without prejudice to its publication on the institutional or corporate website.

When is this policy updated?

To check any modifications to this Comprehensive Privacy Notice, we recommend visiting our website frequently in the Privacy Notice section.

Last update: October 2024.

If you are not interested in receiving communications with offers of TAGSA products and services, you may withdraw your consent through the previously mentioned channels.