PRIVACY NOTICE

In order to protect personal data, R&G Espinosa International-Adjusters Ajustadora de Siniestros has designed this policy to guarantee the exercise of the right to personal data protection, which includes access to and decision on information and data of this nature, as well as its corresponding protection. This is in accordance with the provisions of Article 12 of the Organic Law on the Protection of Personal Data.

It must also implement a process of verification, evaluation and continuous assessment for the effectiveness of the technical, organizational and any other measures implemented in order to guarantee and improve the security of the processing of personal data.

• Personal Data Security

The personal data controller or processor must demonstrate that the measures adopted and implemented adequately mitigate the risks identified.

Other measures may include:

1) Measures for the anonymization, pseudonymization or encryption of personal data.

2) Measures aimed at maintaining the permanent confidentiality, integrity and availability of the systems and services for the processing of personal data and access to personal data, promptly in the event of incidents.

3) Measures aimed at improving technical, physical, administrative, and legal residence.

4) Personal data controllers and processors may adhere to international standards for adequate risk management focused on the protection of rights and freedoms, as well as for the implementation and management of information security systems or codes of conduct recognized and authorized by the Personal Data Protection Authority.

In addition, the Personal Data Protection Authority will establish other types of processing operations that require a data protection impact assessment. The impact assessment must also be carried out prior to the start of the processing of personal data.

• Security breach notification

The data controller must notify the Personal Data Protection Authority and the Telecommunications Regulation and Control Agency of the breach of personal data as soon as possible.

It should be informed  not later than five (5) days after it has become aware of it, unless it is unlikely that such a breach of security would constitute a risk to the rights and freedoms of individuals.

If the notification to the Data Protection Authority does not take place within five (5) days, it must be accompanied by an indication of the reasons for the delay. The data processor must notify the data controller of any breach of the security of personal data as soon as possible, and at the latest within two (2) days from the date on which it becomes aware of it.

• Guarantee of the secrecy of communications and security of personal data

Ensuring the secrecy of communications and the security of personal data is critical in today's digital world. This means that all information shared , whether through messages, emails, or any other form of communication, must be protected and kept private.

Therefore, our company has implemented security measures to ensure that the data of all our customers is safe from unauthorized access. This can include the use of encryption, clear privacy policies, and robust security protocols.

Minor breaches by the Data Controller

The following are considered minor breaches:

1) Not processing, processing after the established term or unjustifiably denying the requests or complaints made by the data subject.

2) Failing to implement data protection from the design and by default.

3) Failing to maintain personal data protection policies consistent with the processing of personal data.

4) Choosing a personal data processor that does not offer sufficient guarantees to ensure the exercise of the right to personal data protection.

5) Failing to comply with the corrective measures ordered by the Personal Data Protection Authority.

Serious breaches by the Data Controller

The following are considered serious breaches:

1) Failing to implement administrative, technical and physical, organizational and legal measures to guarantee the processing of personal data carried out in accordance with this law, its regulations, guidelines, guides and rules issued by the Personal Data Protection Authority and regulations on the matter.

2) Using information or data for purposes other than those declared.

3) Transferring or communicating personal data without complying with the requirements and procedures established in this law and its regulations, guidelines, guides and rules issued by the Personal Data Protection Authority and regulations on the matter.

4) Not using risk analysis and management methodologies adapted to the nature of the personal data, the particularities of the processing and the parties involved.

5) Not carrying out impact assessments of data processing in cases where it was necessary to carry them out.

Finally, the personal data controller or processor, as the case may be, must be subject to the principle of personal data security, for which it must take into account the categories and volume of personal data, the state of the art, best practices of comprehensive security and the costs of application according to the nature,  scope, context and purposes of the processing, as well as identifying the likelihood of risks.

How to raise your claims

For your knowledge, you are entitled to express any disagreement related to your right to the protection of personal data. You are entitled to resort to:

The Superintendence of Personal Data Protection is responsible for the processing of personal data with the following contact details:

Identity: R&G Espinosa International-Adjusters Ajustadora de Siniestros C.ltda.

Who can you contact at R&G Espinosa International-Adjusters Ajustadora de Siniestros?

To resolve any inquiries about this topic, you can contact:

Email: normatividad@rygespinosa.com and ecuadorclaims@rygespinosa.com

Phone No: +593 9 9991 5443

Address: Av. Shyris y Suecia, Edificio Iqon Oficina 326, Quito, Ecuador

Sincerely,

R&G Espinosa International Adjusters