I. INTRODUCTION
At COFIMAR S.A. (hereinafter "THE COMPANY" or "COFIMAR"), we recognize the importance of privacy and the protection of personal data as a fundamental right. In an environment where digitization and information processing are an essential part of our operations, we are committed to ensuring that personal data under our responsibility are managed with the highest standards of security, legality and transparency.
This Personal Data Protection Policy establishes the principles and guidelines that govern the treatment of personal information in COFIMAR, in strict compliance with the Organic Law for the Protection of Personal Data (LOPDP) of Ecuador and its complementary regulations. Our commitment goes beyond legal compliance: we seek to generate confidence in our customers, collaborators, suppliers and other interested parties through the responsible use of their data.
This policy is mandatory for all COFIMAR personnel, as well as for third parties who, in the development of their activities, access personal data under our responsibility. Through its compliance, we reaffirm our commitment to the protection of information and privacy of individuals.
II. OBJECTIVE
The purpose of this policy is to disseminate the security rules that affect COFIMAR personnel, in the performance of their duties, and the consequences that may be incurred in case of non-compliance in terms of personal data security.
Likewise, it is intended to establish the common principles and guidelines for action that should govern COFIMAR in matters of personal data protection, ensuring in all cases compliance with the applicable legislation, with the firm will to guarantee the right to data protection of all individuals subject to processing in COFIMAR, thus ensuring respect for the right to honor and privacy of data subjects.
The following are the general aspects of the regulations in force regarding the protection of personal data that are directly related to those jobs within the structure of THE COMPANY that may have direct or accessory access to personal data, and therefore must follow and respect a series of guidelines and procedures. In short, through this policy we intend to convey basic knowledge about data protection and confidentiality of information, and to awaken interest in this regulation among all collaborators, since respecting the precepts included in the regulation is the responsibility of all the members of COFIMAR.
General objectives of COFIMAR's security policy:
- Ensure confidentiality, integrity and availability of information.
- Comply with all applicable legal requirements.
- Train and raise awareness of information security and personal data protection among all employees, so that all employees are informed of their security and continuity roles and obligations, and are responsible for complying with them.
- Proper management of all incidents that occur.
- That all information processing related to the business processes indicated in the scope is carried out in a secure manner, and only by authorized personnel.
- To guarantee the commitment of the Management of THE COMPANY to information security. The Management is committed to the long-term success of this security policy, and to this end will provide the human, technological and economic resources necessary for its efficient operation and effective maintenance.
III. SCOPE
The scope of the present policy includes all personal data processing activities carried out by COFIMAR S.A.
This policy shall be of mandatory application to all areas and processes of the aforementioned companies, without exception, since any business unit may be involved in the processing of personal data.
Therefore, this policy shall be mandatory for managers, employees, collaborators, suppliers and third parties who, due to their relationship with THE COMPANY, have access to personal data or participate in its processing.
THE COMPANY mentioned above undertakes to implement this policy within its specific responsibilities, ensuring its uniform application in all its operations.
IV. REGULATORY FRAMEWORK
This document is based on the following regulations:
- Organic Law on Personal Data Protection (LOPDP): Ecuadorian legislation that regulates the protection and processing of personal data, establishing rights for the owners and obligations for those responsible and in charge of data processing.
- General Regulations of the Organic Law on Personal Data Protection: complements and details the provisions of the LOPDP, providing specific guidelines on the handling, communication and security of personal data in Ecuador.
- Other applicable regulations on personal data protection and information security.
V. DEFINITIONS
In order to facilitate the understanding and effective application of this personal data protection policy, the essential terms that will govern its interpretation and execution are defined:
- Consent: prior, explicit and informed authorization granted by the holder for the processing of his personal data.
- Personal Data: information linked or associated to an identified or identifiable natural person, such as names, identification numbers, address, financial data, among others.
- Sensitive Data: information with a high degree of privacy that, in case of improper treatment, could generate discrimination or violations of fundamental rights. They include data related to racial or ethnic origin, religious or philosophical beliefs, political affiliations, health, sexual orientation, sexual life and biometric data.
- Data Protection Delegate: person designated to advise the controller or processor on its legal obligations regarding data protection. Supervises regulatory compliance and acts as a point of contact with the Personal Data Protection Authority.
- Processor (in charge of the processing of personal data): natural or legal person, public or private entity, who carries out personal data processing operations on behalf of and under the instructions of the controller.
- Claims: requests submitted by owners to correct, update or delete personal data, as well as complaints related to non-compliance with the obligations established in the Organic Law for the Protection of Personal Data (LOPDP).
- Controller (responsible for the treatment): natural or legal person, public or private, who determines the purposes and means of the processing of personal data.
- Personal data subject: natural person whose personal data is processed by the organization.
- Processing of personal data: any operation performed on personal data, which may include the collection, storage, organization, use, modification, transfer, communication, disclosure, deletion or any other lawful use of such information.
- Personal Data Protection Authority: Body in charge of supervising and guaranteeing the protection of citizens' personal data, ensuring compliance with the principles, rights and procedures established by the Organic Law on Personal Data Protection.
VI. PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
Name of the person in charge of the treatment: COFIMAR S.A.
RUC: 0991329331001
Address: Km 10.5 Via Daule. Inmaconsa Industrial Park - Eucalyptus between Cedros and Teca. Guayaquil - Ecuador.
Mail: protecciondedatos@cofimar.com.ec
VII. PERSONAL DATA PROTECTION OFFICER
Name of Delegate: Jefferson Quinde Gonzabay
Address: Km 10.5 Via Daule. Inmaconsa Industrial Park - Eucalyptus between Cedros and Teca. Guayaquil - Ecuador.
Mail: jquindeg@cofimar.com.ec
DATA COLLECTED BY COFIMAR
COFIMAR collects the following personal data:
Identification data:
- First and last names.
- Identity card.
- Home address.
- Telephone number.
- E-mail.
- Signature.
Employment data:
- Position.
- Date of entry.
- Work history.
- Performance evaluations.
- Academic background.
- Personal references.
Bank details:
- Account number.
- Bank certificates.
- Remuneration.
- Social benefits.
Sensitive data:
- Medical information related to occupational health certificates, disability or medical conditions relevant to the employment relationship.
- Fingerprint and/or facial recognition.
Other personal information:
- Geolocation.
- Relevant personal data according to the need of the activities in COFIMAR.
VIII. PURPOSE OF THE PROCESSING OF DATA COLLECTED BY COFIMAR
THE COMPANY carries out the processing of personal data of employees, customers and suppliers through automated and non-automated means, such as email servers, computer applications and paper documentation, among others. In order to comply with this point, the following purposes have been identified by stakeholder group.
EMPLOYEE CANDIDATES:
- Manage your application in current and/or future selection and recruitment processes according to the vacancies available in COFIMAR, through the different search channels.
- Evaluate your professional resume according to the profile requested in COFIMAR's requirement.
- Verify that the information provided in your resume is authentic, including the review of public sources, such as judicial/criminal records, in addition to employment references, for the position for which you are applying, in accordance with current regulations.
- Create and maintain digital and/or physical files with your personal information for candidate database management purposes.
- Contact candidates, both selected and unsuccessful, to inform the status of the selection process through the established communication channels.
- Retain your personal data (resume) for a maximum period of two (2) months in the case of administrative personnel (leadership, management), in order to consider you for future vacancies.
- Keep your personal data (resume) for a maximum period of one (1) month in the case of operational personnel, in order to consider it in future vacancies.
COLLABORATORS:
- Manage the labor relationship with the collaborator, which includes hiring processes and compliance with contractual obligations.
- Manage the social benefits offered by the company to the employee and, when applicable, to their dependents (such as spouse, children and people with disabilities), including medical insurance, and provide support to health and social security service providers that are managed by the company for the benefit of the personnel.
- Comply with the obligations regarding occupational health and safety, as established by the Ministry of Labor, IESS and other applicable regulations.
- To control compliance with schedules and attendance (entry and exit), and to facilitate internal audits, through the use of biometric identification systems such as fingerprint and/or facial recognition.
- Coordinate internal activities such as social benefits (invitations that may be extended to family members and children at the employee's place of work), internal and external training, corporate programs, compliance awards and organizational communications.
- To store and conserve personal data (in the event that family members visit the company's facilities) during the term of the employment relationship and the time necessary thereafter for the fulfillment of legal or contractual obligations, as well as to transfer them to third parties, inside or outside the country, when necessary and when adequate data protection is guaranteed.
SUPPLIERS:
- Maintain updated and complete information of natural persons who are or wish to be suppliers, in order to manage the contracting processes, make payments for the services offered and ensure the continuity of the business relationship.
- Use suppliers' contact data to manage communications related to orders, deliveries, contractual changes, requests for additional information and other activities related to the fulfillment of the contractual relationship and commercial agreements.
- Evaluate the suitability and performance of suppliers through background analysis, verification of compliance with legal requirements including anti-money laundering and anti-terrorist financing regulations, as well as keeping updated records on the evolution of the business relationship.
- Share supplier information with third parties with whom COFIMAR maintains contractual relations, when necessary to fulfill the purposes of the contract and in accordance with the applicable legal provisions.
- Transfer personal data of suppliers, both nationally and internationally, to third parties with whom COFIMAR has data processing contracts, when necessary for the fulfillment of the contractual purpose and in compliance with applicable legal regulations.
- Ensure the proper execution of the services contracted by COFIMAR to suppliers, according to the terms and conditions set forth in the respective contracts or commercial agreements.
- Record through photographs and/or audiovisual recordings the participation of suppliers or their representatives in trainings, workshops or other activities organized by COFIMAR or contracted third parties, for documentary, informative or continuous improvement purposes. Such material may be used in COFIMAR's internal or institutional media.
CUSTOMERS:
- Manage the commercial and contractual relationship with our customers, including order processing, quotation management, purchase orders, delivery logistics, invoicing, product traceability and after-sales service.
- To attend inquiries, requests and information requirements related to our products, export processes, quality certifications and commercial conditions, providing timely and personalized attention.
- Send newsletters, updates on our products, certifications, quality and sustainability standards, as well as relevant news from the aquaculture sector that may be of interest to our national and international clients.
- Coordinate the participation of clients in international trade fairs, commercial events, technical visits and corporate activities, in order to strengthen commercial relations and promote the transparency of our processes.
- To improve our production, commercial and customer service processes, based on the analysis of information gathered in commercial interactions and satisfaction surveys, in order to offer products that meet their needs and expectations.
- To comply with the legal, regulatory, fiscal, sanitary and foreign trade obligations applicable to COFIMAR S.A. as a food producing and exporting company, both nationally and internationally.
- Maintain updated records for internal and external audits, international certifications (such as BRCGS, ASC, HACCP, among others), as well as traceability or control requirements by national or foreign regulatory entities.
- Manage and formalize contracts and processes related to the national and international commercialization of shrimp, including logistical, customs and regulatory validations with clients and competent authorities.
SHAREHOLDERS:
The purposes of the processing of personal data related to shareholders have been defined in accordance with the principles set forth in the Organic Law on Personal Data Protection. Due to their strategic and confidential nature, these purposes are documented in a confidential annex, access to which is strictly limited to authorized areas.
SECURITY CAMERAS:
- COFIMAR processes the images obtained through automated video surveillance systems, in order to ensure the security of the facilities and protect the people who access them, through continuous monitoring and recording of events that may represent a risk to the physical integrity of persons or the safety of property.
- The recordings obtained may be used, if necessary, as evidence in internal or external procedures, such as investigations for security incidents, fraud detection, disciplinary measures or legal proceedings, always in compliance with current personal data protection regulations. The data will be kept for a maximum period of 40 days in PC1 and 60 days in PC2, unless it is necessary to keep them longer to comply with legal obligations or to document relevant facts.
IX. RIGHTS OF THE HOLDERS OF PERSONAL DATA
COFIMAR reaffirms its commitment to the protection and respect for the rights of the holders of personal data, as established in the Organic Law for the Protection of Personal Data (LOPDP) of Ecuador. In order to guarantee the effective exercise of these rights, COFIMAR has developed clear, accessible and secure procedures that allow the owners to manage their data in an appropriate manner.
RIGHT OF ACCESS:
The holders have the right to know whether COFIMAR processes their personal data, as well as to access the information related to its processing, including:
- The purpose of the treatment.
- The origin of the personal data.
- The categories of data processed.
- The recipients or third parties with whom the data has been shared.
Procedure
- The holder must submit a request in writing or by electronic means, proving his identity.
- COFIMAR will respond within a maximum period of 15 working days from receipt of the request.
RIGHT OF RECTIFICATION AND UPDATING:
Holders may request the correction or updating of their personal data in case it is inaccurate or incomplete.
Procedure
- Submit a request with documentation supporting the correction or update.
- COFIMAR will verify the information and update the records within a maximum period of 15 working days, notifying the holder of the changes.
RIGHT OF REMOVAL
Data subjects may request the deletion of their personal data in the following cases:
- When the treatment is contrary to current regulations.
- If the data is no longer necessary for the purposes for which it was collected.
- When the established conservation period has expired.
Exceptions
This right may be limited in cases where:
- There is a legal obligation to retain the data.
- The deletion would affect ongoing administrative, legal or regulatory processes.
- The information is required to safeguard vital interests of the holder or third parties.
RIGHT OF OPPOSITION
The holder may object to the processing of his personal data when:
- He does not want his data to be used for specific purposes.
- He considers that the processing may affect his fundamental rights.
Procedure
- Submit a written request with the justification for the opposition.
- COFIMAR will analyze the viability of the request and issue a response within 15 working days.
RIGHT TO PORTABILITY
The holder has the right to receive his personal data in a structured and commonly used format, in order to be able to transfer it to another data controller.
Procedure
- Submit a request specifying the desired delivery format.
- COFIMAR will provide the data within 15 working days, using secure means of transfer.
THE RIGHT NOT TO BE SUBJECTED TO AUTOMATED INDIVIDUALIZED DECISION-MAKING
Data subjects have the right not to be subject to decisions based solely on automated processing, which produce legal effects or significantly affect them, except in the following cases:
- When necessary for the execution of a contract.
- When the owner has given his explicit consent.
- When permitted by current regulations.
Guarantee Measures
In case COFIMAR uses automated systems for decision making, it shall guarantee:
- Transparency on the criteria used.
- Possibility of human intervention to review the decision.
RIGHT TO DIGITAL EDUCATION
COFIMAR recognizes the importance of digital education as a fundamental pillar for the responsible use of personal data. In this sense, it is committed to:
- Promote awareness of the secure and responsible use of personal data.
- Provide clear and accessible information on the risks associated with the use of digital technologies.
- Implement internal campaigns and training on personal data protection and digital privacy.
RIGHTS OF CHILDREN AND ADOLESCENTS
The processing of personal data of minors will only be carried out under the following conditions:
- Express consent of the legal representative.
- Prohibition of the processing of sensitive data, except in cases of essential public interest.
- Special protective measures to ensure the safety and privacy of the child.
X. REQUESTS, PETITIONS, COMPLAINTS AND CLAIMS MANAGEMENT (RPQR)
THE COMPANY guarantees the right of holders of personal data to submit Requests, Petitions, Complaints and Claims (RPQR) related to the processing of their personal information. The RPQR management process is designed to ensure that all cases are handled efficiently, in accordance with current regulations and with respect for the rights of the holders of personal data.
RECEPTION AND SUBMISSION OF APPLICATIONS
RPQR requests must be submitted in a clear and accurate manner, including the following information:
- Applicant's personal data: full name, identification (ID card or passport) and contact information (address or e-mail).
- Description of the request: specifically indicate the type of request (access, rectification, cancellation or opposition). Include details about the personal data involved (if applicable).
- Complementary documentation: if necessary, a copy of the applicant's or legal representative's identification documents must be attached.
Channels available for the submission of applications:
- In person at our offices: Km 10.5 Via Daule. Parque Industrial Inmaconsa - Eucalyptus between Cedros and Teca.
- E-mail: protecciondedatos@cofimar.com.ec
- Web portal: www.cofimar.ec
RESPONSIBILITY IN THE MANAGEMENT OF RPQR
THE COMPANY will designate a person responsible for the management of applications who will have the following functions:
- Receipt and validation of applications, ensuring that the established requirements are met.
- Registration and follow-up of each request, ensuring that they are dealt with according to type and urgency.
- Communication with the holder: The holder will be informed of the receipt of his request and the status of its processing within the corresponding deadlines.
- Resolution of the request: The person in charge shall ensure that a solution is provided within the established legal deadlines, or shall notify any delay together with the reasons.
RESPONSE AND RESOLUTION TIMES
THE COMPANY undertakes to respond to all requests within the following deadlines:
- Standard deadline: The response will be delivered within a maximum of 15 working days from receipt of the request.
- Extended deadline: In complex cases, if more time is required to investigate or resolve the application, the applicant will be notified and the new estimated resolution deadline will be indicated.
EXCEPTIONS AND RESTRICTIONS
There are exceptional situations in which THE COMPANY may not be able to fulfill certain requests. This may occur when:
- The fulfillment of the request violates other regulations or third party rights.
- There is a legal or technical limitation to provide access or rectification of the data.
In such cases, THE COMPANY will inform the holder about the reasons for the refusal and the possible additional actions that could be taken.
NATIONAL AND INTERNATIONAL DATA TRANSFERS
THE COMPANY may transfer personal data to third parties within or outside the country, always guaranteeing the protection of the rights of the owners and complying with the Organic Law on Personal Data Protection (LOPDP).
When the transfer is international, THE COMPANY will verify that the country of destination has adequate data protection regulations or, failing that, will establish contractual guarantees to ensure compliance with the principles of security, confidentiality and legality.
Any transfer of data must comply with the following criteria:
- Legitimate purpose: Data will only be transferred for permitted purposes and in accordance with this policy.
- Security and confidentiality: Measures will be implemented to protect information against unauthorized access.
- Transfer agreements: In case of sharing data with third parties, agreements will be signed to ensure compliance with regulations.
- Data subjects' rights: It shall be ensured that data subjects may exercise their rights over their personal data, even if such data is transferred outside the country.
- The consent of the owner will not be necessary when the transfer is made under exceptions allowed by the LOPDP, such as compliance with contractual obligations or legal requirements.
THE COMPANY will monitor these transfers to ensure proper compliance and protect the privacy of the owners.
XI. SECURITY BREACH NOTIFICATION
THE COMPANY is committed to the protection of personal data and has implemented technical, organizational and administrative measures to prevent unauthorized access, loss, alteration or any other incident that may compromise the security of the information.
In the event of a security breach affecting personal data, THE COMPANY will activate its Security Incident Management Procedure, which includes:
- Incident detection and analysis: Identification of the impact and scope of the breach.
- Containment and mitigation measures: Immediate actions to reduce risk and prevent further damage.
- Notification to the Data Protection Authority: If the breach represents a risk to the rights of data subjects, the competent authority shall be informed within the period established in the regulations.
- Communication to the affected owners: When the breach may generate a significant impact on the owners, THE COMPANY will notify them in due time, indicating:
  - Compromised data.
  - Possible consequences.
  - Measures adopted to mitigate the impact.
  - Actions that holders can take for their protection.
- Recording and evaluation: The incident will be documented and improvements will be implemented to strengthen security.
Exceptions to the notification shall be subject to the provisions of the LOPDP, including requests from competent authorities in the framework of investigations or legal proceedings.
THE COMPANY will periodically review and update its security controls to minimize risks and ensure the protection of personal data.
XII. TIME OF CONSERVATION OF PERSONAL DATA
THE COMPANY will keep personal data only for the time necessary to fulfill the specific purposes for which they were collected, in accordance with the provisions of Article 10 of the Organic Law on Personal Data Protection and its regulations.
The retention period may be determined by:
- Applicable legal obligations, such as labor, tax, commercial, corporate and social security regulations, among others.
- Contractual requirements, when the data processing is linked to the execution of contracts with customers, suppliers or collaborators.
- Legitimate interest, provided that the holder's fundamental rights and freedoms are not violated.
- Recommendations from data protection authorities, in the absence of specific regulation (e.g. 2 years to keep resumes after receipt).
Once the relevant period has expired, the data will be deleted, anonymized or securely archived, unless there is a legal obligation to retain it for an additional period of time.
THE COMPANY maintains an inventory of retention periods differentiated by type of processing and category of personal data, which have been defined considering:
- National legislation in force (Commercial Code, Labor Code, Company Law, among others).
- Applicable sector regulations.
- The recommendations of European authorities for treatments that are not specifically regulated.
XIII. UPDATES AND MODIFICATIONS TO THE POLICY
This Personal Data Protection Policy is effective as of July 1, 2025 and will remain active as long as COFIMAR continues to carry out personal data processing activities with stakeholders identified as collaborators, customers, suppliers, among others.
The policy may be reviewed at least once a year or whenever it is considered relevant, in order to ensure that it remains aligned with current regulations and international best practices.
XIV. ANNEX
Annex I - PD Protection Policy - Shareholder Purposes