Comprehensive Privacy Notice: Reporting Channel

Bello, Gallardo, Bonequi y García, S.C. ( hereinafter the “Data Controller”) is the Data Controller responsible for the personal data of complainants (when identified upon filing the complaint), the respondent, and any person summoned as a witness or otherwise connected to the facts of the case. The Data Controller designates the following address for service of process and receipt of notifications: Avenida Santa Fe, No. 428, Tower 1, 14th Floor, Cuajimalpa de Morelos Municipality, Postal Code 05300, Mexico City, Mexico.

When processing complaints through institutional channels, the Data Controller may process the following categories or types of personal data: 

• Identifying and contact information.
• Employment data.
• Details regarding the alleged incidents.

Depending on the complaint filed, the Data Controller may process the following categories of personal data, which are not considered essential for filing a complaint:

• Financial and/or asset information.
• Identifying and contact information for the individuals involved in the reported incident.
• Contact information for any witnesses.

The Data Controller will treat complaints submitted through official channels as confidential, as well as the identity of the complainant if the complainant has chosen to disclose it. The relevant department will conduct the necessary investigation.

As a general rule, the Data Controller does not request sensitive personal data when processing complaints through institutional channels. In exceptional cases, the complainant may provide the following information regarding individuals, if it is directly related to the facts being reported:

• Racial or ethnic origin.
• Biometric data.
• Health status.
• Religious, philosophical, or moral beliefs.
• Union membership.
• Political views.
• Sexual preferences and/or habits.

For the purposes set forth in this Privacy Notice, the Data Controller does not collect data from children and adolescents (children are defined as individuals under the age of twelve, and adolescents as individuals who are at least twelve years old but under eighteen). If you provide data regarding minors and the Data Controller determines that you have provided such information, the personal data will be deleted to the extent that such information is not relevant or directly related to the reported facts.

In all cases, the Data Controller will make reasonable efforts to limit the period during which sensitive personal data is processed so that it is kept to the minimum necessary for the purposes of the relevant complaints and investigations.

The Data Controller may process the personal data of complainants (where applicable, as complaints may be submitted anonymously) and of those against whom complaints are filed, provided that such data is provided by the complainant, for the following purposes:

Primary objectives:

1. Management, monitoring, and administration of reports submitted through the institutional channels established by the entity responsible for operating the reporting channel.
2. Review, processing, and investigation of the complaint.
3. Follow-up on complaints submitted through the Reporting Channel. 
4. Management and oversight of communications between the Data Controller and whistleblowers.
5. Management and oversight of communications between the responsible party and individuals connected to or involved in the matters reported by the complainants.
6. Prevent, detect, and correct violations of applicable regulations or the Data Controller’s internal policies.
7. Where applicable, notification to the administrative or judicial authorities responsible for investigating violations or criminal acts brought to the attention of the Data Controller.
8. Statistics and historical record of reports submitted through the Reporting Channel. 

Under no circumstances will personal data that is not necessary for investigating the reported or alleged acts or omissions be processed; such data will be deleted immediately. Likewise, any personal data that may be reported and that relates to conduct not covered by this processing will be deleted.

Secondary purposes: 

• They don't exist.

The Data Controller may share your personal data and transfer it, in accordance with the law and this Privacy Notice, both within and outside of Mexico, in the following cases and for the following purposes:

• Federal, state, and/or municipal government agencies and authorities; commissions; institutes; regulatory bodies; judicial or administrative authorities; and domestic and/or foreign government entities, for the purpose of complying with reporting and transparency obligations and preventing fraud, crimes, or other illegal activities, as well as for complying with judicial or administrative orders issued by competent authorities.

The Law stipulates that the aforementioned data transfers do not require your consent to be carried out, but the Data Controller is required to inform you of them. Any transfer of personal data that requires your consent will be disclosed in advance through this Privacy Notice and prior to the transfer of such data.

The law governs the ARCO rights you have as a data subject. These rights include:

• Access: Your right to know what information we have about you, as well as how we use or share it.
• Correction: Your right to request, at any time, that your data be corrected if, for any reason, it is incorrect, inaccurate, or incomplete in our databases.
• Deletion: the right to request that we delete your information, starting with its blocking and followed by its permanent deletion.
• Objection: Your right to provide a legitimate reason why we should stop using your personal data. 

To exercise any of your ARCO rights, you must submit a request to our Personal Data Department via the following email address: datospersonales@bgbg.mx.

The application must include or be accompanied by:

1. Your full name and address, or another way to contact you regarding the response to your request,
2. A copy of your ID (or a power of attorney, if someone is acting on your behalf),
3. A description of the right you wish to exercise, along with related information, and
4. Any other information you consider important for processing your request or locating your personal data.

Bgbg will respond to your request within 20 (twenty) business days of the date it is submitted and received. If the request is deemed valid, we will process it within 15 (fifteen) business days of the date we notify you of our response. If the information and/or documentation provided in your request is incomplete, incorrect, and/or insufficient, or if the necessary documents to verify your identity or legal representation are not included, we will ask you to correct and remedy these deficiencies so that we may process your request. You will have 10 (ten) business days to comply with the request and correct the application; otherwise, it will be deemed not submitted.

By using electronic means to exercise your ARCO rights, you authorize bgbg to respond to your request via the same means, unless you clearly and explicitly specify another method of contact in your request.

The right to erasure is not absolute. Please note that bgbg must retain certain information to comply with various legal obligations and, in doing so, may share your personal data with other entities or organizations. In such cases, you may need to exercise your right to erasure by contacting the entity that received your personal data.

In some cases, you may withdraw your consent to the processing of your personal data; however, this revocation cannot have retroactive effect; that is, it cannot affect situations, procedures, or transfers carried out prior to the revocation of your consent; nor can it apply in cases where such revocation would result in a breach of general public policy provisions establishing the obligation to continue processing your personal data for a specified period.

You can send a request to revoke your consent to the following email address: datospersonales@bgbg.mx, following the instructions for exercising your ARCO rights.

You may restrict the use or disclosure of your personal data by submitting a request to our Personal Data Department, following the procedure and instructions applicable to the exercise of ARCO rights.

Bgbg has the means and procedures in place to ensure that certain of your data is included in our own opt-out lists, thereby preventing the disclosure of your data. In such cases, we will provide data subjects who request registration with the corresponding proof of registration.

Bgbg reserves the right to modify, update, expand, and/or otherwise change the content and scope of this Privacy Notice at any time and at its sole discretion; in such cases, we will post such changes on the website https://bgbg.mx/, under the Privacy Notices section. At any time, you may request a copy of the latest version of this Privacy Notice from our Personal Data Department via the following email address: datospersonales@bgbg.mx.

The Privacy Notice governing the processing of your personal data is the one published in our Privacy Notices section on the following website: https://bgbg.mx/.

If you have any questions or need clarification regarding this Privacy Notice, please contact our Personal Data Department at the following email address: datospersonales@bgbg.mx.