A. Identification and domicile of the person resposible

Pursuant to the Federal Law on Protection of Personal Data Held by Individuals (hereinafter, the "LFPD"), and the remaining applicable provisions, Bello, Gallardo, Bonequi y García, S. C. (hereinafter, the "Data Comptroller"), with registered office for service of process in Agustín Manuel Chávez, número 1-001, Centro de Ciudad de Santa Fe, Zip Code: 01210, Mexico City, Mexico, hereby expressly informs you:

B. Personal Data Collected and Submitted to Processing

For the development of the purposes described in this Privacy Notice, we gather the following categories of personal data:

• Identification data;
• Personal data;
• Academic and prefessional data;
• Employment details;
• Economic, financial, and insurance data;
• Biometric data; and
• Sensitive personal data (health).

The personal data of third parties you provide to the Data Controller for complying with the identified purposes (for example, familiar data) must be provided after you have informed the third parties of the existence of the processing of their personal data and the content of this Privacy Notice.

C. Sensitive personal data processing.

In order to comply with the applicable legislation in Social Security matters, the Data Controller must gather personal data deemed as sensitive by the applicable legislation, more specifically, those regarding your current and future health condition. Therefore, we request your expressed and written consent for the process of such data:

I consent that the Data Controller processes my sensitive personal data for the purposes described in this Privacy Notice.

D. Processing purposes.

a) Original and necessary purposes

• Personnel management, control, and administration, including training and development.
• Employee file management.
• Employee incident and disability management.
• Personnel payroll management, controll, and administration.
• Work benefit, wage, and allowance management, control, and administration.
• Computing asset and electronic communication documentation and control.
• Institutional email address creation and profile assignation in the Data Controller systems.
• Work tool, key, and password assignation.
• Communication of the corporate, work, and administrative information related to the Data Controller.
• Communication of the instructions related to their work team or position.
• Result measurement through the procedures established by the Data Controller.
• Assurance of the procedures established by the Data Controller.
• Assurance of the compliance of the confidentiality, honor, and transparency obligations, through the implementation of administrative and technical procedures established by the Data Controller for such matters.
• Personal and work reference verification.
• Contact with their relatives and/or economic dependants in case of emergency.
• Historical records and statistics of the employees.

b) Additional purposes

• Communication of activities and events related to our personnel, in order to promote and improve the integration of the Data Controller collaborators.
• Communication of non-working activities to promote activities benefiting the Data Controller personnel and community.

E. Personal data transfers

Your personal data may be transferred to and processed by persons other than the Data Controller in the following cases:

• Controlling companies, subsidiaries, or affiliates of the Data Controller, or to a parent company; for centralized safeguarding of information, control of registrations and cancellations, changes related to their agreement, and the performance of statistical functions and historical record of customers.
• Governmental authorities, agencies, or entities in compliance with the obligations set forth in the applicable legislation and/or in compliance with requirements made by them.
• Insurance companies and agents with which the employee has a legal relationship; for the processing of requests, programs, reports, reimbursements, or accidents requested or authorized by the partners.
• Financial or banking institutionspointed by the partner for the payment of wages, benefits, and other work allowances.

F. Personal data transfers. Consent.

According to LFPD, Article 37, your consent is not required to carry out the transfers indicated in the numerals of the section above. If necessary, we will ask for your consent in order to transfer your data to possible business partners.

In all the other cases, your personal data will not be transferred to third parties without your consent, except on the cases set forth in LFPD, Article 37 and it will be done complying with the conditions set forth in LFPD, Article 17.

H. Consent revocation

You may revoke your consent to the processing of your personal data, without any retroactive effect, if such revocation does not imply the impossibility of complying with obligations arising from a legal relationship in force between you and the Data Controller.

The procedure for the revocation of consent will be the same as the procedure established in the section above for the exercise of ARCO rights, if applicable.

G. ARCO rights exercise

In all legally proceeding cases, you may exercise your rights to Access, Rectify, Cancel, and Oppose (ARCO) through the procedures that we have implemented.

The relevant request must fulfill all the requirements established in the current legislation, through a written notice addressed to our Personal Data Area, to the domicile indicated in this Notice, Item A.

The request must contain and be accompanied by the following:

• Your name and domicile or another mean to inform you the response to your request;
• The documents proving your identity or, when applicable, the legal representation;
• The clear and precise description of the ARCO Rights that you want to exercise; and
• Any other element or document that facilitates the localization of the personal data.

The Data Controller will inform you of the decision taken within a maximum of 20 (twenty) business days from the date it receives the relevant request. If the request is applicable, it will be effective within fifteen business days from the date on which the Data Controller communicates the response. In case the information provided in your request is incorrect or insufficient, or the necessary documents to prove your identity or the corresponding legal representation are not attached, the Data Controller, within five business days following the receipt of your request, will require the amendment of the deficiencies in order to be able to process it. In these cases, you will have ten business days to respond to the request for amendment, counted from the day after you have received this request. The request will be deemed as not filed if you do not respond within that period.

Alternatively, you may direct your request through our Personal Data Area to the email address datospersonales@bgbg.mx, in compliance with all the requirements previously numbered, established as Subject of the communication "ARCO Rights and/or consent withdrawal." The procedure terms will be the same as the ones mentioned in this section. The use of electronic means for the exercise of ARCO Rights authorizes the Data Controller to respond to the relevant request through the same means unless the owner clearly and expressly points out another means.

You may obtain the requested information or personal data through uncertified copies, electronic documents in conventional formats (Word, PDF, etc.), or through any legitimate means guaranteeing and accrediting the effective exercise of the requested right.

You will be responsible for keeping updated your personal data in possession of the Data Controller. Therefore, you guarantee and are responsible, in any case, for the truthfulness, accuracy, validity, and authenticity of the personal data provided and undertake to keep them duly updated, communicating any changes to the Data Controller.

J. Amendments or Updates to this Comprehensive Privacy Notice

The Data Controller may modify, update, extend, or otherwise change the content and scope of this Privacy Notice at any time and at its complete discretion. In such cases, we will post those changes on the website www.bgbg.mx, Section "Privacy Notices". Changes to this Privacy Notice may also be communicated by email when such means had been established as a communication channel between you and the Data Controller during the term of the legal relationship.

I. Limitations on the Use and Disclosure of your Personal Information

You may limit the use or disclosure of your personal data by addressing the relevant request to our Personal Data Area. The requirements for proving your identity, as well as the procedure for handling your request, will be the same requirements indicated in section "Exercise of ARCO rights".

The Data Controller has the means and procedures to ensure the inclusion of some of your data in its own exclusion lists when you expressly request their inclusion in them. The Data Controller will grant the relevant registration certificate to the registered owners.