General Policy for the Protection of Personal Data

General Personal Data Protection Policy

 

This document implements the Personal Data Protection Policy (the “Policy”), which will be mandatory for all workers, suppliers and clients of BMI DEL ECUADOR LIFE INSURANCE COMPANY SA (“BMI ECUADOR”). The Policy establishes the guidelines and principles that will govern BMI ECUADOR in its relationships and processes in which personal data is processed.

 

1.     Aim. –

1.1.      General: BMI ECUADOR's main objective is to comply with the rights, principles and obligations established in the Organic Law on Protection of Personal Data ("LOPDP"), secondary regulations and resolutions issued by the Data Protection Authority. For this reason, it is important to establish the general guidelines by which BMI ECUADOR will use the personal data it accesses as a result of the development of its activities.

 

1.2.     Specifics:

 

1.2.1.   Establish the principles that will guide BMI ECUADOR in the management of the personal data of its clients, workers and/or suppliers.

 

1.2.2.  Establish guidelines to create control mechanisms related to personal data.

 

1.2.3.  Establish the main guidelines for contracting suppliers with a focus on the protection of personal data.

 

1.2.4. Establish guidelines to implement technical, physical and organizational security mechanisms to guarantee the confidentiality and security of personal data.

 

2.       Area of application. –

 

2.1.     The General Personal Data Protection Policy (the “Policy”) is addressed to, and mandatory for, all clients, workers, suppliers, people related to BMI ECUADOR (shareholders and management bodies) and related companies in the processing of the personal data of the Holders.

 

3.    Responsibility in data processing. –

 

3.1.     BMI ECUADOR is responsible for the custody and proper conservation of the registered data; however, responsibility for the veracity and authenticity of the recorded data rests exclusively with the declarant when he or she provides the information.

 

3.2.   In the event of improper processing of Personal Data in the custody of BMI ECUADOR, people affected by false or inaccurate information, or by information disseminated without express authorization from its Owner, will have the right to the corresponding compensation, prior to the exercise of the respective legal action.

 

3.3.   In our criminal legislation, it is considered a violation of privacy when, without prior consent or legal authorization, another person's personal data, data messages, voice, audio and video, postal items, information contained on computer media, or private or reserved communications are accessed, intercepted, examined, retained, recorded, reproduced, disseminated or published by any means.

 

3.4.   If you require more information about this Policy, you can request it by email at postventaec@bmicos.com, at the registered office of BMI ECUADOR or through the customer service telephone line 1800-264-264.

 

4.    Glossary of terms. –

 

The definitions of the LOPDP are taken, especially the following:

 

4.1.    Authorization: Legitimizing basis that allows companies or people responsible or in charge of managing the information to use your personal data.

 

4.2.   Database: Structured set of data regardless of the form, method of creation, storage, organization, type of support, treatment, processing, location or access, centralized, decentralized or distributed functionally or geographically.

 

4.3.   Data Custodian: Role in charge of functionally guaranteeing the implementation of Data Governance. Process Owner: Designation used to identify the person responsible for a process, who must manage the correct execution and continuous improvement of the processes under their responsibility, in order to organize work practices, provide greater satisfaction to internal customers and increase productivity and efficiency, with the support of all participants in the designated process.

 

4.4.  Personal Data: Data that identifies or makes a natural person identifiable, directly or indirectly. For example: name, identity card, address, email, telephone number, marital status, health data, fingerprint, salary, assets, financial statements, among others.

 

4.5.   Sensitive Data: Data related to: ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial past, immigration status, sexual orientation, health, biometric data, genetic data and those whose improper treatment may give rise to discrimination, or that infringe or may infringe fundamental rights and freedoms.

 

4.6.  Treatment Manager: Natural or legal person, public or private, who, alone or in association with others, carries out the Processing of Personal Data on behalf of the Data Controller (BMI ECUADOR), as an ally or supplier. In cases where the Data Controller does not itself act as the manager of the database, the person in charge will be expressly identified.

 

4.7.  Natural person: Individuals capable of exercising rights and contracting obligations.

 

4.8.  Holder: Natural person whose data is the subject of processing.

 

4.9.  Treatment: Any operation or set of operations carried out on personal data, whether by technical procedures of an automated, partially automated or non-automated nature, such as: collection, compilation, obtaining, registration, organization, structuring, conservation, custody, adaptation, modification, elimination, indexing, extraction, consultation, elaboration, use, possession, exploitation, distribution, assignment, communication or transfer, or any other form of enabling access, collation, interconnection, limitation, deletion, destruction and, in general, any use of personal information.

 

5.    Guidelines regarding data collection. –

 

5.1.     In the performance of its activities, BMI ECUADOR must collect, manage, archive and use Data from its employees or collaborators, suppliers, contractors, strategic partners and clients. For this reason, it is important that, prior to obtaining the Personal Data, it has the express authorization of its Owner.

 

5.2.   Authorization of the Owner for the collection, use and transfer of their data

 

5.2.1.  The Owners must grant, prior to the delivery of personal information, express and voluntary authorization for the processing of their Personal Data. BMI ECUADOR may not use information for any purpose that has not been duly authorized by its Owner.

 

5.2.2.      The Authorization for the processing of Personal Data is the express and voluntary consent given by any person so that the companies or people responsible for processing the information can use their personal data.

 

5.2.3.      The formats that BMI ECUADOR prepares to obtain said authorization must contemplate in their text the rights of the Owner mentioned in point 7 of this Policy.

 

5.2.4.     The Authorization of the Owner of the information will not be necessary in the following cases:

 

5.2.4.1.             Order of competent authority.

 

5.2.4.2.            In cases where the information is found in publicly accessible databases.

 

5.3.   Other forms of data collection

 

5.3.1.  The Data may be explicitly provided to BMI ECUADOR through entry or linking formats, collected personally through its employees, service providers or commercial representatives, implicitly collected from market analysis operations, target groups, acquisition of the services that are offered by BMI ECUADOR, or the behavior of the Owners such as complaints, requests for quotes, surveys, proposals, offers, requests for employment, participation in projects, programs, events, etc. However, in order for these data to be used for other purposes or transferred, the express authorization of the Owner is necessary.

 

6.    Principles of Personal Data Processing. –

 

6.1.     The principles that govern this policy and the processing of personal data carried out by BMI ECUADOR are the following:

 

6.1.1. Loyalty

 

6.1.1.1.   Personal data will be collected in a fair and lawful manner for one or more specific purposes informed to the data subject. BMI ECUADOR may use any legitimizing basis that is applicable for the processing of personal data.

 

6.1.1.2.  As far as possible, personal data that are considered sensitive such as ethnicity, sexual orientation, philosophical and political convictions, and gender ideology will not be processed. In the event that BMI ECUADOR requires sensitive data, it will do so in cases where the law orders it or it has express authorization from the owner of the personal data. In the case of health data, especially and not limited to worker data, these will be treated in accordance with the provisions of the corresponding labor regulations.

 

6.1.1.3.  The collection or compilation of personal data will be carried out by informing the owner of the data of the type of data, conservation time, basis of treatment and all the requirements established in the LOPDP.

 

6.1.1.4. The data owner will be responsible for providing accurate and correct data. BMI ECUADOR may carry out the update or request their update.

 

6.1.1.5.  BMI ECUADOR will not acquire personal data or databases that do not have the corresponding legitimation mechanisms, nor will it transfer the data to third party recipients without having the corresponding authorization or legitimating basis.

 

6.1.2.    Transparency

 

6.1.2.1.  The processing of personal data will be transparent with respect to the owner thereof. BMI ECUADOR will therefore inform and communicate to the Owners of the personal data, in a clear and simple manner, everything that they need to know regarding the processing of their personal data. BMI ECUADOR will inform the owner of the data through the policy and the documents available in the offices, warehouses, websites and/or locations managed and owned by BMI ECUADOR, as well as through campaigns, contracts, clauses and documents prepared by BMI ECUADOR for this purpose.

 

6.1.2.2.              BMI ECUADOR guarantees that the Owners of personal data can exercise their rights, making available different channels through which the owner can submit the corresponding requests.

 

6.1.3.    Purpose

 

6.1.3.1.  BMI ECUADOR will inform the owner of the personal data of the purposes for which the personal data have been collected and will be processed. The purposes will be determined and specific according to the legitimizing basis with which the data was collected.

 

6.1.4.   Minimization and Proportionality

 

6.1.4.1. BMI ECUADOR will process the personal data that is necessary for the purposes informed to the owner of the personal data. Excessive data, or data that is not necessary for a previously established purpose, will not be collected. If there is excessive data, BMI ECUADOR will proceed to delete or eliminate it from its databases.

 

6.1.5.    Confidentiality

 

6.1.5.1.  BMI ECUADOR will make the best efforts to guarantee the confidentiality of personal data. BMI ECUADOR will adapt the technology and processes, technically and economically viable, to guarantee the confidentiality, availability and integrity of personal data, limiting as much as possible third parties who do not have the right to access personal data. BMI ECUADOR will not transfer personal data to third party recipients without authorization or the corresponding legitimizing basis.

 

6.1.6.    Security

 

6.1.6.1. BMI ECUADOR will adopt the security measures that are necessary to guarantee the confidentiality of personal data, taking into consideration the type of personal data to be processed and whether the measures are technically and economically viable.

 

6.1.6.2.             All suppliers and clients of BMI ECUADOR with whom personal data is shared must prove the implementation of security measures that guarantee the protection of personal data.

 

6.1.7.    Conservation

 

6.1.7.1. BMI ECUADOR will keep personal data in accordance with the purposes for which they were provided by the owner or in accordance with the provisions of the different legitimizing bases. Once the retention period has expired, BMI ECUADOR will delete or eliminate the data from its systems.

 

6.1.7.2.             BMI ECUADOR may anonymize the data if it considers it necessary. The anonymized data may be freely used by BMI ECUADOR.

 

6.1.8.    Proactive and Demonstrated Responsibility

 

6.1.8.1. BMI ECUADOR will obtain the necessary and corresponding means of verification to demonstrate compliance with the Personal Data Protection Law. If necessary or at the discretion of BMI ECUADOR, the corresponding certifications will be obtained.

 

6.1.8.2.             If required and in accordance with the corresponding regulations, BMI ECUADOR may have a data protection delegate (“DPO”), who will be responsible for generating the personal data compliance program, obtaining the corresponding means of verification, obtaining the necessary certifications and communicating with the Data Protection Authority.

 

6.1.9.    Data sensitivity

 

6.1.9.1. The Data Custodian will be responsible for defining the data that can be classified as “Sensitive Data” within the legal basis, considering the following summary:

 

Type of data: Personal data

Description: Data that identifies or makes identifiable a natural person, directly or indirectly, in the present or future. Includes harmless data, metadata or fragments of data that identify or make identifiable a human being.

Preventive measure: In addition to sharing this data by secure, encrypted means, it is suggested to anonymize direct identifiers such as CI and full name (for example, only name 1 and last name 1) when sharing with third parties (deliver only the data strictly necessary).

 

Type of data: Personal credit data

Description: Data that makes up the credit behavior (card), financial behavior (account) and ability to pay of natural persons.

Preventive measure: If we hold this type of information, it should only come from financial institutions and/or credit bureaus or authorized mechanisms. When sharing, we must avoid sharing data that would allow the “payment capacity” of a natural person to be reconstructed, as well as transferring data that facilitates online transactions (for example, CVC).

 

Type of data: Sensitive data

Description: Data related to ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial past, immigration status, sexual orientation, health, biometric data, genetic data, and all those whose improper treatment may give rise to discrimination, or that infringe or may infringe human rights or the dignity and integrity of people.

Preventive measure: In addition to sharing this data by secure, encrypted means, it is suggested to anonymize direct identifiers such as CI and full name (for example, only name 1 and last name 1) when sharing with third parties (deliver only the data strictly necessary).

 

Type of data: Special categories

Description: Data on girls, boys and adolescents, and people with disabilities and their substitutes.

Preventive measure: This information should be used only for the stated purposes.

 

7.    Rights of Personal Data Holders. –

 

7.1.     The procedure for attention to the rights and requirements of the Owners will be established through the Policy for Attention to the Rights of Personal Data Holders and any other document that BMI ECUADOR issues for this purpose. In any case, the formats used by BMI ECUADOR where the Authorization of the Holders is recorded must contemplate the rights that they have with respect to the LOPDP. The Holders may enjoy the following rights, subject to and in accordance with applicable legislation:

 

7.1.1.   Information transparency: right to be informed in accordance with the principles of loyalty and transparency on all aspects indicated in article 12 of the LOPDP.

 

7.1.2. Access: right to:

 

·         Obtain confirmation of whether or not your Personal Data is being processed;

·         Receive a copy of all your Personal Data that is being processed by BMI ECUADOR, except for the exceptions defined by the relevant legislation (for example, confidential commercial information, or information that would grossly violate the privacy rights of a third party);

·         Request information about the sharing of your Personal Data with other organizations.

·         Detail of institutional policies and procedures for the protection of personal data privacy; and,

·         Online processing service for queries and complaints regarding personal data.

 

7.1.3. Rectification and update: right to obtain from the controller the rectification and updating of your inaccurate or incomplete personal data.

 

7.1.4. Elimination: right to have your personal data deleted in the cases determined by article 15 of the LOPDP.

 

7.1.5. Opposition: right to oppose the processing of your personal data in particular circumstances determined in article 16 of the LOPDP. BMI ECUADOR must stop processing such Data when an opposition is filed, unless there is a specific reason why the opposition is invalid.

 

7.1.6. Portability: The owner has the right to receive from the data controller their personal data in a compatible, updated, structured, common, inter-operable and machine-readable format, preserving its characteristics; or to transmit them to other responsible parties. The Owner of the personal data will have the right to select the information that can be shared with third parties.

 

7.1.7. Suspension: right to obtain from the data controller the suspension of data processing, when any of the conditions of article 19 of the LOPDP are met.

 

7.1.8. Request for review of decisions taken exclusively on the basis of automated processing: right to object, ask for explanations and request human review of decisions based exclusively on automated data processing that affects your interests.

 

8.    Processing of personal data stored in databases

 

8.1.      BMI ECUADOR will only process personal data in accordance with the nature of the data and the purposes established in this Policy, in authorizations in documents, in privacy notices or in other specific documents for the processing of personal data of workers, clients and other Owners. Among the purposes for which BMI ECUADOR collects personal data are the following:

 

8.1.1.   Formalization, development and execution of the insurance contract; provision and coverage of the healthcare service that is the subject of the insurance contract, being able to request and obtain information regarding your health from healthcare professionals.

 

8.1.2. To establish communication between BMI ECUADOR and the Owners, for any purpose related to the purposes established in this Policy, whether through calls, text messages, emails and/or physical messages.

 

8.1.3. Carry out or implement the acquisition or offer of products or services by BMI ECUADOR.

 

8.1.4.      Audit, study and analyze the information in the Database to design commercial strategies and increase and/or improve the products and services offered by BMI ECUADOR.

 

8.1.5. Combine personal data with information obtained from other allies or companies or send it to them to implement joint commercial strategies.

 

8.1.6. Audit, study and analyze the information in the Database to design supply strategies.

 

8.1.7. Audit, study, analyze and use the information in the Database to design, implement and develop programs, projects and events.

 

8.1.8. Audit, study, analyze and use the information in the Database for the socialization of policies, projects, programs, results and organizational changes.

 

8.1.9. Provide the information and personal data of the Holders to the subsidiaries, affiliates or affiliated companies of BMI ECUADOR, strategic allies or to other companies or people that BMI ECUADOR commissions to process the information and comply with the purposes described in this Policy.

 

8.1.10.    Carry out financial, legal, commercial and security risk qualification.

 

8.1.11.      Compliance with obligations that correspond to BMI ECUADOR by legal mandate, among others, those related to insurance regulations, tax laws, money laundering, labor and data protection regulations.

 

8.1.12.    When the information must be disclosed to comply with laws, regulations or legal processes, to ensure compliance with the terms and conditions, to stop or prevent fraud or attacks on the security of BMI ECUADOR, to prevent technical problems or to protect the rights of others, as required by the terms and conditions or by law.

 

8.1.13.    Consult, store and use the financial information obtained from third-party database administrators, with prior authorization from the Owner for said consultation.

 

8.1.14.    The others described in this Policy or applicable Ecuadorian legislation.

 

9.    Automated decisions

 

9.1.     For these cases, the purpose of incorporating the personal data into the file, profiling and automated processing is to link the owner with BMI ECUADOR, together with the respective maintenance, management, administration, provision, expansion and improvement of, and sending of updates to, the services to which the owner has subscribed; as well as the provision of new services that may be of interest to the owner, and the sending by traditional and electronic means of technical, operational and commercial information about products, promotions and services offered by BMI ECUADOR currently and in the future. The purpose of the registration and automated processing of Personal Data also includes the sending of survey forms, which the owner is not obliged to answer.

 

9.2.   For each processing of personal data that involves an automated decision, BMI ECUADOR will guarantee the right of the owner to object, ask for explanations and request human review of these decisions in accordance with point 7 of this Policy, the Policy for Attention to the Rights of Personal Data Holders and any other document that BMI ECUADOR issues for this purpose.

 

10.  National and international transfer of personal data

 

10.1.      In particular, only those third parties to whom BMI ECUADOR has entrusted the provision of services will have access to personal data. Likewise, BMI ECUADOR may communicate your data to related companies, branches and subsidiaries, and also for the purposes of storing information in local and/or foreign databases.

 

10.2.    In cases where such communications involve an international transfer, BMI ECUADOR will require third parties to whom your personal data is transferred to comply with appropriate standards of confidentiality, protection and security, especially when said third parties are located in countries that do not have adequate data protection legislation in accordance with the parameters established by the applicable regulations in each jurisdiction. BMI ECUADOR will not communicate said data to third parties, except when necessary to manage the processes and services of BMI ECUADOR.

 

10.3.    Recipients will be subject to the same obligations and security, technical and legal measures described in the LOPDP, secondary regulations and resolutions issued by the Data Protection Authority.

 

11.     Where can I make inquiries?

 

Whenever you deem it appropriate, you can obtain confirmation of how BMI ECUADOR is processing your personal data, exercise your rights and make any query related to your personal data. To do so, the User may send a communication to:

 

Headquarters Address: Av. De Los Shyris and Sweden, Renazzo Plaza building, 12th floor, Quito -Ecuador.

Branch Address 1: Colón Business Park. Ave. Jaime Roldós Aguilera Edif. Pacifica Center floor 3 and 4, Guayaquil – Ecuador.

Branch Address 2: Cuenca-Azogues Highway, Cardeca Business Center Building, Ground Floor, Cuenca – Ecuador.

Telephone: 1800-264-264

Email: postventaec@bmicos.com

 

BMI ECUADOR will have the period established in the LOPDP to respond to any query or exercise of rights.

 

If there is no response, the User may contact the corresponding Data Protection Authority.

 

12.  Hiring of Suppliers

 

12.1.       All BMI ECUADOR suppliers must process the personal data to which they have access only in accordance with the instructions documented by BMI ECUADOR.

 

12.2.     All suppliers that handle personal data provided by BMI ECUADOR must have appropriate measures to ensure the confidentiality and security of personal data. This includes, but is not limited to, establishing, implementing and maintaining an information security program that includes policies and procedures to protect and keep personal data secure in accordance with good industry practices and as required by the LOPDP. Specifically, BMI ECUADOR will verify that there is: a data protection policy, an information security policy, certifications (at the discretion of BMI ECUADOR), and a data protection delegate or a person responsible for data matters within the organization, among others.

 

12.3.     All BMI ECUADOR suppliers must sign a Data Processing Agreement (“DPA”), in which the conditions for the processing of personal data will be established, as well as the technical measures that will be adopted. If a DPA is not signed, provisions regarding the handling of personal data must be incorporated into the framework contract, statement of work, purchase orders or any document where the relationship with the supplier is verified. Any of the aforementioned documents must establish at least: the object and duration of the processing, its nature and purpose, the type of personal data that will be used, the data subjects, as well as the obligations and rights of BMI ECUADOR.

 

12.4.    BMI ECUADOR will not be able to sign contracts for the provision of services in which personal data is included or involved unless the provider (as data processor) has the appropriate technical, physical, legal and organizational measures and signs a DPA or a document specifying obligations regarding the protection of personal data.

 

12.5.     If the provider intends to use a subcontractor for the processing of personal data, it must: (i) notify BMI ECUADOR before subcontracting services or making any change related to the addition or substitution of subcontractors; (ii) document the nature and scope of BMI ECUADOR personal data subprocessed by subcontractors, guaranteeing that the information collected is necessary to carry out the activity; (iii) process personal data in accordance with the guidelines of BMI ECUADOR; and, (iv) limit the processing of personal data of BMI ECUADOR by the subcontractor to the purposes necessary to fulfill the supplier's contract with BMI ECUADOR.

 

13.  Training

 

13.1.       BMI ECUADOR will carry out training for all its staff regarding the principles, rights and obligations established in the LOPDP. BMI ECUADOR will adopt the corresponding training and awareness actions periodically so that all people are aware of this Policy and the personal data protection processes, and carry out their functions in accordance with them.

 

14.  Relationship with the Control Authority

 

14.1.      BMI ECUADOR will maintain a fluid dialogue and compliance with the Data Protection Authority. BMI ECUADOR may share information and personal data in accordance with the requirements made by the Data Protection Authority.

 

14.2.    If necessary, BMI ECUADOR will appoint a Data Protection Officer who will be the person in charge of communicating and presenting the information required by the Data Protection Authority.

 

15.  Security of personal data

 

15.1.       BMI ECUADOR must process the data throughout its life cycle; for this, it must take into account the following actions:

 

15.2.     Storage:

 

a.      Disk encryption

b.      Antivirus protection (endpoint)

c.      Information backup considerations

d.      Information storage process

 

15.3.     Elimination

 

a.      Low-level elimination (secure erase)

b.      Define processes for the elimination of information

 

16.  References to other documents

 

a.    ISO 9001:2015 Standard

b.   ISO 20000-1:2018 Standard

c.    ISO 27001:2013 Standard

d.   Process Transformation

 

17.  Approval and Entry into Force

 

17.1.       This Policy will be communicated to all related persons who must comply with it in accordance with what is established in the Scope of Application. The Policy will be reviewed annually in accordance with the commercial activities and strategic objectives of BMI ECUADOR. Additionally, the Policy may be reviewed and adapted in accordance with legal, regulatory changes or resolutions of the Competent Authority.

 

The Policy was approved on May 8, 2023. The last modification was made on May 8, 2023.