Privacy Policy

Introduction and General Guidelines

This Policy for the Treatment and Protection of Personal Data (the “Policy”) of JJ Associates (“Company”) establishes the criteria that must be applied for the treatment and protection of Personal Data, such as the collection, storage, use, circulation, elimination, and, in general, all those activities that imply the Treatment of Personal Data.

Likewise, the purpose of this policy is to provide a common understanding of the Company’s data as a critical resource for the business line and to establish the responsibilities that accompany the use of this data and its management by all employees of JJ Associates.

Company data is defined as any information that is created, collected, and stored by the Company or any office of the Company in support of its functions. Such data may relate to employees, customers, customers of our customers, or other members of the Company. This includes both current and former employees, customers, customers of our customers, and other members of the Company, which may consist of personal, financial, medical, or job performance information.

Our customers’ data is one of JJ Associates’ most valuable resources and represents a significant investment. Sound data management policies, procedures, and practices will effectively support informed decision-making based on real data that can significantly contribute to furthering the Company’s strategic directions.

Our data management policies, procedures, and practices are designed to safeguard three vital aspects of data: Integrity, Security, and Access.

Data integrity includes qualities of accuracy, consistency, and timeliness. This data is a company resource that can be used by many users and is trustworthy. Data integrity begins with the person or office that creates it, and it is the responsibility of the IT department and every office in JJ Associates to ensure that it exists.

Data security encompasses more than electronic security. While some aspects of security may be assured by technology, security also encompasses a measure of trust. As a business-critical company resource, data must be safeguarded at all levels against damage, loss, corruption, and security breaches, and all users share this responsibility.

Access to institutional data is granted internally when there is a demonstrated legitimate business or research need for the data and externally when disclosure of such data would not violate obligations, privacy legislation, or legal contracts. Whenever possible, data should be collected at the source and made available to all members of the Company who have a legitimate business need for the data for commercial purposes.

1. Definitions

These terms correspond to generalities and guidelines regarding the protection of personal data, which should be interpreted in accordance with the regulations governing each country.

  • Personal data: This is any information linked to, or that can be associated with, a specific person, such as name or identification number, or that can make that person identifiable, such as physical features.
  • Public data: This is one of the existing types of personal data. Public data includes, among others, data relating to the marital status of individuals, their profession or trade, and their status as a merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, official gazettes and bulletins and duly executed court rulings that are not subject to reserve.
  • Semi-private data: Data that are not of an intimate, reserved or public nature and whose knowledge or disclosure may be of interest not only to the owner but also to a certain sector or society in general. Financial and credit data from commercial or service activities are some examples.
  • Private data: It is the data that due to its intimate or reserved nature is only relevant to the holder. The tastes or preferences of individuals, for example, correspond to private data.
  • Sensitive data: It is information of a personal nature that reveals, for example, but not limited to: racial or ethnic origin, political preferences, religious convictions or beliefs, sexual orientation, self-determination in its different spheres, exercise of the right to privacy, and the exercise of the right to freedom of expression, unionization, political affiliations, membership in social groups, information on the person’s health status, biometric data, among others.
  • Authorization: It is the consent conferred to any person so that the companies or persons responsible for the processing of information can use their personal data.
  • Database: Organized set of personal data subject to processing and use.
  • Data processor: The natural or legal person who carries out the processing of personal data, based on a delegation made by the data controller, receiving instructions about the way in which the data should be managed.
  • Data controller: The natural or legal person, public or private, who decides on the purpose of the databases and/or the use of the data.
  • Data subject: The natural person whose personal data is the object of processing.
  • Processing: Any operation or set of operations on personal data, such as collection, storage, use, circulation or suppression.
  • Privacy notice: It is one of the verbal or written communication options granted by law to inform the owners of the information of the existence of, and ways to access, the information processing policies and the purpose of its collection and use.
  • Data protection officer: Person responsible for supervising and controlling that the measures on the treatment of personal data implemented by the company are fully complied with and who, in turn, becomes responsible for the treatment of such data.
  • Data transmission: Processing of personal data that involves the communication of such data within or outside the territory of each country when the purpose of the processing is to be carried out by the Data Processor on behalf of the Controller.
  • Transfer of data: Refers to the transfer of information or personal data, by the person responsible for or directly in charge of the processing of personal data, to another person or public or private entity, which in turn is responsible for the processing of the data and which may be located within or outside of each country.

2. General Principles

  • Principle of legality: The processing referred to in the law is a regulated activity that must be subject to the provisions of the law and other provisions that develop it.
  • Principle of purpose: The processing must obey a legitimate purpose in accordance with the laws that regulate it, which must be informed to the Data Subject.
  • Principle of freedom: Processing may only be carried out with the prior, express and informed consent of the Data Subject. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal mandate that waives the need for consent.
  • Principle of truthfulness or quality: The information subject to processing must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractioned or misleading data is prohibited.
  • Principle of transparency: The right of the Data Subject to obtain from the Data Controller or the Data Processor, at any time and without restrictions, information about the existence of data concerning him/her, must be guaranteed in the Processing.
  • Principle of restricted access: Processing is subject to the limits that derive from the nature of the personal data and from the provisions of the laws that regulate it. Processing may only be carried out by persons authorized by the Data Controller and/or by the persons provided for in the laws that regulate it.
  • Principle of security: The information subject to Processing by the responsible party referred to in the laws that regulate it shall be handled with the technical, human and administrative measures that are necessary to provide security to the records, avoiding their adulteration, loss, consultation, use or unauthorized or fraudulent access.
  • Principle of confidentiality: All persons involved in the processing of personal data that are not of a public nature are obliged to guarantee the confidentiality of the information, even after the end of their relationship with any of the tasks involved in the processing, and may only provide or communicate personal data when it corresponds to the development of the activities authorized by law and under the terms of this.

3. Responsible for Data Processing

Any request, complaint or claim related to the handling of personal data, in application of the provisions of the law of each country, should be sent to:

Name: JJ Associates
Telephone number: +1 (205) 843-1921
Principal Data Protection Officer: IT Manager
Alternate Data Protection Officer: COO
Email: dataprotection@jj-associate.com
Website: https://www.jj-associate.com

4. General Provisions set forth in the GDPR (General Data Protection Regulation)

The GDPR develops the right to know, update and rectify the information collected in databases and the other rights, freedoms and guarantees (right to privacy and right to information, respectively).

Considering the way a database is stored, a distinction can be made between automated databases and manual databases or archives. Automated databases are those that are stored and managed with the help of computer tools.

Manual databases or archives are those whose information is organized and stored in a physical way, such as supplier order forms containing personal information relating to the supplier, such as name, identification, telephone numbers, e-mail addresses, etc.

The guidelines exempt from the protection regime the following:

  • Files and databases belonging to the personal or domestic sphere
  • Those whose purpose is national security and defense, prevention, detection, monitoring and control of money laundering and financing of terrorism
  • Those whose purpose is, and which contain, intelligence and counterintelligence information
  • Journalistic information and other editorial content
  • Financial and credit information, commercial, services and from third countries
  • Information on population and housing censuses

5. Confidentiality Guarantee

A. Employees

Virtual Databases

The Human Resources and Recruitment team maintains confidential databases to which only the department has access. Additionally, everything is handled by Google Drive, an encrypted storage system that meets the highest standards of confidentiality.

Physical Databases

As far as possible, JJ Associates refrains from storing physical documents concerning employees. When a document is received, the team in charge scans it and stores it within the private shared drive where the relevant client information is stored.

B. Clients

Virtual Storage Units (“Drives”)

Each JJ Associates office has established protocols for the storage and handling of client information. In general, JJ Associates has computer programs that comply with the following standards.

The main storage resource is the Google Drive “cloud,” a protected service for the exclusive use of JJ Associates members.

Physical Storage Units

Additionally, for the handling of customer data, JJ Associates has physical storage units for the storage of physical customer documents. These units are usually secured or padlocked cabinets, with restricted access granted only to employees working directly with the client or to office managers.

As in previous points, JJ Associates takes care not to store physical information in any of its locations as much as possible. Most of the time, JJ Associates stores information virtually with the highest security standards.

6. Comprehensive Data Protection Program

Program Controls

1. Classification of personal data

The data that the company processes is defined and classified as follows:

  • General identification data such as: first name, last name, type of identification, identification number, date and place of issue, name, marital status, sex, etc.
  • Specific identification data such as: signature, nationality, electronic signature, other identification documents, place and date of birth, age, etc.
  • Biometric data such as: fingerprints, photographs, videos, etc.
  • Location data related to the private activity of individuals such as: address, telephone, e-mail, etc.
  • Data related to the person’s health in terms of orders and list of complementary tests such as laboratory, imaging, endoscopies, pathological studies, etc.
  • Data on persons with disabilities.
  • Data related to the person’s work history, work experience, position, dates of entry and retirement, annotations, calls for attention, etc.
  • Data related to the person’s educational level, training, and/or academic history, etc.
  • General data related to affiliation and contributions to the social security systems of each country.
  • Personal data of access to information systems such as: users, IP, passwords, profiles, etc.

7. Duties of the Data Controller

JJ Associates, in addition to being the authority for the protection of personal data, has the status of Data Controller for the databases created by the entity.

The Data Controllers must comply with the following duties, without prejudice to the other provisions of the laws governing their activities:

  • Guarantee the Data Subject, at all times, the full and effective exercise of the right to protection of personal data.
  • Request and keep, under the conditions provided for in the laws governing the matter, a copy of the respective authorization granted by the Data Subject.
  • Duly inform the Data Subject about the purpose of the collection and the rights they are entitled to by virtue of the authorization granted.
  • Keep the information under the security conditions necessary to prevent its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
  • Ensure that the information provided to the Data Processor is truthful, complete, accurate, current, verifiable, and understandable.
  • Update the information, communicating in a timely manner to the Data Processor, all developments with respect to the data previously provided.
  • Rectify the information when it is incorrect and communicate the relevant information to the Data Processor.
  • Provide the Data Processor only data whose processing is previously authorized.
  • Require the Data Processor at all times to respect the security and privacy conditions of the Data Subject’s information.
  • Inform at the request of the Data Subject about the use given to their data.

8. Rights of the Holders

The holders of the personal data shall have the following rights:

  • To know, update, and rectify their personal data before the Data Controllers or Data Processors.
  • Request proof of the authorization granted to the Data Controller.
  • Be informed regarding the use given to their personal data.
  • To revoke the authorization and/or request the deletion of the data.
  • Access free of charge to personal data that has been subject to Processing.

9. Processing

The information provided to JJ Associates by customers, suppliers, employees, and shareholders has, without being limited to those listed, the following purposes:

  • The proper provision of the services contracted with JJ Associates.
  • To be contacted for product offerings and contract renewals.
  • To send commercial and promotional information or invitations.
  • Personnel recruitment and evaluation processes.
  • Judicial or administrative requirements and legal compliance.
  • Invitations or meetings with JJ Associates.
  • Administrative processes related to employees, customers, suppliers, and shareholders.
  • Attention to petitions, complaints, claims, and suggestions.
  • Updating of data.
  • Control entity requirements.
  • Contractual and commercial linkage.
  • Economic recognition for services.
  • Recognition and protection of shareholder rights.
  • Monitoring security of facilities.
  • Any other purpose arising from the legal nature of JJ Associates.

10. Guidelines on the Use of Data and Information

Company data should be used only by authorized persons and only for the purpose for which access has been granted.

Authorization to access data is not transferable. Company data may not be accessed or manipulated for personal gain.

Personal information contained in database files may not be disclosed. Any violation of this policy may result in disciplinary action, including termination and criminal prosecution.

11. Technology and Information Management Guidelines

  • Maintain the anti-virus system up to date.
  • Do not download suspicious files.
  • Protection against phishing.
  • Changing passwords regularly.
  • Information management through company G-Suite only.
  • Do not access links from strange sources.
  • Supplier software approval by IT.
  • Secure computer information when leaving workspaces.

12. Database Inventories

JJ Associates will keep a record of all databases of the organization.

The Inventory of Personal Data Bases includes:

  • Database name
  • Responsible party
  • Collection channel
  • Type of personal data
  • Number of data holders
  • Storage location
  • Purpose of processing
  • Need for the data

Updates must be notified to the Data Protection Officer by e-mail.

13. Additional Security Considerations

  • Office access limited to business hours.
  • No unauthorized access outside hours.
  • Offices secured with private security.
  • Visitor access only with authorization.
  • Visitor registration required.

14. Validity

JJ Associates’ Personal Information Processing Policies will be effective as of December 1, 2024. The databases managed by JJ Associates will be maintained indefinitely as long as necessary to fulfill their purpose and legal obligations.

Data may be deleted at the request of the holder unless doing so contravenes a legal or contractual obligation.