• This Policy applies to personal information about Grupo GA&A’s customers and other individuals that is collected, used or disclosed by Grupo GA&A.
• This Policy does not apply to information about Grupo GA&A’s corporate customers; however, such information is protected by other Grupo GA&A policies and practices and through contractual arrangements.
• This Policy does not apply to information about Grupo GA&A’s employees; however, such information is protected by other Grupo GA&A policies and practices.
• This Policy is subject to change, and may be supplemented or modified by additional terms applicable between Grupo GA&A and an individual.
Collection – the act of gathering, acquiring, recording, or obtaining personal information.
Consent – voluntary agreement with the collection, use and disclosure of personal information for defined purposes. Consent can be either express, implied or deemed, and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction. Deemed consent is consent that is deemed to be given pursuant to applicable legislation or other regulations.
Personal information – information about an identifiable individual, but does not include aggregated information that cannot be associated with a specific individual. Personal information also excludes certain information as is excluded pursuant to applicable legislation or other regulations, such as publicly available information or business contact information, as and when applicable.
Grupo GA&A and its subsidiaries and affiliates.
Third party – an individual or organization outside Grupo GA&A.
Use – the treatment, handling and management of personal information by and within an organization.
Grupo GA&A is responsible for personal information under its control and shall designate one or more persons who are accountable for Grupo GA&A’s compliance with the following principles.
1.3 Grupo GA&A is responsible for personal information in its possession or under its control. Grupo GA&A shall use appropriate means to protect personal information while information is being processed by a third party on behalf of Grupo GA&A.
1.5 Grupo GA&A shall implement policies and procedures to give effect to this Policy, including:
(b) establishing procedures to receive and respond to inquiries or complaints; and
(c) training and communicating to staff about Grupo GA&A’s policies and practices.
IDENTIFYING PURPOSES FOR COLLECTION OF PERSONAL INFORMATION
Grupo GA&A shall identify and document the purposes for which personal information is collected at or before the time the personal information is collected or, when appropriate, at or before the time the personal information is used for a new purpose.
2.1 Grupo GA&A collects personal information for the following purposes:
(a) to establish and maintain a responsible commercial relationship with customers;
(b) for purposes identified to individuals or purposes obvious to individuals, in respect of particular collections of personal information;
(c) to meet legal and regulatory requirements;
(d) to understand needs and preferences of individuals;
(e) to develop, enhance, market and/or provide products and services;
(f) to manage and develop Grupo GA&A’s business and operations, including transfer of data among affiliated entities.
(Further references to “identified purposes” mean the purposes identified above.)
2.2 Grupo GA&A shall, as appropriate, specify orally, electronically or in writing the identified purposes to the individual at or before the time personal information is collected. Upon request, persons collecting personal information shall explain these identified purposes or refer the individual to a designated person within Grupo GA&A who shall explain the purposes.
The knowledge and consent of an individual are generally required for the collection, use or disclosure of personal information. In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual, such as in the case of an emergency where the life, health or security of an individual is threatened.
Grupo GA&A may disclose personal information without knowledge or consent to a lawyer or other advisor representing Grupo GA&A, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required or authorized by law.
3.1 In obtaining consent, Grupo GA&A shall use reasonable efforts to ensure that an individual is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the individual.
3.2 Generally, Grupo GA&A shall seek consent to use and disclose personal information at the same time it collects the information. However, Grupo GA&A may seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose.
3.3 Grupo GA&A will require individuals to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is reasonably required to fulfill the identified purposes.
3.4 In determining the appropriate form of consent, Grupo GA&A shall take into account the sensitivity of the personal information and the reasonable expectations of the individual.
3.5 Where consent is required for a particular use or disclosure, an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Individuals may contact Grupo GA&A for more information regarding the implications of withdrawing consent.
LIMITING COLLECTION OF PERSONAL INFORMATION
Grupo GA&A shall limit the collection of personal information to that which is necessary for the purposes identified by Grupo GA&A and as permitted by law.
4.1 Grupo GA&A collects personal information primarily from the individual to whom the information relates.
4.2 Grupo GA&A may also collect personal information from other sources including credit bureaus or other third parties who represent that they have the right to disclose the information, or as otherwise permitted by law.
LIMITING USE, DISCLOSURE AND RETENTION OF PERSONAL INFORMATION
Grupo GA&A shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Grupo GA&A shall retain personal information only as long as necessary for the fulfillment of those purposes or as required or permitted by law.
5.1 Grupo GA&A may disclose an individual’s personal information to:
(a) a person who in the reasonable judgment of Grupo GA&A is seeking the information as an agent of the individual;
(b) a company or individual employed by Grupo GA&A to perform functions on its behalf, such as but not limited to research or data processing;
(c) another company or individual for the development, enhancement, marketing or provision of any of Grupo GA&A’s products and services;
(d) an agent used by Grupo GA&A to evaluate the individual’s creditworthiness or to collect the individual’s account;
(e) a credit reporting agency;
(f) a public authority or agent of a public authority, if in the reasonable judgment of Grupo GA&A, it appears that there is imminent danger to life or property which could be avoided or minimized by disclosure of the information;
(g) another entity as part of a merger, a sale of assets or all or part of a business, or any other corporate change or reorganization;
(h) a third party or parties, where the individual consents to such disclosure or disclosure is required or permitted by law.
5.2 Only Grupo GA&A employees with a business need to know, or whose duties reasonably so require, are granted access to personal information about individuals.
5.3 Depending on the circumstances, where personal information has been used to make a decision about an individual, Grupo GA&A shall retain, for a reasonable period of time, either the actual information or the rationale for making the decision.
5.4 Grupo GA&A shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required or permitted by law to be retained. Such information shall be destroyed, erased or made anonymous.
5.5 Where appropriate, Grupo GA&A may communicate updates of personal information to third parties.
Grupo GA&A shall take steps to ensure that personal information is as accurate, complete and up-to-date as is appropriate for its purposes.
6.1 Personal information used by Grupo GA&A shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about an individual.
6.2 Grupo GA&A shall update personal information about individuals as and when reasonably necessary to fulfill the identified purposes or as reasonably requested by the individual.
Grupo GA&A shall protect personal information by security safeguards appropriate to the sensitivity of the information.
7.1 Grupo GA&A shall take appropriate and reasonable steps to protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction.
7.2 Grupo GA&A shall take appropriate and reasonable steps to protect personal information disclosed to third parties, for example by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.
Grupo GA&A shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
8.1 Copies of this Policy will be made available upon request.
8.2 Grupo GA&A shall make information about its policies and procedures easy to understand, including:
(a) the title and addresses of the person or persons accountable for Grupo GA&A’s compliance with this Policy and to whom inquiries or complaints can be forwarded;
(b) the means of gaining access to personal information held by Grupo GA&A; and
(c) a description of the type of personal information held by Grupo GA&A, including a general account of its use.
Upon request, Grupo GA&A shall inform an individual of the existence, use and disclosure of his or her personal information, at a minimal or no cost to the individual. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
9.1 In certain situations, Grupo GA&A may not be able to provide access to all the personal information that it holds about an individual. For example, Grupo GA&A may not provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of an individual. Also, Grupo GA&A may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a law. If access to personal information cannot be provided, Grupo GA&A shall, upon request, provide the reasons for denying access.
9.2 In order to safeguard personal information, an individual may be required to provide sufficient identification information to permit Grupo GA&A to authorize access to the individual’s file.
9.3 Individuals can seek access to their personal information by contacting a designated representative at Grupo GA&A.
9.4 Grupo GA&A will endeavor to respond to all requests within 30 days or, in any event, as required or permitted by applicable law.
HANDLING INQUIRIES AND CHALLENGES
An individual shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for Grupo GA&A’s compliance with this Policy.
10.1 Grupo GA&A shall maintain procedures for addressing and responding to all inquiries or complaints from individuals about Grupo GA&A’s handling of personal information.
10.2 Grupo GA&A shall inform its customers about the existence of these procedures as well as the availability of complaint procedures.
10.3 The person or persons accountable for compliance with this Policy may seek external advice where appropriate before providing a final response to individual complaints.