Personal Data Protection Policy Xtendo Group

1 – Introduction

At XTENDO GROUP, the protection of personal data is a strategic priority. We recognize that personal information is one of our most valuable assets, and we are committed to handling it responsibly and securely. We integrate best practices in cybersecurity and Data Loss Prevention (DLP) into our Information Security Management System (ISMS). This policy outlines how we collect, use, store, share, and protect the personal information of our clients, employees, suppliers, and other data subjects, ensuring compliance with applicable legislation and respect for their rights.


2 – Purpose

  • Comprehensive Protection: Ensure all personal data is handled to high security standards, using technical, administrative, and physical controls.

  • Regulatory Compliance: Guarantee compliance with the data protection legislation applicable in the operating country, as well as internal information security policies.

  • Transparency and Data Subject Rights: Clearly inform data subjects about the processing of their data and facilitate the exercise of their rights.

  • Integration with the ISMS: Incorporate controls and security measures in personal data management, such as encryption, access control, incident management, and secure retention and deletion procedures.


3 – Scope

This policy applies to all information and personal data collected by XTENDO GROUP through:

  • Our website www.xtendo.biz and social media channels.

  • Contact forms, user registration, service contracting, and recruitment processes.

  • Events, communications, and any interaction with clients, collaborators, contractors, interns, and third parties that interact directly or indirectly with the Group’s information assets.

  • All systems, devices, and applications that process, store, or transmit personal information, both internally and in cloud environments.

  • Any other physical or digital medium used to manage personal data.


4 – Regulatory Framework

Spain

  • General Data Protection Regulation (GDPR)

  • Organic Law on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)

France

  • GDPR

  • Loi Informatique et Libertés

Germany

  • GDPR

  • Federal Data Protection Act (BDSG)

Portugal

  • GDPR

  • Personal Data Protection Law adapted to the EU regulation

United States

  • Mosaic of federal and state laws

    • HIPAA

    • GLBA

    • Florida Digital Bill of Rights (FDBR)

Canada

  • Personal Information Protection and Electronic Documents Act (PIPEDA)

Brazil

  • General Data Protection Law (LGPD)

Guatemala

  • Comprehensive Law on Personal Data Protection in the Hands of Third Parties (6103)

  • Data Protection Law (6105)

Uruguay

  • Law No. 18.331

  • Decree No. 64/020

Colombia

  • Law 1581 of 2012

  • Decree 1377 of 2013

Argentina

  • Law 25.326 on Personal Data Protection

Bolivia

  • Law No. 164 of 2011, General Law on Telecommunications, Information and Communication Technologies

Philippines

  • Data Privacy Act of 2012


5 – Principles and Definitions

Principles

  • Lawfulness, Fairness, and Transparency: Data will be processed lawfully, for legitimate purposes, and transparently.

  • Purpose Limitation: Data will only be used for the specific purposes for which it was collected.

  • Data Minimization: Only strictly necessary data will be collected.

  • Accuracy and Updating: Reasonable measures will be taken to keep data accurate and up to date.

  • Storage Limitation: Data will be retained only as long as necessary to fulfill its purpose.

  • Integrity and Confidentiality: Technical and organizational measures will be implemented to protect data against unauthorized access, loss, or alteration.

Definitions

  • Personal Data: Any information related to an identified or identifiable natural person.

  • Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, transmission, or deletion.

  • Data Subject: The person to whom the data belongs.

  • Consent: A free, specific, informed, and unequivocal expression by which the data subject accepts the processing of their data.

  • Security Incident: Any event that compromises the confidentiality, integrity, or availability of personal data.


6 – Roles and Responsibilities

  • Senior Management: Approve and oversee the policy and ensure necessary resources are allocated.

  • ISMS and Data Protection Officer: Coordinate implementation, conduct periodic audits, and manage policy updates.

  • IT/Security Team: Implement technical measures (encryption, access control, DLP) and maintain secure infrastructure.

  • Users: Comply with established guidelines and report any incident or breach.


7 – Collection and Use of Personal Data

Data Collected

XTENDO GROUP collects personal data in various situations, such as:

  • Website Interaction: Access information, behavior (keywords, pages viewed, location, browser, device).

  • Contact and Registration Forms: Basic identification data (name, email, company, country, WhatsApp, messages).

  • Recruitment Processes: Resume information and data collected through LinkedIn or email.

  • Events and Social Media: Data obtained from public or private interactions, always informing the user of the processing.

Purposes of Processing

  • Improve User Experience: Adapt services and content to user needs.

  • Service Delivery: Facilitate communication, management, and support of offered services.

  • Marketing and Advertising: Send promotional messages and offers, where consent has been obtained.

  • Recruitment Processes: Evaluate applications and support talent acquisition.

  • Legal Compliance: Retain data in accordance with legal and regulatory obligations.


8 – Data Security and Protection Measures

As part of our Information Security Policy, the following measures are implemented:

  • Access Control and Authentication: Use of strong authentication and, in critical environments, multi-factor authentication to limit access to personal data.

  • Encryption: Encryption of personal data in transit (TLS/SSL) and at rest (AES-256).

  • DLP and Monitoring Solutions: Deployment of Data Loss Prevention tools and systems to detect and respond to incidents.

  • Incident Management: Defined procedures for immediate response to security incidents involving personal data.

  • Secure Retention and Deletion: Establishment of retention periods and secure processes for deletion or anonymization of data after fulfilling its purpose.

  • Training and Awareness: Ongoing training programs on safe data handling and regulatory compliance.


9 – Data Subject Rights and Exercise of Rights

XTENDO GROUP guarantees data subjects the following rights:

  • Access: Know and access their personal data.

  • Rectification: Request correction of inaccurate or incomplete data.

  • Erasure: Request deletion of data when no longer necessary.

  • Restriction of Processing: Limit processing in certain circumstances.

  • Objection: Object to the processing of data.

  • Portability: Receive their data in a structured and transferable format.

  • Withdrawal of Consent: Withdraw previously granted consent.

Data subjects can exercise these rights by submitting a written request to: info@xtendo.biz


10 – Data Retention and Storage

  • Retention Period: Data will only be stored for the time necessary to fulfill service provision, contractual, and legal obligations. Specific periods will be defined in the Data Inventory and updated regularly.

  • Secure Deletion: Once the retention period has expired, data will be securely deleted or anonymized following approved procedures.


11 – Data Transfer

  • International: If data is transferred to other countries, XTENDO GROUP will ensure an adequate level of protection in accordance with GDPR and other regulations.

  • Third Parties: Personal data will not be shared with unauthorized third parties. Transfers are made under contractual agreements that ensure data protection.


12 – Training and Awareness

  • Regular Training: Training sessions will be held for all employees on secure data handling and regulatory compliance.

  • Ongoing Updates: Training will be regularly updated to reflect legislative changes and technological advancements.


13 – Policy Review and Updates

This policy will be reviewed at least annually or when significant changes occur in legislation, technology, or internal processes. Updates will be approved by Senior Management and communicated to all employees.


14 – Approval and Dissemination

This Personal Data Protection Policy is effective as of the stated date and is mandatory for all employees and collaborators who manage the organization’s data and information.

This policy will be filed in the company’s official records and shared internally for awareness among all employees and third parties, reinforcing the culture of information security and commitment that characterizes XTENDO GROUP.


Last Update: February 28, 2025