Mexico Finance Designated Activity Company

1. Introduction

1.1 This is the Privacy Policy of Mexico Finance Designated Activity Company which is referred to as the “Company”, “us” or “we” throughout this Privacy Policy. This Privacy Policy provides details of the way in which we Process Personal Data in line with our obligations under Data Protection Law.

1.2 Capitalised terms used in this Privacy Policy are defined in the Glossary in Annex I.

2. Background and Purpose

2.1 The purpose of this Privacy Policy is to explain what Personal Data we process and how and why we process it. In addition, this Privacy Policy outlines our duties and responsibilities regarding the protection of such Personal Data. The manner in which we Process Personal Data will evolve over time and we will update this Policy from time to time to reflect changing practices.

2.2 In addition, in order to meet our transparency obligations under Data Protection Law, we will incorporate this Privacy Policy by reference into various points of data capture used by us e.g. subscription application forms etc.

2.3 Pursuant to the Servicing Agreement dated 24 May2021, the Company has appointed DOVALUE GREECE LOANS AND CREDITS CLAIM MANAGEMENT SOCIÉTÉ ANONYME, a Greek law 4354/2015 Servicer incorporated and registered under the laws of the Hellenic Republic, registered with the Greek General Commercial Registry (GEMI) under no. 121602601000 (hereinafter referred to as the “Servicer”) to service a portfolio of Greek loans owned by the Company.

3. The Company as a Data Controller

3.1 The Company will act as a Data Controller in respect of Personal Data provided to us by (i) various individuals in connection with the management, operation and administration of the Company and (ii) the Servicer in respect of underlying borrowers and related persons under the Greek loans owned by the Company, to the extent such Personal Data is provided. Such individuals will generally be limited to the following:

(a) Directors, assigned employees and officers of the Company;

(b) Employees of service providers who provide services to the Company; and

(each, a “Data Subject”)

The types of Personal Data the Company might process are described in Annex II.

3.2 Personal Data may be processed by the Company for th

Purpose of Processing	Lawful Basis under GDPR
To comply with legal and regulatory obligations applicable to the Company from time to time, including, without limitation, applicable tax, anti-money laundering and other counter terrorist financing legislation. In particular, in order to comply with the Common Reporting Standard (as implemented in Ireland by Section 891E, Section 891F and Section 891G of the Taxes Consolidation Act 1997 (as amended) and regulations made pursuant to those sections), Shareholders’ personal data (including financial information) may be shared with the Irish tax authorities and the Revenue Commissioners. They in turn may exchange information (including personal data and financial information) with foreign tax authorities (including foreign tax authorities located outside the European Economic Area). Please consult the AEOI (Automatic Exchange of Information) webpage on www.revenue.ie for further information in this regard.	To comply with legal obligations to which the Company is subject (per Art. 6(1)(b) GDPR).
To administer and manage the portfolio of credit agreements owned by the Company and exercise its rights under the transaction documents pursuant to which the Company purchased the receivables under the loans and appointed the Servicer to service the loans.	For the purposes of performing a contract.

Purpose of Processing

Lawful Basis under GDPR

To comply with legal and regulatory obligations applicable to the Company from time to time, including, without limitation, applicable tax, anti-money laundering and other counter terrorist financing legislation. In particular, in order to comply with the Common Reporting Standard (as implemented in Ireland by Section 891E, Section 891F and Section 891G of the Taxes Consolidation Act 1997 (as amended) and regulations made pursuant to those sections), Shareholders’ personal data (including financial information) may be shared with the Irish tax authorities and the Revenue Commissioners. They in turn may exchange information (including personal data and financial information) with foreign tax authorities (including foreign tax authorities located outside the European Economic Area). Please consult the AEOI (Automatic Exchange of Information) webpage on www.revenue.ie for further information in this regard.

To comply with legal obligations to which the Company is subject (per Art. 6(1)(b) GDPR).

To administer and manage the portfolio of credit agreements owned by the Company and exercise its rights under the transaction documents pursuant to which the Company purchased the receivables under the loans and appointed the Servicer to service the loans.

For the purposes of performing a contract.

4. The Company and Data Processors

4.1 The Company may engage certain service providers to perform certain services on its behalf which may involve the Processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of the Company and gives rise to a Data Controller and Data Processor relationship, the Company will ensure that such relationship is governed by a contract which includes the data protection provisions prescribed by Data Protection Law.

4.2 The Servicer acts as a separate and distinct controller in relation to the borrowers’ Personal Data and only supplies anonymised data to the Company, unless otherwise specifically instructed. The Servicer’s Privacy Statement should also be consulted for information on the processing of the Personal Data of the borrowers.

5. Record Keeping

5.1 As part of our record keeping obligations under Art. 30 of the GDPR, the Company retains a record of the Processing activities under its responsibility. This comprises the following:

Art. 30 GDPR Requirement	The Company’s Record
Name and contact details of the Controller	Mexico Finance Designated Activity Company
The purposes of the processing	See Section 3 of this Privacy Policy.
Description of the categories of data subjects and of the categories of personal data.	See Annex 2 of this Privacy Policy.
The categories of recipients to whom the Personal Data have been or will be disclosed.	See Section 9 of this Privacy Policy.
Where applicable, transfers of personal data to a third country outside of the EEA.	See Sections 9 and 11 of this Privacy Policy.
Where possible, the envisaged time limits for erasure of the different categories of data.	See Section 10 of this Privacy Policy.
Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).	See Section 8

6. Special Categories of Personal Data

6.1 The Company will not ordinarily obtain or Process Special Categories of Personal Data, however, if in the very limited circumstances where it does so (for example, in relation to any data relating to the health of a director of the Company) it shall Process such Personal data in accordance with Data Protection Law.

7. Individual Data Subject Rights

7.1 Data Protection Law provide certain rights in favour of data subjects. The rights in question are as follows (the “Data Subject Rights”):

(a) the right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);

(b) the right of access to Personal Data;

(d) the right to erase Personal Data (right to be forgotten);

(e) the right of data portability;

(f) the right to restrict Processing;

(g) the right to object to Processing based on legitimate interests; and

(h) the right to object to automated decision making, including profiling;

7.2 These Data Subject Rights will be exercisable by data subjects subject to limitations as provided for Data Protection Law. In certain circumstances it may not be feasible for the Company to discharge these rights, for example because of the structure of the Company or the manner in which the Shareholder / noteholder holds Shares / notes in a Company. Data subjects may make a request relating to the servicing of their loans to the Company by addressing their request in writing to the Servicer’s Customer Service and Complaints Management Unit of doValue Greece, 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected]. Requests shall be dealt with in accordance with Data Protection Law.

8. Data Security and Data Breach

8.1 The Company undertakes to hold any Personal Data provided by Shareholders / noteholders / borrowers / the Servicer in confidence and in accordance with the Data Protection Law. Accordingly, we and our service providers have technical and organisational measures in place to protect Personal Data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. Personal Data are held securely using a range of security measures including, as appropriate, physical measures such as locked filing cabinets, IT measures such as encryption, and restricted access through approvals and passwords.

8.2 The GDPR obliges Data Controllers to notify the Data Protection Commission and affected data subjects in the case of certain types of personal data security breaches. Any Data Breaches identified in respect of Personal Data controlled by the Company will be dealt with in accordance with Data Protection Law and the Company’s Data Breach Procedure.

9. Disclosing Personal Data

9.1 From time to time, we may disclose Personal Data to third parties, or allow third parties to access Personal Data which we Process (for example, where a law enforcement agency or regulatory authority submits a valid request for access to Personal Data) and for the purposes of fraud prevention or investigation. In relation to Shareholders / noteholders / borrowers, the Company may be required to disclose Personal Data relating to U.S. Reportable Persons to the U.S. Internal Revenue Service for purposes of FATCA compliance.

9.2 We may also disclose Personal Data to delegates, professional advisors, service providers (e.g., investment managers, distributors, administrators and depositaries) regulatory bodies, auditors, technology providers and any of the respective related, associated or affiliated companies of the foregoing for the same or related purpose(s).

10. Data Retention

10.1 We will keep Personal Data for :

(a) the duration of the Data Subjects relationship with the Company and afterwards in accordance with the Company’s legal and regulatory obligations and any applicable record retention policy of the Company;

(b) such period as may be deemed by us to be necessary in light of applicable statutory limitation periods; and

(c) otherwise only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data are Processed (as described in this Privacy Policy).

11. Data Transfers outside the EEA

11.1 From time to time, the Company may transfer Personal Data to countries outside the EEA which may not have the same or equivalent Data Protection Law as Ireland. If such transfer occurs, the Company will ensure that such processing of Personal Data is in compliance with Data Protection Law and, in particular, that appropriate measures are in place such as entering into Model Contractual Clauses (as published by the European Commission).

12. Further Information/Complaints Procedure

12.1 Further information about this Privacy Policy and/or the Processing of Personal Data by or on behalf of the Company may be made available to Data Subjects being borrowers or related persons under the Greek loans owned by the Company if necessary by addressing their request in writing to the Servicer’s Customer Service and Complaints Management Unit of doValue Greece, 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected]. While Data Subjects may make a complaint in respect of compliance with Data Protection Law directly to the Irish Data Protection Commission, Data Subjects being borrowers or related persons under the Greek loans owned by the Company will be requested to contact the Servicer’s [Customer Service and Complaints Management Unit of doValue Greece, 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected] in the first instance to give us the opportunity to address any concerns that they may have.

Date: [24 May] 2021

ANNEX I

Glossary

In this Privacy Policy, the terms below have the following meaning:

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Data Processor” means the party that Processes Personal Data on behalf of the Data Controller.

“Data Protection Law” means the General Data Protection Regulation (No 2016/679) (“GDPR”) and the Data Protection Act 2018 and any other laws which apply to the Company in relation to the Processing of Personal Data.

“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.

“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include:

a name, an identification number;
details about an individual’s location; or
any other information that is specific to that individual.

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “Processing” are interpreted accordingly.

“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal convictions or offences.

ANNEX II

Types of Personal Data

Categories of Data Subject	Type of Personal Data
1. Shareholders / Noteholders / Borrowers and related persons	Name, mailing and residential addresses, email address, telephone number, beneficiary name, nationality, date of birth, account number, bank account details, tax identification number, etc.
2. Directors, designated persons and other individuals performing “controlled functions” within the Company under the Central Bank of Ireland’s Fitness & Probity regime.	Name, mailing and residential addresses, email address, telephone number, date of birth, nationality, etc.
3. Employees of Company service providers.	Name, mailing address, email address and telephone number, etc.