POLICY ON THE TREATMENT OF PERSONAL DATA OF MILLY HOLDING, S.A.

1. OBJECTIVE
The objective of this policy is to establish the criteria for the collection, storage, use, circulation, and deletion of personal data processed by MILLY HOLDING, S.A., in compliance with the provisions of Executive Decree No. 285 of May 28, 2021 (the “Regulation”), which regulates Law No. 81 of March 26, 2019 (the “PDP Law”), setting mandatory guidelines for the Protection of Personal Data, as well as other relevant regulations.

2. SCOPE
This policy applies to all personal information recorded in the databases of MILLY HOLDING, S.A., which acts as the data controller.

3. OBLIGATIONS
This policy is mandatory and strictly enforceable for MILLY HOLDING, S.A.

4. DATA CONTROLLER
MILLY HOLDING, S.A., and the entities, legal persons, or natural persons associated with the main contract are individually responsible for each of the data stored in the databases.

5. DEFINITIONS

Privacy Notice: A verbal or written communication generated by the data controller, directed to the data subject, informing them about the existence of data processing policies that apply to them, how to access them, and the purposes for which the personal data will be processed.
Authorization: The prior, express, and informed consent of the data subject to carry out the processing of their personal data.


Data Subject: The individual to whom the data refers.

Data Controller: The person who makes decisions related to the data processing (i.e., the purposes, means, scope, etc.).

Database Custodian: A person acting on behalf of the data controller and responsible for safeguarding the database.
Personal Data Protection Officer:

    • Public Entities: The designated official responsible for managing the liaison unit.
    • Private Entities: They may appoint an individual to be responsible for subscribing to the data controller or custodian’s role. For private entities, this designation is not mandatory but will be considered as a factor when determining penalties.

Recipient: A natural or legal person, public authority, service, or body to which personal data is transferred.

Exporter: A natural or legal person, whether public or private, domiciled in the Republic of Panama, who transfers personal data cross-border.


7. TRANSFER AND TRANSMISSION OF PERSONAL DATA
MILLY HOLDING, S.A. may transfer and transmit personal data to third parties with whom it has operational relationships that provide necessary services for its proper operation, or in accordance with the functions assigned to it under the law. All data shared via WhatsApp messages, email, or any marketing tool between companies within the Milly holding group will be subject to the necessary measures to ensure that individuals with access to personal data comply with this Policy and the principles of personal data protection and the obligations established by the Law.
In the case of data transfer, MILLY HOLDING, S.A. will comply with the obligations stipulated in Executive Decree No. 285 of May 28, 2021 (the “Regulation”), which regulates Law No. 81 of March 26, 2019 (the “PDP Law”), and other related regulations.

8. RIGHTS OF THE DATA SUBJECTS
The data subjects will have the following rights:

  • Access their provided data that has been processed free of charge.
  • Know, update, and rectify their information in the case of partial, inaccurate, incomplete, fragmented data, or data that induces errors, or when the processing is prohibited or unauthorized.
  • Request proof of the authorization granted.
  • Submit a claim before a judicial office.
  • Revoke the authorization and/or request the deletion of data, provided there is no legal or contractual obligation preventing their deletion.
  • Choose not to respond to questions about sensitive data. Answers regarding sensitive data of minors will be optional.


9. HANDLING PETITIONS, CONSULTATIONS, AND CLAIMS
The rights of the data subjects may be exercised through the channels or means provided by MILLY HOLDING, S.A.
The legal department is responsible for processing requests from data subjects to exercise their rights.

10. PROCEDURE FOR EXERCISING THE RIGHT OF HABEAS DATA
In compliance with personal data protection regulations, MILLY HOLDING, S.A. outlines the procedure and minimum requirements for exercising the rights of data subjects.
To submit and process your request, please provide the following information:

  • Full name.
  • Contact information (physical address, email address, and contact phone numbers).
  • Means to receive a response to your request.
  • Reason(s) or fact(s) giving rise to the claim, along with a brief description of the right being exercised (access, update, rectify, request proof of authorization granted, revoke it, delete, access the information).
  • Signature (if applicable) and identification number.
    The maximum period established by law for resolving claims is fifteen (15) business days, starting the day after its receipt.
    If it is not possible to address the claim within this time frame, MILLY HOLDING, S.A. will inform the individual of the reason for the delay and the new date when their claim will be addressed, which cannot exceed eight (8) additional business days after the original period.


11. VALIDITY
This Personal Data Processing Policy is effective from the signing of the contract. The personal data provided will be retained as long as the data subject does not request its deletion and as long as there is no legal obligation to retain it.