Personal Data Protection Policy

Objective

Through this policy, the Organization establishes the principles, permitted processing operations and personal data protection rights that govern good administrative practice, in accordance with the guidelines set out in Agreement 001-2022 of the Superintendency of Banks of Panama, Law 81 of 2019 on the Protection of Personal Data of the Republic of Panama, and the Data Protection Law, 2017 of the Cayman Islands.

Scope

This policy applies to all personal data collection, processing, storage and transfer activities carried out by Towerbank International Inc. and Subsidiaries in the exercise of their business activities. It is mandatory for:

• All employees, suppliers, contractors and third parties who handle personal data on behalf of Towerbank International Inc. and Subsidiaries.

• All internal areas and processes where personal data is processed.

• Personal data of customers, employees, suppliers and any other person whose data is managed by the entity.

• Transfers of personal data within and outside the jurisdiction, ensuring compliance with Panama's Law 81 of 2019 and the Cayman Islands Data Protection Law 2017.

This policy applies locally and internationally, including in those countries where Towerbank International Inc. and Subsidiaries operate or to which they transfer personal data under current contractual agreements and regulations.

Regulatory Framework

The organization is responsible for ensuring the adequate implementation of controls, following the best-practice guidelines established by the ISO/IEC 27001 reference model for Information Security Management Systems and by Agreement 01-2022, “Which establishes special guidelines for the protection of personal data processed by banking institutions”.

Panama:

a. Regulatory Framework (art. 2 Executive Decree 285)

b. Terms and definitions (art. 4 Executive Decree 285, art. 4 Agreement 1-2022)

c. Content of the privacy notice (art. 14 Executive Decree 285)

d. Deadlines for providing information (privacy notice) (art. 15 Executive Decree 285)

e. Form for providing information (privacy notice) (art. 16 Executive Decree 285)

f. Revocation of consent (art. 19 Executive Decree 285)

g. General provisions on the exercise of the rights of data subjects (art. 21 Executive Decree 285)

h. Identification of the requested information. (art. 25 Executive Decree 285)

i. Exercise of ARCO rights (articles 26, 27, 28, 29, 30 and 31 of Executive Decree 285)

j. Legal conditions for processing (art. Executive Decree 285)

k. Limitations on the exercise of rights (art. 31 Executive Decree 285)

l. Form for providing information (request for access) (art. 16 Executive Decree 285)

m. Delivery of information to the competent judicial authority (art. 24 Executive Decree 285)

n. Duty of confidentiality. (art. 34 Executive Decree 285)

o. Database registration (art. 35 Executive Decree 285)

p. Security of personal data (art. 36 Executive Decree 285)

q. Notification of personal data security breaches (art. 37 Executive Decree 285)

r. Documentation of personal data security violations. (art. 38 Executive Decree 285)

s. Conditions for cross-border data transfers. (art. 51 Executive Decree 285)

t. Procedures for receiving and responding to requests and complaints from data subjects. (art. 18 and 19 of Agreement 1-2022)

u. Complaints to the Superintendency of Banks (art. 27, Agreement 1-2022)

Cayman Islands:

a. Purpose of the Act (Art. 1)

b. Scope of Application (Art. 2)

c. Definitions (Art. 3)

d. General Principles (Art. 4)

e. Right to Information (Art. 5)

f. Right of Access (Art. 6)

g. Right of Rectification (Art. 7)

h. Right of Deletion or Cancellation (Art. 8)

i. Right to Restriction of Processing (Art. 9)

j. Right to Data Portability (Art. 10)

k. Right to Object to Processing (Art. 11)

l. Legal Basis for Processing (Art. 12)

m. Security Measures (Art. 13)

n. Notification of Security Breaches (Art. 14)

o. General International Transfer Rules (Art. 15)

p. Supervisory Authority (Art. 16)

q. Sanctions and Responsibilities (Art. 17)

General guidelines

Towerbank International Inc. and Subsidiaries remain responsible for fulfilling their commitments in line with best practices in Information Security, Cybersecurity and Personal Data Protection, so as to prevent any strategic, operational or reputational impact on Towerbank International Inc., its subsidiaries or its clients.

Background

Towerbank International Inc. and its subsidiaries offer their clients a variety of products and services designed to deliver a sound business experience while upholding the premises of integrity, confidentiality, availability and data security. Committed to best practices in Information Security, Cybersecurity and Data Protection, Towerbank International Inc. and Subsidiaries declare their position of maintaining a sound practice of implementing the applicable control measures in these areas.

Reference Framework

Applicability of good international practices as internal control measures required by the Personal Data Protection Act: Towerbank International Inc. and its subsidiaries shall ensure the application of the guidelines required by the Personal Data Protection Act, adopting control measures to mitigate exposure to the risks associated with the processing of sensitive information within the organization. To this end, the entity relies on a reference model of international best practices that incorporates recognized information security standards such as ISO/IEC 27001.

Following these guidelines on Information Security, Cybersecurity and Personal Data Protection, Towerbank International Inc. and its subsidiaries will establish internal control guidelines applicable to the operational processes involved in the processing of sensitive information. They will also implement administrative control and management measures in accordance with the Personal Data Protection Act, Agreement 001-2022 of the Superintendency of Banks of Panama and the Cayman Islands Data Protection Act.

The priority objective is to ensure compliance with the fundamental principles governing the protection of personal data: fairness, specific purpose, proportionality, veracity and accuracy, data minimization, information security, transparency, confidentiality, lawfulness, portability, equity and storage limitation.

Right of Access

This right allows the data subject to obtain the personal data about them that is stored or processed in databases, and to know the origin of the data and the purpose for which it was collected.

Viability of access to the provision of information: When a customer requests information about their personal data, the organization must provide the information established in Article 24 of Executive Decree No. 285 of 2021, which covers the following:

• The purposes of the treatment;

• The categories of personal data in question;

• The recipients or categories of recipients to whom the personal data were or will be communicated;

• Expected period of storage of personal data or, if not possible, the criteria used to determine this period;

• The right to request rectification or cancellation of personal data, to object to the processing, or to data portability;

• Any available information on the source of the data when it was not provided by the customer;

• The existence of automated decision-making, including profiling, as referred to in Law No. 81 of 2019; in that case, meaningful information on the logic applied, as well as the significance and the expected consequences of such processing for the data subject.

Non-viability of the right of access: The right of access will not apply in the following cases:

• When the applicant is not the data subject, or the representative is not duly authorized;

• When the customer's personal data is not found in the bank's database or in that of the database custodian;

• When any of the limitations established in Article 31 of Executive Decree 285 of 2021, or in any other legal provision or implementing regulation, applies.

Right of Rectification

This right allows the data subject to request the correction of personal data that is incorrect, irrelevant, incomplete, outdated, inaccurate or false.

Note: Data that is erroneous, inaccurate, ambiguous or incomplete must be modified within five business days of the request for modification. In addition, Towerbank, in accordance with Law 81 on the Protection of Personal Data, may delete, modify or block personal data without a request from the data subject when there is evidence that the data is inaccurate.

In accordance with Agreement 01-2022 of the Superintendency of Banks of Panama, once the request has been submitted by the client or their authorized representative, indicating the specific data concerned and the rectification to be carried out, and provided that it is accompanied by documentation supporting the inaccuracy of the data, the request will be analyzed in order to proceed with the correction.

Towerbank International Inc. and Subsidiaries may take reasonable measures to rectify personal data without a request from the client when there is proof that the data is inaccurate, in accordance with the principle of accuracy.

Non-viability of rectification: The right of rectification will not apply in the following cases:

• When any of the limitations established in Article 31 of Executive Decree No. 285 of 2021, or in any other legal provision or implementing regulation, applies.

• When the rectification has already been carried out.

Right of Cancellation

This right allows the data subject to request the deletion of personal data that is incorrect, irrelevant, incomplete, outdated, inaccurate or false.

Note: Without prejudice to legal exceptions, the data subject has the right to demand that their personal data be deleted when its storage has no legal basis, when it has not been expressly authorized, or when it has expired. Personal data whose accuracy cannot be established or whose validity is in doubt, and to which cancellation does not apply, will be blocked: access by third parties will be prevented and the data will not be used for any purpose other than those expressly authorized.

Feasibility of cancellation: The deletion or erasure of personal data requested by the customer will apply under the following conditions:

• When personal data are no longer necessary in relation to the purposes for which they were collected or processed;

• When the customer withdraws the consent on which the processing is based and the processing has no other legal basis;

• When the customer objects to the processing and no other legitimate grounds for the processing prevail;

• When personal data must be deleted to comply with a legal obligation that applies to the data controller;

• When a transaction with a prospective customer is not completed or concluded;

• When the contractual relationship with the customer has ended or been fulfilled and the legal retention period established by current laws and regulations has elapsed.

Non-viability of cancellation: The right of cancellation will not apply in the following circumstances:

• When the data must be kept or processed to comply with a banking provision or other legal provision;

• When the legal retention period has elapsed but a special provision establishes a different retention period;

• When the legal retention period has elapsed but the bank has a legitimate interest in retaining the data;

• Any other circumstance in which a legitimate reason requires retention, provided that the rights of the data subject do not prevail;

• When any of the limitations established in Article 31 of Executive Decree No. 285 of 2021, or in any other legal provision or implementing regulation, applies.

• When the cancellation has already been carried out.

Right of Opposition

This right allows the data subject, for well-founded and legitimate reasons related to their particular situation, to refuse to provide their personal data or to be subject to certain processing, as well as to revoke their consent.

Feasibility of opposition: The measures requested by the customer will apply under the following conditions:

• When the data is processed for purposes other than the specified ones, or for purposes incompatible with them;

• When the processing is for advertising or marketing purposes;

• When the data is not necessary for the operation, service or product to be provided, or does not correspond to regulatory requirements.

Non-viability of opposition: The right of opposition will not apply in the following cases:

• When the information is necessary for the conclusion or performance of a contract and the related banking services.

• Other cases provided for by law or banking regulation.

• When any of the limitations established in Article 31 of Executive Decree No. 285 of 2021, or in any other legal provision or implementing regulation, applies.

Note: If the customer revokes their consent to the processing, or to a particular processing operation, the organization must stop processing the personal data unless a condition of lawfulness or a legitimate reason for the processing prevails over the right to object. Revocation of consent by the customer or their representative has no retroactive effect and does not affect the lawfulness of processing carried out on the basis of the prior consent.

Right to Portability

This right allows the data subject to obtain a copy of their personal data in a structured, generic and commonly used format that can be processed by different systems and/or transmitted to another data controller, when:

• The data subject provided the data directly to the data controller.

• A relevant volume of data is involved, processed by automated means.

• The data subject has given consent to the processing, or the processing is required for the execution or performance of a contract.

Feasibility of portability: The measures requested by the customer will apply under the following conditions:

• When the customer provided the data directly to the bank as data controller;

• When the processing is carried out by automated means, that is, by digital or technological means;

• When a relevant volume of data is involved;

• When the customer has given consent to the processing, or the processing is based on a contract.

Non-viability of portability: The right to portability will not apply in the following cases:

• When the information has been inferred, derived, created, generated or obtained from analysis or processing carried out by the bank on the basis of the personal data provided by the customer;

• When it would affect the rights of third parties or the rights and freedoms of other data subjects.

The provision of information and the modification, blocking or deletion of personal data will be entirely free of charge, and, at the request of the data subject or their representative, a record of the updated database must be provided. However, Towerbank International Inc. and Subsidiaries, fully aware of the requirements of Law 81 on the Protection of Personal Data, will refrain from responding to any request for information, rectification, cancellation or blocking of personal data when doing so would prevent or hinder due process in an administrative or judicial proceeding or affect State security, or when the bank is required by legal mandate to keep the personal data stored, beyond the cases established in the special laws that apply to it.

Towerbank, as the responsible organization, will ensure the measures needed to guarantee that data subjects can exercise these rights, which are inalienable except for the exceptions stipulated in special laws.

Conditions and Formalities for Processing

In accordance with Agreement 1-2022 of the Superintendency of Banks of Panama, all personal data processing carried out by the bank will be subject to the prior, informed and unequivocal consent of the data subject or their authorized representative, save for the exceptions indicated in this policy.

Consequently, when processing is based on consent, the consent must be given in writing or by any other electronic means that guarantees the identity of the data subject, so that there is certainty as to who the data subject is and that they are identified or identifiable. If consent is obtained through electronic means, the bank will ensure that it complies with the requirements established by the Banking Agreements and the special laws on the subject. As an administrative management measure, the organization shall provide:

• All appropriate means and procedures for the effective granting of consent, which must be easy to understand, accessible, free of charge and duly identified.

• A written statement, in understandable, easily accessible, clear and simple language, recording the consent given by each client.

• Mechanisms that make it possible to demonstrate with certainty that the customer granted consent and that it was properly granted for the processing of their personal data. If electronic or technological means are used, they must meet the requirements for their validity, as well as the other security controls established in the Banking Agreements.

Personal Data obtained from other sources

As a measure of transparency, Towerbank International Inc. and its subsidiaries will always collect personal information from reliable sources. Where personal data is obtained from another data controller resident in the Republic of Panama, the Organization will ensure that the client has given prior consent for that purpose. Where the information comes from or is collected from public sources, or is accessible through public media, no authorization or consent from the client is required for the processing of their data. In accordance with Article 12 of Agreement 1-2022, personal data obtained through communication media, whether traditional media or digital media such as social networks (for example Twitter, Facebook, Instagram and others), is considered to come from publicly accessible sources.

Processing that does not require consent

Towerbank International Inc. and its subsidiaries will not require the client's consent or authorization for the processing of personal data in the cases indicated in Article 111 of the Banking Law and the agreements that implement it. Additionally, in compliance with Article 8 of Law No. 81 of 2019 and Article 17 of Executive Decree No. 285 of May 28, 2021, authorization or consent will not be required for the processing of personal data in the following cases:

• Banking processing for which prior consent already exists;

• When necessary for the application and performance of banking contracts to which the customer is a party or in which the customer has an interest;

• Processing whose purpose is to preserve the safety of people and bank facilities;

• When the processing is necessary for the proper administration and management of the different banking risks;

• When necessary to comply with requirements or obligations required by banking regulations;

• When the data is used by or shared between the bank, the owner of the bank's shares, its subsidiaries or other companies in the banking group for the exercise of the banking institution's own functions, provided that it is not for marketing purposes;

• When data processing is necessary to comply with the requirements established by the Superintendency of Banks for the exchange of information with other financial supervisory bodies;

• When the processing is based on a legitimate interest of the bank derived from the existing relationship with the customer by reason of a banking service or product;

• When the processing is necessary for the transfer, communication or interconnection of personal data to a database custodian, a banking service provider or third parties for the management of the bank-customer contractual relationship, provided that it relates to the provision of a banking or marketing service or product;

• Any other processing established by the Law and related regulations.

Important note: Sending the customer advertising, commercial or marketing communications about banking or other similar products and services requires the customer's prior, informed and unequivocal consent.

Data Retention Deadlines

Towerbank International Inc. and Subsidiaries will ensure that personal data is kept in accordance with the applicable regulations in each jurisdiction:

• Panama:

In accordance with Law 81 of 2019 on Personal Data Protection, personal data will be kept only for as long as necessary to fulfill the purpose for which it was collected. However, in compliance with financial and tax regulations, the data is retained for a minimum period of 5 years after the end of the contractual relationship with the data subject.

• Cayman Islands:

Under the Data Protection Law, 2017, personal data must be kept only for as long as strictly necessary to fulfill the original purpose of the processing. However, in the financial sector, entities regulated by the Cayman Islands Monetary Authority (CIMA) must retain certain data for a minimum of 5 years after the termination of the contractual relationship, in compliance with the international standards of the FATF (Financial Action Task Force) and anti-money-laundering regulations.

Internal Control System

In order to ensure compliance with Agreement 1-2022 on the Protection of Personal Data and the Data Protection Law, 2017 of the Cayman Islands, Towerbank International Inc. and Subsidiaries will apply the guidelines set out in the Corporate Governance regulations issued by the Superintendency of Banks of Panama and the Cayman Islands Monetary Authority (CIMA) with regard to the Internal Control System. In addition, forms have been established to help employees and clients manage their requests and exercise their rights in relation to the protection of their personal data.

Compliance, Training and Auditing Metrics

Towerbank International Inc. and Subsidiaries will implement compliance indicators to ensure the proper management of personal data, ensuring that they are measurable and auditable:

• ARCO Rights

▪ Response time to ARCO requests: 100% of requests for access, rectification, cancellation and opposition must be answered within a maximum of 30 business days.

▪ Number of ARCO requests processed: The volume and type of requests managed will be recorded monthly.

• Security and Data Breach Management

▪ Number of reported security incidents: Each incident involving personal data will be documented.

▪ Time to detect and respond to a breach: identification within 24 hours and notification within 72 hours. Applicable to processing in Panama and the Cayman Islands.

▪ Percentage of employees trained in data protection: 100% of staff must complete annual training on personal data protection, measured against training records.

• Compliance Assessments and Audits

▪ Number of audits performed: At least one annual internal or external audit will be performed to verify compliance with applicable regulations.

▪ Level of compliance in audits: Minimum compliance of 90% is expected without critical findings.

▪ Number of non-compliance findings and their resolution: All findings must be closed within the deadlines established in the corrective action plans.

• Data Retention and Deletion

▪ Percentage of data deleted after the retention period: 100% of personal data must be deleted or anonymized once the defined retention period has elapsed.

▪ Periodic database review: An annual review will be carried out to verify compliance with data retention and deletion periods.

• Data Transfer Management

▪ Number of authorized international data transfers: A record of transfers made in accordance with current regulations will be kept.

▪ Compliance with contracts with data protection clauses: 100% of contracts with suppliers and third parties must include privacy and data security clauses.

These indicators will be reviewed biannually by the Information Security Committee, ensuring the implementation of corrective measures and effective compliance with applicable legislation.

Key Terms

• Personal Data: Any information that allows a natural person to be directly or indirectly identified.

• Sensitive Data: Personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, or data concerning health or sex life.

• Data Subject: Natural person to whom the personal data being processed belong.

• Data Processing: Any operation performed on personal data, including collection, storage, use, transfer or deletion.

• Consent: Prior, informed and unambiguous authorization of the data subject for processing.

• ARCO Rights: Set of rights that include Access, Rectification, Cancellation and Opposition to the processing of personal data.

• Right of Access: Allows the data subject to know whether their data is being processed, as well as its origin and purpose.

• Right of Rectification: Right of the data subject to request the correction of incorrect or outdated data.

• Right of Cancellation: Right to request the deletion of personal data when they are no longer necessary or consent has been revoked.

• Right of Opposition: Right of the data subject to object to the processing of their data for legitimate reasons.

• Right to Portability: Right to receive personal data in a structured and commonly used format in order to transfer it to another data controller.

• Data Processor: Person or entity that processes personal data on behalf of the data controller.

• Data Controller: Person or entity that decides on the purposes and means of the processing of personal data.

• Privacy Notice: Document that informs the owners about the processing of their personal data and their rights.

• Database: Organized set of personal data processed by a data controller or data processor.

• Security Measures: Technical and organizational controls applied to protect personal data against unauthorized access, loss or destruction.

• Personal Data Breach: Any incident that compromises the confidentiality, integrity, or availability of personal data.

• International Data Transfer: Movement of personal data outside the country, subject to specific regulations.

• Confidentiality: Principle that requires the protection of personal data from unauthorized access.

• Data Minimization: Principle that states that only data that is strictly necessary for the stated purpose should be collected.

• Storage Limitation: Restriction that prevents personal data from being kept longer than necessary for the purpose.

• Automated Decision: Evaluation of personal data using algorithms without human intervention.

• Superintendency of Banks of Panama (SBP): Regulatory entity that oversees the protection of personal data in banking institutions in Panama.

• ISO 27001: International standard for information security management.

• Law 81 on the Protection of Personal Data: Legislation of Panama that regulates the processing of personal data.

• Data Protection Law (DPL): The Data Protection Law, 2017 of the Cayman Islands.

• Legitimate Interest: Legal basis for processing personal data without consent, provided that the rights of the data subject do not prevail.