Introduction

This Privacy Notice of the INTERNAL REGULATION FOR PERSONAL DATA PROTECTION is issued in compliance with the Organic Law on Personal Data Protection, published in Official Gazette Supplement 459 on May 26, 2021 ("LOPDP"), and other laws of the Republic of Ecuador, in order to protect rights related to personal data protection, privacy, intimacy, and confidentiality, and to obtain the data subject's consent in favor of TRANSPORTES NOROCCIDENTAL CIA. LTDA. for the use, processing, collection, and transfer of such data. By using websites such as https://www.noroccidental.com/, WhatsApp support, and chatbot services, and by freely and voluntarily providing any data via contact forms, you accept the Website or App Terms and Conditions of Use and the provisions of this Privacy Notice.

Article 1.- Data Controller

The company TRANSPORTES NOROCCIDENTAL CIA. LTDA., hereinafter "The Controller", guarantees rights to privacy, intimacy, reputation, and image in the processing of personal data. For this purpose, all its actions are governed by principles of legality, freedom, truthfulness or quality of information, transparency, restricted access and circulation, security, and confidentiality. The data controller is: TRANSPORTES NOROCCIDENTAL CIA. LTDA. **Email:** datospersonales@noroccidental.com **Phone:** (593) 2 3520 420 during business hours from 08:00 to 17:00, Monday to Friday.

Articles 2-5.- General Provisions

**Article 2.-** Any person who, in the course of any activity, including commercial or employment activities, whether permanent or occasional, provides any type of information or personal data to "THE CONTROLLER" may access, update, and rectify such data. **Article 3.-** This policy is mandatory. **Article 4.- Purpose.-** Through this Regulation, "THE CONTROLLER" establishes parameters for collecting, preserving, and managing personal data, and for data subjects to access, update, rectify, or request deletion of data collected in the company's databases. **Article 5.- Scope.-** The provisions in this Regulation apply to all departments that form the organizational structure of "THE CONTROLLER".

Article 6.- Definitions

For the purposes of this regulation and in accordance with current personal data protection rules, the following terms shall have the meanings indicated below. Terms not expressly defined shall be understood according to technical usage and, ultimately, their natural and ordinary meaning.

**a) Personal Data Protection Authority:** Independent public authority responsible for supervising application of the law and related regulations to protect the fundamental rights and freedoms of individuals regarding personal data processing.

**b) Consent:** Free, specific, informed, and unequivocal expression of will through which the data subject authorizes the controller to process personal data.

**c) Privacy notice:** Oral or written communication issued by the Controller to the Data Subject regarding data processing, informing about applicable policies, how to access them, and processing purposes.

**d) Database or file:** Structured set of data regardless of form, creation, storage, organization, support type, processing, location, or access, whether centralized, decentralized, or functionally/geographically distributed.

**e) Personal data:** Data that identifies or makes a natural person identifiable directly or indirectly.

**f) Credit-related personal data:** Data that reflects the economic behavior of individuals to evaluate financial capacity.

**g) Sensitive data:** Data related to ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, criminal record, migration status, sexual orientation, health, biometric and genetic data, and any data whose misuse may result in discrimination or violate fundamental rights and freedoms.

**h) Data Protection Officer:** Individual responsible for informing the controller or processor about legal obligations, monitoring compliance, and cooperating with the Data Protection Authority as a contact point.

**i) Data processor:** Natural or legal person, public or private entity, public authority, or other body that processes personal data on behalf of a controller.

**j) Data controller:** Natural or legal person, public or private entity, public authority, or other body that determines purposes and means of personal data processing.

**k) Data subject:** Natural person whose personal data is processed.

**l) Processing:** Any operation performed on personal data, whether automated, partially automated, or non-automated, including collection, recording, organization, storage, modification, consultation, use, disclosure, transfer, restriction, deletion, destruction, and any other form of handling.

**m) Transfer or disclosure:** Any communication or disclosure of personal data to a person other than the data subject, controller, or processor. Disclosed data must be accurate, complete, and up to date.

**n) Successor in interest:** Person who succeeds another due to death and acquires rights.

**o) Personal data security breach, theft, leak, or loss:** Any physical or digital incident that causes unavailability, loss, alteration, or unauthorized access affecting confidentiality, availability, or integrity of personal data.

**p) Cookies:** Small files stored on a device for a limited time that help personalize online services.

**q) User:** Natural or legal person who browses Website(s) and/or App(s) and accepts these Terms and Conditions.

**r) Website:** Platform managed by TRANSPORTES NOROCCIDENTAL CIA. LTDA. to provide service information and online services to clients, prospects, and users, including https://www.noroccidental.com/.

**s) Apps:** Platforms managed by TRANSPORTES NOROCCIDENTAL CIA. LTDA. through which services are provided to clients.

Article 7.- Principles

Without prejudice to other principles set out in the Constitution, international instruments ratified by the State, the Organic Law on Personal Data Protection, and other legal rules, "THE CONTROLLER" shall apply the following principles in a harmonious and comprehensive manner in all processing, transfer, and transmission of personal data:

**a) Purpose limitation:** Processing purposes must be determined, explicit, legitimate, and communicated to the data subject. Data may not be processed for incompatible purposes unless a lawful basis for further processing exists.

**b) Quality and accuracy:** Personal data must be accurate, complete, verifiable, clear, and, when applicable, updated. Reasonable measures shall be taken to delete or rectify inaccurate data without delay.

**c) Transparency:** Personal data processing must be transparent, and related information must be accessible, easy to understand, and provided in clear language.

**d) Relevance and minimization:** Personal data must be relevant and limited to what is strictly necessary for the stated purpose.

**e) Security:** Controllers and processors must implement appropriate and necessary technical and organizational security measures according to the state of the art, data nature, scope, and context.

**f) Confidentiality:** Personal data shall be treated under due secrecy and may not be used or disclosed for purposes different from those for which it was collected, unless legally permitted.

**g) Transfer or disclosure:** Any disclosure of personal data to third parties must ensure data is accurate, complete, and up to date.

Articles 8-11.- Exercise of Rights and Data Subject Rights

**Article 8.- Exercise of rights.-** Rights under this Regulation may be exercised by: (a) the data subject, duly identified; (b) successors/heirs with proper supporting documentation; (c) public entities within legal authority; and (d) duly authorized legal representatives or attorneys-in-fact. Free access to personal data information will be provided according to the storage medium. **Article 9.- Data subject rights.-** Data subjects have, among others, the following rights: access, rectification and update, deletion, and objection, under the terms established by law. **Article 10.- Access guarantees.-** To guarantee access rights, "THE CONTROLLER" shall provide personal data free of charge, after identity and legal standing verification, through any suitable means, including electronic means enabling direct access. **Article 11.- Rights of children and adolescents.-** Processing of minors' personal data shall ensure protection of their prevailing rights. Processing is generally prohibited except for public data and only under legal safeguards, including the best interests of minors, respect for fundamental rights, and consent/authorization from legal representatives.

Articles 12-17.- Authorization and Sensitive Data

**Article 12.- Authorization for data processing.-** Except for legal exceptions under Article 18 of the LOPDP, prior informed authorization and explicit, unequivocal consent from the data subject is required and must be collectable as evidence. Authorization is not required for: public authority requests within powers or court order, public data, medical emergencies, legally authorized historical/statistical/scientific processing, civil registry data, or data necessary to fulfill contractual obligations. **Article 13.- Minimum content of authorization.-** Authorization must include at least: processing purposes, optional nature of responses concerning sensitive data and minors' data, rights of the data subject, means to exercise rights, and controller identity/contact details. **Article 14.- Means of authorization.-** Authorization may be obtained through physical or electronic documents, data messages, internet, websites, or other formats that clearly evidence consent. **Article 15.- Proof of authorization.-** "THE CONTROLLER" shall retain proof of authorization and records of how and when consent was obtained. **Article 16.- Revocation of authorization.-** Data subjects may revoke authorization or request deletion at any time, unless legal or contractual obligations prevent this. Revocation may be total or partial depending on authorized purposes. **Article 17.- Sensitive data.-** Sensitive data may be processed only when lawful conditions apply, including explicit authorization, vital interests, judicial defense, or historical/commercial/statistical/scientific purposes with adequate safeguards.

Articles 18-20.- Privacy Notice and Inquiries

**Article 18.- Privacy notice.-** The privacy notice is a physical, electronic, or other-format document made available to the data subject to inform them about personal data processing, applicable policies, how to access them, and the intended characteristics of processing. At minimum, it shall include: controller identity and contact details, type and purpose of processing, data subject rights, means to consult policy updates, and optional nature of responses regarding sensitive data. **Article 19.- Confidentiality notice.-** This is the text included in physical or electronic communications sent by "THE CONTROLLER" indicating that message content is confidential and intended solely for the recipient. **Article 20.-** Data subjects may consult their personal data free of charge at least once per calendar month and whenever substantial policy changes occur. Additional consultations may incur reasonable reproduction, shipment, or certification costs under legal limits.

Article 21.- Duties of the Controller

"THE CONTROLLER" acknowledges that individuals own their personal data and may exclusively decide on it. Therefore, data shall be used only for purposes expressly authorized by the data subject or current regulations. Duties include, among others: ensuring full and effective exercise of habeas data rights; guaranteeing access, rectification, update, deletion, and objection rights; requesting and retaining valid authorizations; maintaining data quality and updates; processing inquiries and claims under the LOPDP; reporting security incidents to competent authorities; complying with instructions from the Personal Data Protection Superintendency; and restricting access to authorized persons only. Compliance with these duties shall be carried out by the Data Protection Officer designated by the company.

Articles 22-28.- Inquiries, Claims, and Requests

**Article 22.- Inquiries.-** Data subjects, their successors, or attorneys may consult personal data held by "THE CONTROLLER", after proving identity and representation. **Article 23.-** Upon receiving a request, "THE CONTROLLER" will verify records linked to the provided identity data. If inconsistencies are found, the applicant will be notified within five business days to clarify them. If the information is consistent, a response will be provided within ten business days, extendable by up to five additional business days with prior notice. **Article 24.- Claims.-** Data subjects, successors, or attorneys who believe data must be corrected, updated, or deleted may file a claim. **Article 25.- Claim procedure.-** Claims must include identification, a clear description of facts, notification address, and supporting documents. Incomplete claims must be corrected; otherwise, they may be deemed withdrawn. Complete claims will be marked as "claim in process" within two business days. The maximum response term is fifteen business days, extendable by up to eight additional business days with justification. **Article 26.- Update and rectification requests.-** "THE CONTROLLER" shall rectify or update incomplete/inaccurate data under the same procedures and terms, using mechanisms that facilitate the exercise of rights. **Article 27.- Data deletion requests.-** Data subjects may request deletion when processing is unlawful, data is no longer necessary, or retention periods have expired, except where legal or contractual duties require retention. **Article 28.- Database records.-** In legally allowed cases, "THE CONTROLLER" may keep and classify certain information as confidential in its databases or repositories.

Articles 29-31.- Security and Data Transfers

**Article 29.- Information security measures.-** In compliance with the security principle, "THE CONTROLLER" shall adopt necessary measures according to available technology to protect personal data against alteration, loss, unauthorized consultation, use, or fraudulent access. **Article 30.- Use and international transfer of personal data.-** As part of commercial operations, "THE CONTROLLER" may transfer and transmit personal data, including internationally, subject to applicable legal requirements. Third parties receiving data must commit to this Regulation and use data only for purposes directly related to the Controller's operations and only for the required period. International transfers shall comply with Article 55 of the LOPDP. Data may also be shared with authorities, courts, administrative bodies, and legal advisors when required by law, legal proceedings, public requests, contractual enforcement, operational protection, or rights/safety protection. **Article 31.- Complaints before the Personal Data Protection Superintendency.-** Data subjects, successors, or attorneys must first exhaust the inquiry process before "THE CONTROLLER" prior to filing complaints before the authority.

Articles 32-35.- Data Processing Responsibility and Compliance

**Article 32.- Responsible person for personal data processing.-** The lawyer delegated by the Controller is designated as responsible for personal data processing and for ensuring proper use of information within the company. **Article 33.-** In accordance with Article 22 of this Regulation, those responsible shall process petitions, complaints, and claims related to data protection under this instrument. **Article 34.- Powers and responsibilities.-** Responsible parties shall act as the communication channel with the Personal Data Protection Superintendency (or equivalent authority) and coordinate and monitor actions related to personal data processing. **Article 35.- Implementation and compliance.-** Implementation of and compliance with this internal regulation and related safeguards shall be integrated into company processes and planning to ensure execution, monitoring, evaluation, and continuous improvement.

Articles 36-40.- Incorrect Data, Cookies, and Changes

**Article 36.- Provision of false data or refusal to provide data.-** If a User provides false or inaccurate data to request products/services on the Website or Apps, "THE CONTROLLER" may refuse to provide such products/services. The Controller may also remove or block profiles when inaccurate data is confirmed. Users are responsible for providing truthful and reliable data. **Article 37.- Inquiry channel.-** Data subjects may, at any time and free of charge, confirm whether "THE CONTROLLER" processes their data and may request access, deletion, rectification, update, objection, suspension, portability, and not to be subject to decisions based solely or partially on automated processing, by contacting the addresses indicated in this notice. **Article 38.- Use of cookies.-** "THE CONTROLLER" may use cookies to improve Website/App efficiency and user experience. Users may disable or adjust cookies through browser settings. **Article 39.- Options to limit use/disclosure of personal data.-** Data subjects may request limitation of use or disclosure of their data via the email provided in this notice. If accepted, they will be included in the exclusion list of "THE CONTROLLER". **Article 40.- Changes to the privacy notice.-** "THE CONTROLLER" may change, modify, add, or remove parts of this Privacy Notice at any time and will inform users through the same channels used to make this notice available.

Article 41.- Handling and Transfer of Personal Data

"THE CONTROLLER" transfers personal data in strict compliance with personal data protection regulations. Data may be shared with third-party applications/devices connected to user accounts, service providers, payment processors, advertising partners, competent authorities, and other companies within the Controller's corporate group, only as legally permitted and for legitimate operational purposes. All transfers of personal data to a third country or international organization shall be subject to appropriate safeguards under Article 56 and subsequent provisions of the LOPDP. Third-party content or links on Controller websites/apps are governed by third-party privacy practices, and users are encouraged to review those policies before sharing personal data.

Article 42.- Retention of Personal Data

Personal data will be retained only as long as necessary to provide services and products and to fulfill legitimate and essential business purposes, legal obligations, and dispute resolution requirements. Some data may be retained while the user remains a client. The company adopts technical and organizational security measures, recognizing that no system is completely secure. Depending on legal requirements and legitimate purposes, retention may continue in cases such as unresolved claims, legal/fiscal/audit obligations, fraud prevention, contract documentation retention, or ongoing/recent business relationships.

Article 43.- Data That May Be Collected

"THE CONTROLLER" collects personal data from different categories of data subjects depending on their relationship with the company. **Clients and prospective clients:** Identification data, demographic data, purchase and billing data, payment-related data, website/app usage data, and social media interaction data. **Employees and prospective employees:** Identification and contact data, operational and labor data, app usage data, and health-related data required for legal obligations and employment-related benefits. **Suppliers:** Identification data, purchase and billing information, and economic/financial information necessary for commercial relationship management.

Article 44.- Purpose of Data Processing

Data is collected and processed for purposes including, among others: customer service and post-sale operations, order and logistics management, fraud prevention, contractual compliance, rights management, legal cooperation, market studies, quality surveys, insurance and loyalty program management, and communication of relevant commercial information with consent where required. For employees, data is used for recruitment, human resources management, payroll and benefits, occupational health and safety, regulatory compliance, labor communication channels, disciplinary procedures, physical and asset security, performance evaluation, and legal defense. For suppliers, data is used to establish and maintain transparent commercial relationships, process orders and payments, coordinate operations, and evaluate service quality. Data may be communicated nationally and internationally to service providers, business partners, affiliated group companies, authorized third parties with consent, and competent authorities, under legality, minimization, and accountability principles.

Articles 46-49.- Security Measures, Minors' Privacy, and Disclosure

**Article 46.- Information security measures.-** "THE CONTROLLER" implements comprehensive security measures to safeguard against unauthorized access, alteration, disclosure, or destruction of personal data. Measures are adjusted according to data type and confidentiality level and are periodically reviewed. **Article 47.- Minors' privacy.-** The company does not knowingly collect personal data from minors. If you are under legal age, do not provide your data or data of other minors. **Article 48.- Exercise of rights.-** To exercise your rights, complete the applicable form and send it to datospersonales@noroccidental.com or submit it physically at Av. De los Shyris y Suecia, Edificio Renazzo Plaza, Oficina 1001, Piso 10. **Article 49.- Disclosure.-** This Regulation will be disclosed to employees and managers through internal communication channels, training processes, informational materials, and socialization activities across company departments.

Articles 50-52.- Retention Period and Effectiveness

**Article 50.- Personal data retention and storage period.-** The Company shall retain personal data only for the time strictly necessary to fulfill authorized purposes and legal, contractual, administrative, tax, labor, corporate, accounting, or financial retention and enforceability periods. Once all minimum legal retention and limitation periods have expired and no pending legal obligation remains, the Company may retain data for an additional ten (10) years to address authority requests, retrospective audits, potential liabilities, and defense/exercise of rights. During this additional period, data will remain blocked, without active processing, and with restricted access solely for legal or regulatory purposes. After the maximum period and once no legal grounds for retention remain, data will be deleted, irreversibly anonymized, or securely destroyed in accordance with internal information security and personal data protection protocols. **Article 51.- Determination of legal bases for processing.-** The Controller shall process personal data exclusively under the lawful bases provided by applicable regulations, including, as applicable, explicit consent, contract/pre-contract execution, legal obligations, prevailing legitimate interests, or other lawful bases. Each processing activity shall be defined, documented, and updated according to legal-technical criteria, operational context, and risk level. **Article 52.- Effectiveness.-** This policy becomes effective as of its issuance date.