General personal data protection policy

GENERAL PERSONAL DATA PROTECTION POLICY

Kerámikos S.A. («Kerámikos«) is a company committed to guaranteeing the right to personal data protection. To that end, Kerámikos has prepared this General Personal Data Protection Policy («Policy«) to inform you about how we use your personal data, in compliance with the Organic Law on Personal Data Protection («LOPDP«), its implementing regulations, and other applicable regulations on the matter (collectively, the «PDP Regulations«).

I. DEFINITIONS

This Policy, in line with the concepts recognized in the LOPDP, refers to the following definitions:

Personal Data: Information that makes a natural person identifiable, directly or indirectly.
Sensitive Data: Data relating to: ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, criminal record, immigration status, sexual orientation, health, biometric data, genetic data, and any data whose improper processing may give rise to discrimination or may threaten fundamental rights and freedoms.
Processing: Any operation or set of operations carried out on personal data, such as: collection, gathering, obtaining, recording, organizing, structuring, storing, safekeeping, adapting, modifying, deleting, indexing, extracting, consulting, compiling, using, possessing, exploiting, distributing, transferring, communicating, or any other form of enabling access, comparison, interconnection, restriction, erasure, destruction, and, in general, any use of personal data.
Transfer or Communication: Delivery, disclosure, or any form of disclosure of personal data made to a person other than the data subject, controller, or processor.
Data Subject: A natural person whose personal data is subject to processing.
Recipient: A natural or legal person to whom personal data is communicated.
Data Controller: A natural or legal person, public or private, public authority, or other body that, alone or jointly with others, decides on the purpose and the processing of personal data. Under this definition, Kerámikos shall be the data controller.
Data Processor: A natural or legal person, public or private, public authority, or other body that, alone or jointly, accesses and processes personal data on behalf of and for the account of the data controller.
Personal Data Protection Authority: The Superintendency of Personal Data Protection.
Data Protection Officer («DPO»): A natural person who acts as a point of contact between the Personal Data Protection Authority and the data controller. The DPO also oversees and advises on compliance with legal obligations regarding data protection.
Consent: A free, specific, informed, and unambiguous expression of will by which the data subject authorizes the use of their personal data.

II. PRINCIPLES

Kerámikos processes personal data in accordance with and in compliance with the principles recognized in the LOPDP, which are as follows:

Lawfulness: Kerámikos will process personal data in strict compliance with the principles, rights, and obligations established in the Constitution, international instruments, and the PDP Regulations.
Purpose Limitation: The purposes for which personal data is processed will be clearly defined, legitimate, and communicated to data subjects. Kerámikos undertakes not to use personal data for purposes other than those previously disclosed.
Transparency: Information related to the processing of personal data will be easy to access and understand, ensuring clarity at all times.
Fairness: Personal data will be processed honestly and in good faith, in accordance with the purposes that have been communicated to data subjects.
Proportionality: The processing of data will be strictly necessary and adequate to achieve the stated purposes, without being excessive.
Relevance and Data Minimization: Kerámikos will only collect personal data that is strictly necessary to carry out the purposes of processing.
Quality and Accuracy: Every effort will be made to ensure that personal data is complete, accurate, and kept up to date, preventing any distortion of its truthfulness.
Confidentiality: Kerámikos will take all necessary measures to ensure the confidentiality of data, both during and after the processing of information.
Storage Limitation: Personal data will be stored only for as long as necessary to fulfill the purposes for which it was collected, or as stipulated by specific regulations governing document retention periods, as well as during the statute of limitations for legal actions.
Security: Kerámikos will implement the necessary security measures to protect the confidentiality, integrity, and availability of personal data.
Proactive and Demonstrated Accountability: Kerámikos has verification mechanisms in place to demonstrate compliance with the PDP Regulations.

III. DATA CONTROLLER

For the purposes of this Policy, Kerámikos is the Data Controller. Our contact and identification details are as follows:

Address: Calle Heroes de Verdeloma Y Francisco Tamariz, Cuenca – Ecuador.
Tax ID (RUC): 1790298817001
Email: protecciondatos@centroceramico.com
Phone: 072836171

IV. ORIGIN OF PERSONAL DATA

Kerámikos collects personal data from its data subjects through the following means: (i) social media (WhatsApp, Facebook, among others); (ii) directly from the data subject through digital and physical forms; (iii) internal computer systems; (iv) communications via email or telephone calls; (v) through our website https://keramikos.com.ec/.

V. PURPOSES, LEGAL BASIS, AND PERSONAL DATA SUBJECT TO PROCESSING

Kerámikos uses the personal data of job candidates, employees, workers from third-party companies (carriers), customers, suppliers, distributors, visitors, legal representatives, suppliers, distributors, customers, potential customers, and visitors.

The following details the purposes of processing, the personal data used, and the legal bases that legitimize such processing:

1. Employees

Processing Activity	Purpose	Data Type and Personal Data	Legal Basis
Onboarding of employees	To carry out the onboarding of employees into the organization.	Identification: First and last names, national ID number and/or passport number. Contact: Phone number, address, home sketch/map, email address. Professional: Work experience. Family: Spouse and children’s data, family references. Academic: Education, degrees, and courses. Credit Profile Socioeconomic status	Legal obligation and fulfillment of contractual obligations
Enrollment in employees’ medical insurance	Granting of corporate benefits.	Identification: First and last names, national ID number and/or passport number. Contact: Phone number, address, email address. Special categories: Health.	Free, specific, informed, and unambiguous consent of the data subject.
Processing of data for payroll payments	Payroll payment	Identification: First and last names, national ID number and/or passport number. Contact: Phone number, address, email address, bank account number.	Fulfillment of contractual obligations and legal obligation.
Transfer of personal information in child support cases	Payment of child support through the SUPA system	Identification: First and last names, national ID number and/or passport number. Contact: Phone number, address, email address, bank account number.	Legal obligation.
Processing of employee performance data	Regular performance evaluation of staff, and evaluation for employee promotion	Identification: First and last names, national ID number and/or passport number. Employment: Performance evaluation, Results report.	Fulfillment of contractual obligations.
Management of tax obligations regarding employees	Income tax projection and reporting to the SRI (Tax Authority)	Identification: First and last names, national ID number and/or passport number. Financial: Expense projection, form 107, RDEP annex.	Legal obligation and fulfillment of contractual obligations.
Management of termination processes and settlement agreements.	Termination of an employee from the organization	Identification: First and last names, national ID number and/or passport number. Financial: Settlement amounts, bank account number (transfer or check).	Legal obligation and fulfillment of contractual obligations.
Employee attendance control	Staff schedule control	Identification: First and last names, national ID number and/or passport number. Special categories: Biometric data, logbook.	Legal obligation and fulfillment of contractual obligations.
Generation of occupational medical records	To prepare the mandatory medical records for each company employee	Identification: First and last names, national ID number and/or passport number. Contact: Address, phone number, email address. Personal characteristics: Date of birth, age, place of birth, marital status, nationality, sex, image. Special categories: Health.	Fulfillment of contractual obligations, legal obligation, and free, specific, informed, and unambiguous consent of the data subject.
Occupational health examinations	To conduct mandatory medical examinations for each employee	Identification: First and last names, national ID number and/or passport number. Contact: Address, phone number, email address. Special categories: Health.	Fulfillment of contractual obligations, legal obligation, and free, specific, informed, and unambiguous consent of the data subject.
Health-related training sessions	To raise awareness among company employees on medical and health topics of interest.	Identification: First and last names, national ID number and/or passport number.	Fulfillment of contractual obligations and free, specific, informed, and unambiguous consent of the data subject.
Medical consultations for employees experiencing general health complaints	To attend to employees presenting health complaints.	Identification: First and last names, national ID number and/or passport number. Contact: Address, phone number, email address. Special categories: Health.	Free, specific, informed, and unambiguous consent of the data subject and legal obligation.
Handling of workplace accidents involving employees	Monitoring of the employee’s health status until their return to work and issuance of a report.	Identification: First and last names, national ID number and/or passport number. Contact: Address, phone number, email address. Special categories: Health.	Fulfillment of contractual obligations, legal obligation, and free, specific, informed, and unambiguous consent of the data subject.
Medical campaigns for employees	To register employees participating in medical campaigns	Identification: First and last names, national ID number and/or passport number. Contact: Address, phone number, email address. Special categories: Health.	Free, specific, informed, and unambiguous consent of the data subject.
Review of payroll and/or employee settlement data	To approve payroll for salary payments and/or settlements for indemnity payments.	Identification: First and last names, national ID number and/or passport number. Financial: Payroll Banking Data Account number	Legal obligation and free, specific, informed, and unambiguous consent of the data subject.
Communication of personal data for external and internal audits.	Execution of external audit in compliance with legal obligations	Identification: First and last names, national ID number and/or passport number. Financial: Payroll. Contact: Phone number, address, email address. Special category: Health, performance evaluation	Fulfillment of contractual obligations.
Sending birthday messages	To congratulate employees on their birthdays	Identification: First and last names. Contact: Phone number. Personal characteristics: Date of birth.	Free, specific, informed, and unambiguous consent of the data subject.
Management of employee travel	For employee accommodation and travel	Identification: First and last names, national ID number. Contact: Phone number. Special category: Financial	Fulfillment of contractual obligations.

2. Candidates

Processing Activity	Purpose	Personal Data	Legal Basis
Processing of résumés for candidate selection	To hire the personnel required by the organization.	Identification: First and last names, national ID number and/or passport number Contact: Address, home sketch/map, phone number, email address, social media, digital recruitment platforms. Personal characteristics: Date of birth, age, place of birth, marital status, nationality, sex, image, ethnicity, immigration status Professional: Work experience, profession, résumé/CV, experience, job positions held. Financial: Payroll, income. Credit and Legal Profile	Fulfillment of contractual obligations and free, specific, informed, and unambiguous consent of the data subject.
Administration of psychometric, job-fit, and reliability tests	To assess candidate abilities prior to personnel selection.	Identification: First and last names, national ID number and/or passport number. Other: Psychometric test performance results. Special categories: Biometric data.	Free, specific, informed, and unambiguous consent of the data subject.
Management of candidates’ employment references	To evaluate candidates’ past work experiences.	Identification: First and last names, national ID number and/or passport number.	Free, specific, informed, and unambiguous consent of the data subject.
Candidate selection	For the hiring process	Identification: First and last names Contact: Phone number, email address, and home address. Academic: Academic background. Professional: Work experience, reason for leaving previous position. Social circumstances: Assets (vehicle). Personal characteristics: Date of birth, nationality, age, sex, marital status. Special categories: Criminal record.	Fulfillment of contractual obligations.
Interview	To review candidate information	Identification: First and last names. Social circumstances: People the candidate lives with. Financial: Whether the candidate has a credit card, payment default issues. Family: Spouse’s data, children’s ages. Special categories: Health, data of persons with disabilities or substitutes for persons with disabilities. Professional	Fulfillment of contractual obligations.

3. Suppliers:

Processing Activity	Purpose	Personal Data	Legal Basis
Sending communications to distributors	To inform them about new products and launches.	Identification: First and last names. Contact: Address, phone number, email address.	Free, specific, informed, and unambiguous consent of the data subject and fulfillment of contractual obligations.
Collection of personal data from the Website, Social Media, and Forms	To capture distributor data and, in the case of end customers, to forward it to distributors	Identification: First and last names, national ID number or passport number. Contact: Address, phone number, email address.	Free, specific, informed, and unambiguous consent of the data subject.
Updating supplier data	As required by the finance department for registering new suppliers.	Identification: First and last names. Contact: Phone number, address, email address. Financial: Bank certificate.	Fulfillment of contractual obligations and legal obligation.
Processing of supplier data for registration in the system	To manage contractual relationships and payments	Identification: First and last names, national ID number and/or passport number. Contact: Phone number, address, email address. Other: Legal representative’s data.	Fulfillment of contractual obligations.
Processing of data for issuance and sending of tax withholding receipts to suppliers	Compliance with tax obligations	Identification: First and last names, national ID number and/or passport number. Contact: Phone number, address, email address. Other: Identification and contact data of the legal representative.	Legal obligation.
Communication of personal data for external audit execution	Execution of external audit in compliance with legal obligations	Identification: First and last names, national ID number and/or passport number. Payroll. Contact: Phone number, address, email address.	Fulfillment of contractual obligations.
Communication of data in the filing of tax returns	Compliance with tax obligations	Other: Identification and contact data of the legal representative.	Legal obligation
Communication of data to Centro Cerámico and the corporation	Review of operations within the Business Group	Identification: First and last names, national ID number and/or passport number. Contact: Phone number, address, email address.	Legitimate interest
Qualification of logistics suppliers	Supplier analysis for contracting purposes	Identification: Names, Tax ID (RUC). Contact: Address, email address	Fulfillment of contractual obligations.
Issuance of remittance guides	Compliance with legal obligation for product transportation	Identification: First and last names. Contact: Phone number, address, email address Financial: Bank certificate.	Legal obligation.

4. Customers

Processing Activity	Purpose	Personal Data	Legal Basis
Communication of shareholder data to financial institutions	Obtaining loans or coordinating financial operations	Identification: First and last names, national ID number and/or passport number. Contact: Phone number, address, email address.	Legitimate interest.
Processing of data for order invoicing	Invoicing of customer orders	Identification: First and last names. Contact: Address, phone number, email address.	Fulfillment of contractual obligations and legal obligation.
Issuance of remittance guides	Compliance with legal obligation for product transportation	Identification: First and last names. Contact: Phone number, address, email address Financial: Bank certificate.	Legal obligation.
Processing and archiving of customer personal data for payment records	To reconcile cash register with customer payments	Identification: First and last names, national ID number and/or passport number.	Fulfillment of contractual obligations.
Communication of personal data for external audit execution	Execution of external audit in compliance with legal obligations	Identification: First and last names, national ID number and/or passport number. Employment: Payroll. Contact: Phone number, address, email address.	Fulfillment of contractual obligations
Communication of data in the filing of tax returns	Compliance with tax obligations	Other: Legal representatives’ data	Legal obligation
Communication of data to Centro Cerámico	Review of operations within the Business Group	Identification: First and last names, national ID number and/or passport number. Contact: Phone number, address, email address.	Legitimate interest
Sending order information	To deliver orders to the address requested by the customer	Identification: First name, last name, Tax ID (RUC). Contact: Phone number and email address.	Legitimate interest and free, specific, informed, and unambiguous consent of the data subject.
Sales planning	To know the sales representative’s location for sales management purposes	Identification: Name. Contact: Address	Fulfillment of contractual obligations
Collection of personal data from the Website and Social Media.	To capture distributor data and, in the case of end customers, to forward it to distributors	Identification: First and last names and date of birth. Contact: Address, phone number, email address.	Free, specific, informed, and unambiguous consent of the data subject.
Sending advertising information	To send product news, discounts, and promotions	Identification: First name, last name. Contact: Phone number and email address.	Legitimate interest and free, specific, informed, and unambiguous consent of the data subject.
Invoicing	Compliance with tax legal obligation to issue an invoice or sales receipt	Identification: First name, last name, Tax ID (RUC). Contact: Phone number and email address.	Fulfillment of contractual obligations and legal obligation.
Communications with customers	To provide information on orders, stock, production, and to address product inquiries	Identification: First name, last name, date of birth, Tax ID (RUC). Contact: Phone number and email address.	Fulfillment of contractual obligations.
Sending quotations	To send information about products of interest to the customer	Identification: First name, last name, Tax ID (RUC). Contact: Phone number and email address.	Fulfillment of contractual obligations
Customer service for quality and after-sales	To address customer inquiries or complaints	Identification: First name, last name, Tax ID (RUC). Contact: Phone number and email address.	Fulfillment of contractual obligations
Collection of credit application information	So that the accounts receivable department can analyze the credit application and determine whether or not to grant credit to the customer	Identification: First and last names, Tax ID (RUC) Contact: Phone number, email address, and address Personal characteristics: Date of birth, age, sex, place of birth, nationality Other: Bank references, commercial references, guarantor’s data Financial: Income and expenses Family: Spouse’s data Social circumstances: Assets (vehicles and property) Special data categories: Criminal record.	Fulfillment of contractual obligations and free, specific, informed, and unambiguous consent of the data subject.
Customer creation	For customer invoicing and customer relationship management	Identification: First and last names, Tax ID (RUC). Contact: Phone number, email address, and address. Personal characteristics: Date of birth, age, sex, place of birth, nationality. Other: Bank references, commercial references, guarantor’s data. Financial: Income and expenses. Family: Spouse’s data	Fulfillment of contractual obligations and legal obligation.

5. Potential Customers:

Processing Activity	Purpose	Personal Data	Legal Basis
Sending quotations	To send information about products of interest to the customer	Identification: First name, last name, Tax ID (RUC). Contact: Phone number and email address Social Media.	Fulfillment of contractual obligations
Collection of credit application information	So that the accounts receivable department can analyze the credit application and determine whether or not to grant credit to the customer	Identification: First and last names, Tax ID (RUC) Contact: Phone number, email address, and address Personal characteristics: Date of birth, age, sex, place of birth, nationality Other: Bank references, commercial references, guarantor’s data Financial: Income and expenses Family: Spouse’s data Social circumstances: Assets (vehicles and property) Special data categories: Criminal record.	Fulfillment of contractual obligations and free, specific, informed, and unambiguous consent of the data subject.
Collection of personal data from the Website and Social Media.	To capture data from potential customers and forward it to points of sale.	Identification: First and last names, date of birth, Tax ID (RUC), national ID number or passport number. Contact: Address, phone number, email address.	Free, specific, informed, and unambiguous consent of the data subject.

6. Visitors:

Processing Activity	Purpose	Personal Data	Legal Basis
Access to the plant and offices.	To authorize entry for security reasons and in compliance with BASC certification requirements	Identification: Name, national ID number. Contact: Phone number.	Legitimate interest

7. Third-party company workers:

Processing Activity	Purpose	Personal Data	Legal Basis
Processing of driver data for security validation	Security and risk verification of personnel involved in the operation	Identification: Name, national ID number. Contact: Phone number, address, email address.	Fulfillment of contractual obligations and legitimate interest

VI. RIGHTS OF DATA SUBJECTS

Kerámikos guarantees the exercise of the following rights recognized in the LOPDP:

Right to Information: You have the right to receive clear and timely information about how your personal data is collected, used, shared, and stored, as well as contact details for making inquiries or exercising your rights.
Right of Access: You have the right to know whether Kerámikos is processing your personal data and, if so, to request a copy of your personal data.
Right to Rectification and Update: You have the right to request that Kerámikos correct or update your personal data when it is incomplete, inaccurate, or not up to date, by providing the relevant information.
Right to Erasure: You have the right to request that Kerámikos delete your personal data, for example, when it is no longer necessary for the purposes disclosed, when the retention period has expired, when the processing is unlawful, when it affects your rights, or when you have withdrawn your consent.
Right to Object: You have the right to object to the processing of your personal data when it is used for direct marketing purposes or when there is a legitimate interest that you consider affects your rights.
Right to Data Portability: You have the right to request that Kerámikos provide your personal data in a structured, commonly used electronic format, or to transfer it directly to another controller, where technically feasible.
Right to Restriction: You have the right to request that Kerámikos limit or temporarily suspend the processing of your personal data, for example, when you are verifying its accuracy, when the processing is unlawful, or for the formulation or defense of claims.
Right not to be subject to decisions based solely on automated processing: You have the right not to be subject to decisions made exclusively on the basis of automated processing of your data that significantly affect your interests. In such cases, you may request an explanation, submit observations, request human review of the decision, and, where applicable, contest it.

VII. EXERCISE OF RIGHTS

To exercise the rights mentioned above, the data subject may submit a request: (i) in person, through a written document at Kerámikos’s address indicated at the beginning of this Policy, or (ii) electronically, by sending a request to the corresponding email address: protecciondatos@centroceramico.com.

Kerámikos will attend to requests for the exercise of rights within the timeframes set forth in the PDP Regulations. However, if it is necessary to clarify or supplement the information provided, a period of five (5) business days will be granted to do so; if this requirement is not met, the request will be filed and closed.

Likewise, in cases where Kerámikos processes personal data based on the data subject’s consent, authorization will be requested and the data subject will be clearly and thoroughly informed about how their personal data will be used. Consent, in all cases, will be: (i) free; (ii) specific; (iii) informed; (iv) unambiguous.

The data subject may withdraw their consent at any time by contacting us through the means provided at the beginning of this Policy.

Notwithstanding the foregoing, if the data subject considers that the response issued violates their rights, or when the request has not been addressed within the timeframe established in the PDP Regulations, they may file a complaint directly with the Personal Data Protection Authority.

VIII. DATA OF CHILDREN AND ADOLESCENTS

As a general rule, Kerámikos does not process personal data of children and adolescents due to the nature of its commercial activities. However, such data may be processed when necessary to comply with legal obligations or court orders, or when the express consent of the minor has been obtained, in cases where the minor is over fifteen (15) years of age and under eighteen (18) years of age, or with the authorization of their legal representative when the minor is under fifteen (15) years of age.

As a general rule, Kerámikos will only process personal data of minors when there is a legal basis that legitimizes such processing.

IX. TRANSFERS OR COMMUNICATIONS OF PERSONAL DATA

Kerámikos may transfer or communicate personal data to third parties when: (i) such transfer is necessary for the fulfillment of the purposes previously disclosed; (ii) there is a legal mandate or an order issued by a competent authority; or (iii) the data subject has given their express consent to do so.

The processing of personal data may involve international transfers, for example, for information storage or processing services. In such cases, Kerámikos will endeavor to ensure that the receiving third party guarantees adequate levels of protection, confidentiality, and security of personal data, especially when the transfer is made to countries that do not have an equivalent level of protection.

X. RETENTION OF PERSONAL DATA

Personal data will be stored in databases owned or managed by Kerámikos for the period necessary to fulfill the purposes described in this Policy. Subsequently, if necessary, it will be retained for the additional time required to comply with legal or contractual obligations, as well as to address any potential legal actions or their statute of limitations.

Once the purposes of processing have been fulfilled and, where applicable, the legal retention periods have ended, Kerámikos will proceed to the secure deletion or anonymization of personal data, so that data subjects can no longer be identified.

In duly justified situations, data may be kept blocked — meaning not used for any new purpose — exclusively for the purpose of addressing claims or fulfilling legal obligations.

XI. SECURITY MEASURES

Kerámikos implements technical, organizational, legal, and physical measures designed to protect personal data and reduce the risks of unauthorized access, loss, alteration, misuse, or disclosure of information. Such measures are adopted taking into account the nature and volume of the data processed, the state of technology, implementation costs, associated risks, and industry best practices.

XII. REFUSAL TO PROVIDE OR PROVISION OF INCORRECT OR INACCURATE PERSONAL DATA

If the data subject decides not to provide their personal data or objects to its processing, Kerámikos will not be able to attend to their requests, as it will not be possible to carry out the processing of such information. Consequently, Kerámikos will not be able to fulfill the purposes previously disclosed.

Likewise, if the data subject provides incorrect, inaccurate, or outdated personal data, Kerámikos will not be in a position to fulfill the disclosed purposes. Therefore, the data subject shall be solely and exclusively responsible for ensuring that the personal data provided is truthful, complete, and kept up to date.

XIII. POLICY UPDATES

Kerámikos conducts periodic reviews and updates of this Policy, in accordance with regulatory changes in the area of personal data protection, as well as guidelines issued by the Personal Data Protection Authority.

This Policy was last updated on March 12, 2026.