
Privacy Policy

Version: 1.0

Effective Date: March 4, 2026

Compliance Officer: General Management / Privacy Officer

Contact: legal@rdel-cya.com

Index

  1. Introduction and Purpose

  2. Scope

  3. Definitions

  4. Guiding Principles

  5. Roles and Responsibilities

  6. Lifecycle of Personal Data

    • 6.1. Collection

    • 6.2. Storage and Retention

    • 6.3. Use and Processing

    • 6.4. Transfers

    • 6.5. Deletion (Cancellation)

  7. Management of ARCO Rights

  8. Security Measures

    • 8.1. Administrative

    • 8.2. Physical

    • 8.3. Technical

  9. Management of Security Breaches (Incidents)

  10. Training and Awareness

  11. Suppliers and Processors

  12. Use of Cookies and Tracking Technologies

  13. Internal Audits

  14. Violations and Sanctions

  15. Validity and Updates

1. Introduction and Purpose

This Privacy Policy (hereinafter "the Policy") establishes the guidelines, procedures, and best practices that all personnel of RDEL Consulting & Advisory (hereinafter "RDEL", "the Organization" or "we") must observe to ensure the proper protection of personal data to which they have access in the performance of their duties.

The objective is to ensure compliance with the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), its Regulations, and other applicable regulations, minimizing legal, operational, and reputational risks for the Organization.

2. Scope

This Policy is of mandatory observance for:

  • All executives, managers, employees, and consultants of RDEL.

  • Temporary staff, interns, or professional service providers working for RDEL.

  • Third-party suppliers or processors who, on behalf of RDEL, process personal data.

3. Definitions

For the purposes of this Policy, the following definitions will apply:

  • ARCO: Rights of Access, Rectification, Cancellation, and Opposition.

  • Privacy Notice: Document addressed to the data subject, available on the website and in contracts, informing about the processing of their data.

  • Personal Data: Any information concerning an identified or identifiable natural person.

  • Sensitive Personal Data: Those that affect the most intimate sphere of the data subject (e.g., health, racial origin, beliefs).

  • Processor: The natural or legal person who processes personal data on behalf of the data controller (RDEL).

  • Data Controller: RDEL, who decides on the processing of personal data.

  • Data Subject: The natural person to whom the personal data belongs.

4. Guiding Principles

All processing of personal data at RDEL will be governed by the principles of:

  1. Legitimacy: Always with the consent of the data subject or applicable legal basis.

  2. Consent: Expression of the will of the data subject.

  3. Information: Transparency through the Privacy Notice.

  4. Quality: Accurate, complete, and up-to-date data.

  5. Purpose: Determined, explicit, and legitimate purposes.

  6. Loyalty: Preference for the protection of the data subject.

  7. Proportionality: Processing limited to the purposes of the Notice.

  8. Responsibility: RDEL will be responsible for complying with and demonstrating compliance with these principles.

5. Roles and Responsibilities

Role: Key Responsibilities

General Management / Privacy Officer:

  • Approve this Policy and its updates.
  • Respond to ARCO rights requests.
  • Manage and report security breaches.
  • Act as a liaison with INAI.
  • Coordinate internal audits.

Consultants and Project Team:

  • Obtain and document the consent of the data subjects according to the Privacy Notice.
  • Process personal data of clients and third parties ONLY for the purposes of the project.
  • Do not disclose information to unauthorized personnel.
  • Report any possible security incident to the Privacy Officer.

Administration and Finance Team:

  • Handle tax and banking data with strict confidentiality.
  • Ensure the correct issuance of CFDI with the provided data.
  • Manage payments and collections securely.

Marketing and Sales Team:

  • Ensure that the Privacy Notice is displayed when capturing prospects.
  • Manage opt-outs and exclusions from marketing lists.
  • Do not share databases with unauthorized third parties.

Technical Support / IT:

  • Implement and maintain technical security measures.
  • Perform backups.
  • Manage access to systems and databases.

6. Life Cycle of Personal Data

6.1. Collection

  • Personal data will only be obtained through official means: website, forms, corporate email, physical contracts, or work meetings.

  • It is mandatory to provide the Privacy Notice to the data subject at the time of data collection.

  • For sensitive personal data, express and written consent must be obtained (handwritten or electronic signature).

6.2. Storage and Retention

  • Personal data will be stored in secure databases with restricted access.

  • They will be retained only for as long as necessary to fulfill the purposes of processing and while there is a legal relationship with the data subject, plus the additional time required by legal provisions (e.g., tax laws, which are usually 5 years).

  • After that period, the data will be canceled and subsequently blocked and deleted.

6.3. Use and Processing

  • Access to databases containing personal data will be limited exclusively to authorized personnel according to their functions.

  • It is strictly prohibited to:

    • Use personal data for purposes other than those stated in the Privacy Notice.

    • Share access credentials to systems.

    • Copy, transfer, or download databases to unauthorized personal devices.

6.4. Transfers

  • Any transfer of personal data to a third party (processor, partner, authority) must be provided for in the Privacy Notice.

  • A confidentiality and data protection agreement must be signed with the receiving third party, committing to process the data according to RDEL's instructions and the law.

6.5. Deletion (Cancellation)

  • Once the purpose of processing has been fulfilled and the legal retention periods have expired, personal data will be deleted (securely erased) from active databases.

  • Prior to deletion, the data may be blocked for a period to address potential legal liabilities.

7. Management of ARCO Rights

The procedure for addressing an ARCO rights request will be as follows:

  1. Reception: The request must be sent to the email privacidad@rdel-cya.com.

  2. Acknowledgment of Receipt: Within no more than 2 business days, acknowledgment of receipt of the request will be provided.

  3. Analysis: The Privacy Officer will analyze the validity of the request, verifying the identity of the requester and the clarity of the request.

  4. Response: Within a maximum period of 20 business days from receipt, a response will be issued determining whether it is valid or not, and the holder will be informed.

  5. Effectiveness: If the request is valid, it will be made effective within a maximum period of 15 business days following the date of the response.

8. Security Measures

RDEL implements administrative, physical, and technical security measures appropriate to the sensitivity of the personal data processed.

8.1. Administrative

  • Internal policies (this document) and procedure manuals.

  • Annual training for staff on data protection.

  • Signing confidentiality agreements with all staff and suppliers.

8.2. Physical

  • File cabinets and locked cabinets for physical documents containing personal data.

  • Access control to offices (locks, keys).

  • Clean desk and clean screen policy.

8.3. Technical

  • Access control: User authentication using secure passwords (minimum 8 characters, alphanumeric).

  • Encryption: Use of encryption (SSL/TLS) for data transmission on the website and in email communications.

  • Antivirus and Firewall: On all corporate devices.

  • Backups: Regular backup of databases in secure locations.

  • Incident log: Log of unauthorized access attempts.

9. Management of Security Breaches (Incidents)

In the event of any incident that compromises the security of personal data (loss, theft, unauthorized access, etc.):

  1. Detection and Reporting: Anyone who detects a possible incident must report it immediately to the Privacy Officer.

  2. Containment and Assessment: The Privacy Officer will assess the scope and take immediate action to contain the incident.

  3. Notification to INAI and the Data Subject: If the breach is considered serious by law, INAI and the affected data subjects will be notified without delay, no later than 72 hours.

  4. Documentation: The entire incident, actions taken, and lessons learned will be documented.

10. Training and Awareness

Mandatory training will be provided at least once a year to all staff on:

  • Obligations regarding data protection.

  • Content of this Policy.

  • Procedures for the secure handling of information.

  • How to identify and report incidents.

11. Suppliers and Processors

  • All suppliers who, by the nature of their services, have access to personal data of RDEL, must demonstrate compliance with the LFPDPPP.

  • A contract must be signed that specifies the scope of the processing, the security measures to be implemented, and the prohibition of using the data for other purposes.

12. Use of Cookies and Tracking Technologies

  • The marketing and IT team will be responsible for implementing the necessary tools to inform users about the use of cookies on the website, as described in the Privacy Notice.

  • User consent must be obtained for the use of non-essential cookies.

13. Internal Audits

The Privacy Officer will coordinate an internal audit at least every 2 years to verify compliance with this Policy and the LFPDPPP. The results will be documented, and an action plan will be generated to correct any possible deviations.

14. Violations and Sanctions

Non-compliance with this Policy by RDEL staff may result in disciplinary actions, ranging from a written reprimand to termination of the employment or professional relationship, without prejudice to any legal actions that may correspond to the Organization or the affected parties.

15. Validity and Updates

This Policy comes into effect as of the date indicated at the beginning. It will be reviewed and, if necessary, updated every two years or when significant changes occur in the legislation or in RDEL's operations that warrant it.

Prepared and Authorized by:

Dario Leon

General Director / Privacy Officer

RDEL Consulting & Advisory | Business + Science & Technology

Phone: +52 33 1842 3435

Email: legal@rdel-cya.com

Website: www.rdel-cya.com

© 2025-2026, All Rights Reserved. RDEL Consulting and Advisory.