Privacy Notice

Based on the provisions of the Federal Law on the Protection of Personal Data Held by Private Parties (hereinafter the “Law”), Compañía Minera Autlán, S.A.B. de C.V., its subsidiaries and affiliates (hereinafter the “Controller”), located at Arq. Pedro Ramírez Vázquez No. 200, Interior 10, Valle Oriente, San Pedro Garza García, Nuevo León, Mexico, ZIP Code 66260, is responsible for the use and protection of your personal data. In this regard, and in accordance with Articles 14, 15, and 16 of the Law, we inform you of the following:

 

The personal data we collect will be used for the following purposes:

  • Product Information and Marketing
    • To provide new and commercial information about our products
    • For marketing and promotion of our products.
    • To assess our clients’ interests.
  • Customer and Commercial Operations Management
    • To carry out collection processes with clients.
    • For the execution and fulfillment of commercial transactions.
  • Supplier and Payment Management
    • To manage payments to suppliers.
    • To verify that the provided information is truthful through public sources..
    • To monitor the service delivery by suppliers.
  • Internal and Operational Administration
    • For the proper functioning of the Controller’s operating systems, whether owned or leased.
  • Human Talent Management
    • To identify the person hired.
    • For the selection and hiring of personnel through the recruitment process, and for future vacancies in case of non-selection.
    • To create a physical employment file, which may contain the data subject’s personal information.
    • To upload collected data into the Controller’s or third-party systems, to manage the employment relationship. .
    • To fulfill labor and contractual obligations.
    • To manage employment and social benefits.
    • To contact a relative in the event of a workplace accident, provided the contact is disclosed to the Controller.
    • To carry out activities related to the employment relationship, such as commercial, legal, labor, and tax matters.
  • Strategic Studies and Analysis
    • For the study, understanding, and investigation of facilities, processes, projects, and investments.
    • To provide information to potential investors.

 

To carry out the purposes described in this privacy notice, the following personal data may be used:

  • Identification Data: Information that allows a person to be distinguished from others, such as: name; marital status; gender; handwritten signature; Federal Taxpayer Registry (RFC); Unique Population Registry Code (CURP); birth certificate; official identification; military service card number; place and date of birth; nationality; photograph; age; articles of incorporation; incorporation date.
  • Contact Information: Data allowing communication with the data subject, such as: address; proof of address; email; landline; mobile phone number.
  • Personal or Financial Data: Information regarding a person’s assets, rights, obligations, or economic situation, such as: real estate and personal property; tax status certificate; proof of compliance with tax obligations; social security compliance opinion; credit history; income and expenses; bank accounts; insurance policies; retirement fund (AFORE) statements; bonds; marriage certificate; birth certificates of beneficiaries, spouse, and children; notarized power of attorney.
  • Employment Data: Social Security number (IMSS); report of weeks contributed (IMSS); union affiliation; professional experience, current occupation and/or position, academic records, full names and phone numbers of immediate family members, dependents or beneficiaries (ascendants, descendants, collateral relatives, or spouse) for reference and insurance purposes.

 

It is important to note that the Controller does not guarantee the accuracy or truthfulness of the data collected, nor has it verified it, but only receives, records, and stores it under secure standards.

To fulfill the purposes of this privacy notice, the Controller may transfer and/or transmit data nationally and internationally without your consent, as provided in Article 36 of the Law. The same applies under Article 35, unless the data subject expressly opposes such transfer and/or transmission by submitting a request to the Controller at the following email address: [email protected].

To prevent unauthorized access or disclosure, ensure information accuracy, and guarantee appropriate use of the information, the Controller uses reasonable and appropriate physical, technical, and administrative procedures to protect the information it collects and processes. The Controller has trained personnel to handle confidential data, limits and strictly controls access to personal data, and uses its own or third-party leased physical and/or electronic infrastructure, as well as cybersecurity processes, to ensure data protection.

You or your legal representative may exercise any of the rights of access, rectification, cancellation, or opposition (hereinafter “ARCO Rights”) by sending a request to exercise ARCO Rights and revoke consent (hereinafter the “Request”) to the Controller at the following email address: [email protected].

The Request must include:

  1. The name of the data subject and their address or any other means of contact (phone, email, etc.);
  2. Documents proving the identity of the data subject or, where appropriate, the identity and representation of their legal representative;
  3. A clear and precise description of the personal data regarding which the ARCO rights are to be exercised, except when requesting the right of access;
  4. A description of the ARCO right to be exercised, or what the data subject requests; and
  5. Any other information or document that facilitates the location of personal data.

 

The exercise of ARCO Rights will be free of charge; however, the applicant must cover any shipping, reproduction, or certification costs, if necessary.

 

Upon receiving the Request, if the information is incorrect, incomplete, or lacks the necessary documentation, the Controller may request, within five (5) business days of receipt, additional elements or documents. You will then have ten (10) business days from the following day to respond. If no response is received within that time, the Request will be deemed not submitted.

 

The Controller will communicate its decision within a maximum of twenty (20) business days from the date the Request was received. If applicable, the right will be enforced within fifteen (15) business days from the communication of the decision. The response will be sent to the email address from which the Request was submitted. Note that the response may be negative in the following cases:

 

  1. When the data subject or legal representative is not properly accredited;
  2. When the personal data is not in the possession of the Controller;
  3. When the rights of a third party may be affected;
  4. When a legal impediment or the resolution of a competent authority restricts access to the personal data or prevents its rectification, cancellation, or opposition; and
  5. When the rectification, cancellation, or opposition has already been carried out.

The Controller reserves the right to make changes or updates to this notice at any time, due to legal requirements; its own needs regarding the services provided; its privacy practices; or changes to its business model. These modifications will be published at: www.autlan.com.mx.

Please be informed that the Controller’s applications, both owned and leased, use cookies for various purposes, mainly to improve the user experience and provide better services. These purposes include: user authentication, personalized experiences, data analytics, application security, language and location preferences, remembering login data, among others.

In accordance with the Law, sensitive personal data refers to those that may reveal aspects such as racial or ethnic origin, current or future health status, genetic information, religious, philosophical, and moral beliefs, political opinions, or sexual preferences. If the Controller requires sensitive personal data, you must provide your express consent for its processing.

According to Articles 7, 8, 9, and 12 of the Law, by providing your personal data and not expressing opposition to this privacy notice, the data subject acknowledges having read and understood its scope and tacitly consents to the processing of their data for the purposes outlined.

In the case of financial or asset-related data, express consent will not be required when any of the conditions outlined in Articles 9 and 36 of the Law apply.

To limit the use or disclosure of your personal data, the data subject may send a request to [email protected], indicating their full name, identification proving their identity, and the desired limitation. These requests will be addressed within a maximum of twenty (20) business days, in accordance with the terms established for exercising ARCO Rights, as provided in this notice.

 

We are located in Mexico and all matters related to this Website are governed by Mexican law. If you are located in any other country outside of Mexico and contact us, please take into account that any information you provide will be transferred to Mexico, and at the time of entering your information, you authorize this transfer and accept the conditions stipulated in this Privacy Notice.

 

Last updated: March 21, 2025