×
You are here: Soluciones
    See all solutions for this segment

    Do you want to transform your business?

    Explore our solutions
    You are here: Recursos
    You are here: Company
    Evertec

    Privacy Policy Mexico

    This privacy policy (The “Policy”) applies to the operations of Evertec Mexico Processing Services S.A. (hereinafter EVERTEC MX)      and must be read      jointly with Evertec Inc privacy policy applicable to all its subsidiaries. Nevertheless, Mexican      regulations      apply this policy.

    This Policy reflects EVERTEC MX commitment to comply with all applicable  rules and regulations and to operate as a solid and secure organization, with the main goal to protect its customers, vendors (providers), collaborators, partners, shareholders and other      counterparties, the integrity, its people and its credit.

    The following definitions would be considered in this privacy notice:

    ARCO RIGHTS: Rights of Access, Rectification, Cancellation and Opposition regarding the processing of personal data.

    CONSENT: Expression of the OWNER’s will to allow the processing of his/her personal data.

    IN CHARGE: an individual or businessperson who processes personal data on behalf of the person responsible. 

    OWNER: An individual whose personal data is processed by EVERTC MX.

    PERSONAL DATA: Information that identifies or makes an individual identifiable, such as name, address, email, financial or health data.     

    PRIVACY NOTICE: Document through which the RESPONSIBLE informs the OWNER about      their personal data.    

    PROCESSES: Collection, use, transfer, storage or use of personal data by any means.

    RESPONSIBLE: EVERTEC MX, who decided regarding personal data processes.

    SENSITIVE DATA: Personal data that if misused, could affect privacy or lead to discrimination, such as health, beliefs, or affiliations.

    TRANSFER: Any communication of personal data inside or outside of Mexican territory, made      by a different person to the OWNER, of the RESPONSIBLE or IN CHARGE

    TRANSMISION: Any communication of personal data between RESPONSIBLE and IN CHARGE to make any processes.

    USERS: Individuals for whom personal data is collected, processed, stored or transmitted by EVERTEC MX as IN CHARGE, due to the services provided to their customers. These are customers or ultimate beneficiaries of the services offered by EVERTEC MX customers, and their information is processed in accordance with the instructions of the RESPONSIBLE.

    1. GENERAL CONSIDERATIONS

    1.1. INTRODUCTION

    EVERTEC MX acknowledge that its counterparties personal data processing will be held in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties (“LFPDPPP”), its Regulations and the Privacy Notice Guidelines issued by the Ministry of Economy, which apply the processing of personal data collect or management.

    1.2. OUR IDENTIFICATION

    EVERTEC MX may act as a personal data RESPONSIBLE or IN CHARGE, in these cases these are our contact information. including for hearing and receiving notifications:

    Corporate Name: EVERTEC MEXICO PROCESSING SERVICES S.A.

    Address: Building WRK, Insurgentes Sur 318, Roma Norte, Cuauhtemoc (06700), CDMX, Mexico, Piso 4, Oficina 2

    Email: everteccompliance@evertecinc.com

    1.3. SCOPE

    These guidelines are a rule of conduct that steers the actions of the Board of Directors, employees, collaborators, shareholders, administrators, vendor/providers, contractors, partners, investors and other related parties or interested parties that collect, use, exchange, administer or process databases containing personal data      that are under the administration of EVERTEC MX or may be known by virtue of the commercial and contractual relationships developed with the other companies that are part of the Business Group to which it belongs EVERTEC MX, of commercial alliances, agreements or advertising events.

    Likewise, it is applicable when the data processing is carried out in Mexican territory as well as when the party RESPONSIBLE or IN CHARGE of the processing in virtue of the international standards or treaties the legislation of the jurisdiction of the DATA OWNER is applicable to it.

    EVERTEC MX acts as RESPONSIBLE for personal data of (included, but not limited to the legal representative, shareholders, officers) collaborators, shareholders, customers, partners and vendors; in other cases, acts as IN CHARGE.

    EVERTEC MX can process sensitive data when it’s necessary to comply with legal, contractual or statutory requirements, or to protect OWNER’s vital information. Processing will be carried out under strict security measures, restricting access and use.

    If employees don’t comply with these guidelines or with the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), its Regulations, and the Privacy Notice Guidelines issued by the Ministry of Economy, EVERTEC MX takes disciplinary actions      to comply with all responsibilities set forth in EVERTEC MX’s Code of Ethics and Employee Handbook.

    2. GUIDELINES

    2.1. GUIDING PRINCIPLES

    EVERTEC MX is commitment to understanding and developing, harmonically, the principles established in in the Federal Law on the Protection of Personal Data Held by Private Parties (“LFPDPPP”), its Regulations and the Privacy Notice Guidelines issued by the Ministry of Economy, in accordance with its processing role RESPONSIBLE / or IN CHARGE, these are:

    1. Principle of legality or lawfulness: In those cases, in which EVERTEC MX acts as the RESPONSIBLE of personal data, we process it in accordance with and compliance with the provisions of Mexican and international law.
    2. Purpose principle: In those cases, in which EVERTEC MX acts as the RESPONSIBLE of personal data, we guarantee that they are processed for the fulfillment of the purpose or purposes established in this privacy notice and/or those established in the contract signed between the parties (if applicable).
    3. Principle of freedom or consent: In those cases, in which EVERTEC MX acts as the RESPONSIBLE of personal data, we guarantee, except for the legally established exceptions, that we have the tacit or express consent of the data subject to process it for one of the purposes stipulated in this notice and/or in the contract signed between the parties (if applicable).
    4. Principle of truthfulness, quality, or accuracy: Personal data processed are considered accurate, complete, relevant, correct, and up-to-date when provided directly by the data subject, and until the data subject states and proves otherwise, or EVERTEC MX has objective evidence to the contrary. In cases where the data was obtained through a third party and EVERTEC MX acts as the data RESPONSIBLE, reasonable measures are adopted to ensure that the data meets the principle of quality, in accordance with the type of personal data and the conditions of processing.
    5. Principle of loyalty: personal data are processed with priority given to the protection of the data subject’s interests and the reasonable expectation of privacy, under the terms established in Article 7 of the Law (LFPDPPP).
    6. Principle of transparency or information: EVERTEC MX, as the RESPONSIBLE, informs the OWNER regarding the existence and main characteristics of the processing to which their personal data will be subjected through this privacy notice.
    7. Principle of Confidentiality and Integrity or Responsibility: There is an obligation to oversee and be responsible for the processing of personal data in the custody or possession of EVERTEC MX as RESPONSIBLE, or for those that we have communicated to a processor, whether the latter is in Mexican territory.
    8. Principle of Necessity and Proportionality or Minimization: Only personal data that is necessary, adequate, and relevant in relation to the purposes for which it was obtained is processed. Therefore, when EVERTEC MX acts as RESPONSIBLE, it makes reasonable efforts to ensure that the personal data processed is the minimum necessary for the purpose.
    9. Principle of Temporality or Expiration: The retention periods for personal data do not exceed the time necessary to fulfill the purposes that gave rise to the processing. Once the purpose(s) of the processing has been fulfilled, and when there is no legal or regulatory provision establishing otherwise, EVERTEC MX, as the RESPONSIBLE (when applicable), proceeds to cancel the data in its possession after blocking them for subsequent deletion.

    2.2. OWNER’S RIGHTS

    The rights of data OWNERS under Federal Law on the Protection of Personal Data Held by Private Parties (“LFPDPPP”), its Regulations and the Privacy Notice Guidelines issued by the Ministry of Economy, are:

    1. To give or deny priority, express, and informed consent so that EVERTEC MX, as the party RESPONSIBLE, can process personal data.
    2. To request at any time proof of the authorization granted to EVERTEC MX as the party RESPONSIBLE, unless it is expressly excluded as a requirement for the processing, in accordance with applicable laws.
    3. To be informed about the use that EVERTEC MX, as the party RESPONSIBLE or IN CHARGE, has given to personal data.
    4. To know the purposes for which EVERTEC MX, as the party RESPONSIBLE or IN CHARGE, captures or manages personal data.
    5. The OWNER may appeal to the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) if he or she believes his or her right to data protection has been violated.
    6. Cancel or revoke your personal data when you consider that it is not being processed in accordance with the principles and duties established in the applicable legislation or when you consider it necessary.
    7. To access for free the personal data voluntarily shared with EVERTEC MX.
    8. To know, update, and rectify your personal data. This right may be exercised, among others, with respect to data that is partial, inaccurate, incomplete, fragmented, or misleading, or whose processing is expressly prohibited or unauthorized. It is clarified that, in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties (“LFPDPPP”), its Regulations, and the Privacy Notice Guidelines issued by the Ministry of Economy, the OWNER may exercise their rights of access, rectification, and cancellation and objection with respect to their personal data free of charge, at intervals of no less than six months.

    2.3. AUTHORIZATION AND CONSENT

    EVERTEC MX uses the personal data exclusively for the purposes indicated in this policy and retains it for the period specified in the applicable legal provisions. By accepting this Notice, it is understood that the Data Subject authorizes EVERTEC MX to transfer their Personal Data to third parties, whether Mexican or foreign, without requiring further consent. Without prejudice to the exceptions provided for in the laws for the processing of personal data and their regulatory Decrees, as well as in the Federal Law on the Protection of Personal Data Held by Private Parties (“LFPDPPP”), its Regulations, and the Privacy Notice Guidelines issued by the Ministry of Economy, EVERTEC MX requires prior and informed authorization or consent of the OWNER by any means.

    EVERTEC MX may transfer personal data to affiliated companies and subsidiaries; external service providers; and national or foreign regulatory authorities. In transfers not covered by legal exceptions, the OWNER’s express consent will be requested. EVERTEC MX will not require the OWNER’s consent for the transfer of data in the cases established in this Policy.

    Revocation of consent may be requested at any time, by means of the established means, without retroactive effect. EVERTEC MX will not be required to obtain the OWNER’s consent for the processing of personal data when:

    1. A legal provision is provided     .
    2. The personal data is contained in publicly accessible sources.
    3. The personal data is subject to a prior dissociation procedure.
    4. The personal data is required to exercise a right or fulfill obligations arising from a legal relationship between the OWNER and the OWNER.
    5. There is an emergency that could potentially harm an individual in person or their property.
    6. The personal data is essential for medical treatment, prevention, diagnosis, the provision of healthcare, or the management of healthcare services, while the OWNER is unable to give consent, under the terms established by the General Health Law and other applicable legal provisions, and said data processing is carried out by a person subject to professional secrecy or an equivalent obligation; or
    7. There is a well-founded and reasoned court order, resolution, or mandate from a competent authority.

    EVERTEC MX will always comply with the principles of Personal Data protection in accordance with the Law and its regulations and will therefore require third parties to whom it transfers Personal Data to comply with the Law and adopt the necessary measures for its protection.

    EVERTEC MX obtains authorizations for the collection of personal data as follows:

    1. Users. Through the website, transactional channels or payment and consultation tools are enabled.
    2. Clients and their beneficial OWNERs. Through the website, email, signed contracts and/or Customer Due Diligence Form and/or the one that applies.
    3. Suppliers and their beneficial OWNERs. Through email, signed contracts, and/or Vendor Request Form EVT 875 and/or the one that applies.
    4. Employees and their families. Through employment contracts, annexes and/or onboarding and updating forms     . 
    5. Partners and Board Members. Through binding documents or contractual negotiations.
    6. Pertaining to the use of personal data specifically unrelated to the development of the legal or contractual relationship between EVERTEC MX and the OWNER, but that relates to the delivery of commercial or advertising information, the OWNER of the data can simply and expeditiously deliver their data (for example, names and surnames, emails, cell numbers, telephone numbers, etc.) to EVERTEC MX as well as to opt out, at any time, from being contacted for such purposes.

    2.4 PURPOSES DATA OWNER TO PROCESSING

    In addition to the aforementioned, the purpose of the Processing of Personal Data by EVERTEC MX will be to fulfill the primary purposes, which are those necessary and give rise to the relationship between EVERTEC MX and the OWNER, allowing EVERTEC MX to provide its services, as well as the secondary purposes that are not directly related to the services provided by EVERTEC MX, but which contribute to providing better service to the OWNER, which are listed below:

    Primary Purposes:

    1. Formalize, manage, and maintain legal relationships with customers, users, vendors, employees and collaborators.
    2. Process requests for financial services, identity validations, and payment transactions.
    3. Comply with tax, labor, anti-money laundering, counter-terrorism financing, and anti-corruption obligations.
    4. Manage regulatory compliance programs and internal and external audits.
    5. Ensure information security through controls and preventive measures.

    Secondary Purposes:

    1. To offer products, services, promotions, events, training, and surveys.
    2. To conduct market research and evaluate the quality of services.

    The OWNER may object to the processing of their data for secondary purposes through the means provided in this policy.

    EVERTEC MX processes personal data for the following specific purposes, depending on the type of Holder:

    1. Users: Information received by users directly or through any third party, is used for EVERTEC MX as IN CHARGE for the following purposes:
      • To operate and to maintain our properties.
      • To inform users regarding any change in our properties or to send additional information regarding EVERTEC MX and its products and services.
      • To manage personal data protection requests.
      • To update data for security purposes and to comply with regulations to Counter Money Laundering, Financing of Terrorism and Financing of Proliferation of Weapons of Mass Destruction, corruption, and bribery.
      • To respond to administrative, judicial or any other requirements that we are required to comply with.
      • To process transactions by forwarding the information to payment processors and/or financial institutions legitimately constituted under applicable law.
      • To perform security analysis to authenticate users, directly or through third parties specialized as parties IN CHARGE. In no case, may third parties use the information for purposes other than those mentioned herein or those defined in the contracts entered by EVERTEC MX.
      • To make contact in cases of fraud alerts.
      • To contact third party requests in cases of exceptions.
      • To perform statistical analysis to identify global behaviors, consumption trends, payments or user behavior.
    1. Vendors: Information received from EVERTEC MX’s suppliers is considered confidential and is only disclosed with the express authorization of the OWNER, or when requested by a competent authority. The purposes of this data are:
      • To guarantee the commercial relationship, this includes sending out invitations to contract and arrangements for the pre-contractual, contractual, and post-contractual stages.
      • To issue an invoice.
      • To update relevant information regarding administrative procedures.
      • To send invitations to events scheduled by EVERTEC MX or its affiliates
      • To update data for security purposes and to comply with regulations to Counter Money Laundering, Financing of Terrorism and Financing of Proliferation of Weapons of Mass Destruction, corruption, and bribery.
      • To verify the suitability and competence of Supplier’s employees who will provide services to EVERTEC MX; once this requirement has been verified, EVERTEC MX will return such information to the Supplier, unless expressly authorized to retain it.
      • To respond to audits carried out by internal or external entities.
      • To report to the credit bureau and information operators, the compliance with my financial obligations.
      • To allow suitable work environments for the safe development of activities within the company.
      • Others specifically set out in the authorizations granted by the suppliers themselves.

    In any case, the information is not processed for a period longer than the duration of the Supplier’s relationship with EVERTEC MX, and the additional time required in accordance with the legal or contractual circumstances that make the handling of the information necessary.

    1. Prospective customers: Information received from potential clients of EVERTEC MX is used for the following purposes:
      • To exchange information daily, deliver business cards at meetings or events and communication channels: to manage the presentation of our services (directly or through our partners) to the person who has completed or delivered the data or to his delegate.
      • To update the general database where information can be shared for educational purposes on digital processes.
    1. Current customers: Information received by EVERTEC MX clients is considered confidential and is only disclosed with the express authorization of the OWNER or when requested by a competent authority. The purposes of this information are:
      • To perform management (directly or through our partners) for the pre-contractual, contractual, and post-contractual stages, which includes commercial monitoring and customer maintenance.
      • To update relevant information regarding the contracted service.
      • To notify in case of any interruption in services or products.
      • To request information on how to improve or develop services or products, and other effective ways to communicate.
      • To provide help desk and troubleshooting.
      • To communicate or send notifications relating specifically to the services or products we offer.
      • To collect information about customer satisfaction regarding the service provided.
      • To send invitations to events scheduled by EVERTEC MX.
      • To corroborate any requirements arising in the development of the contract concluded.
      • To comply with the object of the contract concluded, including shipping activities, fulfillment, and processing of guarantees, among others.
      • To verify cases of non-compliance of any party.
      • To undertake customer loyalty activities and marketing operations.
      • To onboard and update data for security purposes and to comply with regulations to Counter Money Laundering, Financing of Terrorism and Financing of Proliferation of Weapons of Mass Destruction, corruption and bribery.
      • To respond to audits carried out by internal or external entities.
      • To report to the credit bureau and information operators, the compliance with my financial obligations.

    In any case, the information is not processed for a period longer than the duration of the customer’s relationship with the company, and the additional time that is required according to the legal or contractual circumstances that make the handling of the information necessary.

    1. EVERTEC MX work applicants: Its information is considered confidential and is only disclosed by EVERTEC MX with the express authorization of the OWNER. This data has the following purposes:
    1. To participate in the selection process for which you registered.
    2. To contact you during the selection process.
    3. To store your data in our databases for a period of three (03) years to contact you regarding future job opportunities or vacancies.
    4. To manage and assess any type of risk associated with initiating or continuing a contractual relationship. It includes the prevention and detection of risks related to money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction, corruption, and bribery.
    5. To conduct background checks on the individuals listed in the onboarding form.
    6. To verify identity by any means. It includes the use of any legitimate external source, such as: third parties, public or private databases, public registries, financial, commercial, or other information providers.
    7. To conduct a psychological interview, security assessment, home visit, and use a polygraph. Telephone calls, emails, surveys, photographs, videos, audio recordings, photocopies, and other documents will be submitted upon request.
    8. To determine whether the candidate meets the previously established requirements, objectives, and specific conditions for the position for which they are applying.
    1. Collaborators, employees, officials: The information received is considered confidential and is only disclosed by EVERTEC MX with the express authorization of the OWNER or when requested by a competent authority. Data are for the following purposes:
      • To share corporate information relevant to the performance of functions.
      • To keep the internal public informed about processes, progress, performance, events, and internal information.
      • To ensure the relationship between employees and EVERTEC MX.
      • To comply with human resources processes established by EVERTEC MX, such as: (i) respond to any request from competent national or foreign judicial or administrative authority, (ii) carry out judicial or extrajudicial collection of any obligation in charge of the OWNER, (iii) comply with any request, complaint or demand, (iv) carry out social security affiliations, (v) carry out welfare activities, (vi) pay the payroll, (vii) record payroll discounts authorized by law or by the employee, (viii) include information according to the performance of the employee, (ix) report in a timely manner modifications that occur in development of the employment contract and (x) evaluate the quality of the services offered by the Employee OWNER of the information.
      • To comply with the obligations imposed by the Federal Labor Law on employers or orders issued by competent Colombian authorities.
      • To issue certifications regarding the relationship of the data OWNER with EVERTEC MX.
      • Managing the functions developed by employees.
      • To manage memos, wake-up calls, or disciplinary processes.
      • To contact family members in emergencies.
      • To update data for security purposes and to comply with regulations to Counter Money Laundering, Financing of Terrorism and Financing of Proliferation of Weapons of Mass Destruction, corruption, and bribery.
      • To carry out epidemiological surveillance activities under the occupational safety and health program.
      • For decision-making in labor matters regarding the execution and termination of the employment contract either by the legal area of the company or its external adviser.
      • To conduct psychological interviews, security studies, home visits, polygraph tests, phone calls, emails, surveys, photographs, videos, audios, photocopies and other documents delivered as requested.
      • For audits carried out by internal or external entities.

    Upon termination of the employment relationship, EVERTEC MX will store all personal data obtained from the selection process and documentation generated in development of the employment relationship, in a central archive with restricted access, always subjecting the information to appropriate security measures and levels, since the employment information may contain sensitive data.

    1. Partners and Shareholders, and members of the Board of Directors: Personal data of shareholders, their representatives and members of the Board of Directors are stored in a database considered confidential, and which is only disclosed by the company with the express authorization of the OWNER or when requested by a competent authority. The purposes for which the data is used are:
      • To allow the exercise of the duties and rights deriving from the status of Shareholder.
      • To send invitations to events scheduled by EVERTEC MX and to contact the Shareholder or Board member.
      • To issue certifications regarding the relationship of the OWNER with the Company.
      • To update data for security purposes and to comply with regulations to Counter Money Laundering, Financing of Terrorism and Financing of Proliferation of Weapons of Mass Destruction, corruption, and bribery.
      • To respond to audits carried out by internal or external entities.
      • For others specifically set forth in the authorizations granted by the Shareholders or members of the Board of Directors.

    In any case, the information is not processed for a period longer than the time the person is a Shareholder or member of the Board of Directors of EVERTEC MX, and the additional time that is required in accordance with the legal or contractual circumstances that make the handling of the information necessary.

    1. Accounting records, Personal data from accounting records and documents are collected and stored in a database which, although composed mostly of public data, is classified as confidential, and are only disclosed with the express authorization of the OWNER or when requested by a competent authority. The purposes for which the personal data is used are:
      • To manage accounting, tax and administrative issues.
      • To manage collections and payments.
      • To manage billing.
      • To manage economic and accounting issues.
    1. Legal proceedings, Personal data of supporting documents related to legal actions owned by the business are considered confidential and will only be disclosed with the express authorization of the OWNER or when requested by a competent authority. The purposes are:
      • For legal proceedings: labor, commercial.
    1. Processing sensitive data, To process these data for the purposes detailed below, EVERTEC MX undertakes to request the respective authorization from the OWNER, and to inform the OWNER of the optional nature of the requested authorization and to establish controls for the security of the information.
      • To safeguard the vital interest of the OWNER, if the latter is physically or legally incapacitated its legal representatives must grant their authorization.
      • To be processed by a foundation, NGO, association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, if they relate exclusively to its members or to people who maintain regular contacts for their purpose. In these events, the data cannot be provided to third parties without the authorization of the OWNER.
      • For historical, statistical, or scientific purposes. In this event the measures leading to the deletion of the identity of the OWNERS should be implemented.
      • To comply with obligations derived from a legal relationship between the OWNER and the RESPONSIBLE.
      • Address emergencies that could potentially harm an individual or their property.
      • Issue a resolution from the competent authority.
    1. Data of children and adolescents, EVERTEC MXcollects and processes personal data of minor children of its employees, with the only purpose:
      • To comply with the obligations imposed by the law on employers in relation to affiliation to the social security and parafiscal systems, and to enable children to enjoy their fundamental rights to health and recreation.

    In any case, EVERTEC MX collects, where appropriate, the respective authorization for its processing, always considering the best interests of the minor and respect for the fundamental rights of children to health, education and recreation of children and adolescents, as well as the security measures of this information.

    2.5. INFORMATION SECURITY

    1. Evertec MX processes that provide personal data must be sent only through the means and criteria established by Evertec, preferably encrypted and with a key to guarantee its security.
    2. The OWNER of the process that delivers data to another party must secure its chain of custody until the final delivery of the personal data to the OWNER of the receiving process
    3. EVERTEC MX implements the necessary technical and organizational measures to prevent the loss and alteration of information.
    4. Transfer of personal data to parties IN CHARGE (third parties outside the company) must comply with the security measures set forth in the Information Security Policy
    5. Information storage with third parties, processes may store personal data with third parties outside the Company, they will act as parties IN CHARGE of the information for storage. Parties IN CHARGE must meet the highest security standards and comply with the Security Policies defined by EVERTEC MX.
    6. Storage of information containing personal data is carried out considering the Information Security Policies to prevent falsification, loss, consultation, use or unauthorized or fraudulent access. Storage of personal data may take any of the following forms:
      • Electronic media.
      • Physical media such as folders containing information under lock and key or password, as defined in the Information Security Policy.
    7. Storage of information containing personal data in personal emails, USB drives, CD or any other means other than those set out in the Information Security Policies for storing information is prohibited

    2.6. EVERTEC MX’s OBLIGATIONS

    1. To register, if applicable, with competent authority, the personal database (either in physical medium or magnetic storage) in its possession as party RESPONSIBLE.
    2. To report, if applicable, with competent authority, known security incidents in the times defined by regulations.
    3. To report, if applicable, with competent authority, complaints received in the times defined by regulations
    4. To keep the personal data processed up to date; for this purpose, the Company establishes updating procedures which must be communicated to all processes of the Company. Any new developments identified regarding outdated data should be reported to the email address everteccompliance@evertecinc.com.
    5. As party RESPONSIBLE:
      • To guarantee the OWNER, always, full and effective exercise of the ARCO rights.
      • To request and retain a copy of the respective authorization granted by the OWNER.
      • To duly inform the OWNER about the purpose of the collection and the rights that assist him/her under the authorization granted.
      • To keep the information under the security conditions necessary to prevent its falsification, loss, consultation, use or unauthorized or fraudulent access.
      • To ensure that the information provided for the party IN CHARGE of the processing is true, complete, accurate, up-to-date, verifiable, and understandable.
      • To update the information when new developments have been reported with respect to the data previously provided by the OWNER, and to take the other necessary measures to keep the information provided to the OWNER updated.
      • To correct the information when it is incorrect.
      • To provide the party IN CHARGE only with data for which processing has been previously authorized.
      • To demand from the party IN CHARGE respect for the conditions of security and privacy of the information of the OWNER, always.
      • To process consultations and complaints made.
      • To inform on the use made of his/her data at the request of the OWNER
      • To inform cases of breach of security codes and risks in the administration of the OWNERS information to the data protection authority.
    6. As party IN CHARGE:
      • To update the information in accordance with commitments agreed with the party RESPONSIBLE.
      • To comply with the Company’s security policies and principles and with those that bind it to the party RESPONSIBLE, in compliance with the protection of personal data.
      • To correct the information when it is incorrect, and to communicate relevant matters to the party RESPONSIBLE for the processing.
      • To use the data for the purpose it was delivered by the party RESPONSIBLE of the processing.
      • To process consultations and complaints made that apply to it.
      • To inform the party RESPONSIBLE for data protection and/or the SECRETARÍA ANTICORRUPCIÓN Y BUEN GOBIERNO, or others applicable to our operation, cases of breach of security codes and risks in the administration of the information of the OWNERS.

    2.7. PERSONAL DATA TRANSFER

    EVERTEC MX shares and transfers the collected data to other participants in the payment network and to any other authority that, by legal provision or mandate, requires it to carry out the card payment processing services that EVERTEC MX provides to the Cardholder.

    In accordance with the provisions of the Law. Authorization or consent will not be required to transfer your data in the following cases when established by applicable laws, such as, for example:

    1. It is provided for in a Law or Treaty to which Mexico is a party.
    2. It is necessary to safeguard the health of the Cardholder, including, but not limited to, medical prevention or diagnosis, the provision of healthcare, medical treatment, or the management of medical services.
    3. The transfer is made to subsidiaries or affiliates under common control with any of EVERTEC MX, or to a parent company, or to any company within the same EVERTEC MX group that operates under the same internal processes and policies.
    4. It is necessary due to a contract entered into or to be entered into in the interest of the Data Subject.
    5. It is necessary or legally required to safeguard public interest, or for the prosecution or administration of justice.
    6. It is necessary for the recognition, exercise, or defense of a right in a judicial proceeding.
    7. It is necessary for the maintenance or fulfillment of a legal relationship between the Data Subject and EVERTEC MX.

    EVERTEC MX transfers Personal Data by virtue of its status as a subsidiary of Evertec Group, LLC. Likewise, it processes, transmits, and stores user data in Costa Rica.

    To conduct the international transfer of Personal Data, aside from clearly informing the jurisdiction where they will be treated, the purposes and having express and unequivocal authorization by the OWNER, EVERTEC MX makes sure that the action provides appropriate levels of data protection and meets the requirements set in applicable regulations and its regulatory decrees.

    Transferring personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it meets the standards on the matter set by the competent authority, the SECRETARÍA ANTICORRUPCIÓN Y BUEN GOBIERNO, or others applicable to our operation. This prohibition shall not apply where:

    1. Information for which the OWNER granted its express and unequivocal authorization for the transfer.
    2. Exchange of medical data, when required by the processing of the OWNER based on health or public hygiene reasons.
    3. Bank or stock transfers, in accordance with applicable legislation.
    4. Transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity.
    5. Transfers necessary for the execution of a contract between the OWNER and the party RESPONSIBLE, or for the execution of pre-contractual measures provided that the OWNER has given authorization.
    6. Transfers legally required for the protection of the public interest, or for the recognition, exercise or defense of a right in judicial proceedings.

    2.8. PERSONAL DATA TRANSMISSION

    EVERTEC MX transmits Personal Data to third parties as parties IN CHARGE to fulfill some of the purposes established in this policy and/or in the contracts signed with each counterparty.

    To conduct the transmission of Personal Data, aside from clearly informing the jurisdiction where they will be treated, the purposes and having express and unequivocal authorization by the OWNER, EVERTEC MX makes sure that the action provides the appropriate levels of data protection and meets the requirements set in the applicable regulations and its regulatory decrees.

    Transmission of personal data of any kind to countries that do not provide adequate levels of data protection is prohibited. It is understood that a country offers an adequate level of data protection when it meets the standards on the matter set by the competent authority, the SECRETARÍA ANTICORRUPCIÓN Y BUEN GOBIERNO, or others applicable to our operation.

    2.9. RECORD RETENTION      

    Data collected by EVERTEC MX will be stored only for as long as it is reasonable and necessary in accordance with the purposes that justified the processing, following the provisions applicable to regulations for the processing transactions and administrative, accounting, tax, and legal aspects.

    3. GUIDELINES FOR THE PARTIES IN CHARGE

    For EVERTEC MX, it is essential that parties IN CHARGE are aware of their obligations and rights, as well as the overall guidelines that should govern their actions as parties IN CHARGE.

    3.1. WHO IS IN CHARGE OF PERSONAL DATA

    The party IN CHARGE performs the processing of personal data on behalf of EVERTEC MX, in accordance with the guidelines related to the processing (use, collection, storage, circulation or deletion) of personal data specified by EVERTEC MX at the time of contracting.

    3.2. RESPONSIBILITY OF THE PARTY IN CHARGE

    1. The party IN CHARGE is jointly and severally liable with EVERTEC MX as the RESPONSIBLE to the personal data OWNER. This applies to the veracity, integrity, purpose, and incorporation of the personal data, as well as its processing (use, collection, storage, circulation, and deletion), with the understanding that any use must be made with OWNER’s authorization.
    2. The party IN CHARGE commits to EVERTEC MX verify the delivery status of personal data, as well as to offer the necessary security measures to guarantee the security of the data, as per its contractual agreements with EVERTEC MX.
    3. The party IN CHARGE of the processing must have all the necessary physical and technological measures in place to ensure the security of personal data. As well as give due diligence in the execution of its work regarding the protection and security of personal data, both in digital and physical databases.

    The party IN CHARGE is liable for any conduct contrary to the policies set forth herein, or its omission.

    3.3. AUTHORIZATION

    It is the duty of both EVERTEC MX and the party IN CHARGE to have the authorization required by law to process (use, collect, circulate, store, and delete) personal data

    3.4. IN CHARGE DUTIES

    1. To immediately inform about communications received regarding the personal data IN CHARGE to EVERTEC MX.
    2. To inform you about any complaint or consultation made by the OWNER of the personal data to EVERTEC MX.
    3. To implement an internal manual of policies and procedures, as well as appropriate controls to safeguard the security of personal data provided.
    4. To use the utmost diligence in the processing of personal data provided by EVERTEC MX
    5. To ensure that adequate security measures (whether physical or digital) for the processing of personal data are in place.
    6. To timely perform updates, rectification, or deletion of data, as instructed by EVERTEC MX.
    7. To update information reported by EVERTEC MX within 5 working days of its reception, whether updating data, revoking authorization, provisions regarding complaints or requests, etc.
    8. To ensure that the processing of personal data is in accordance with the purpose established by EVERTEC MX.
    9. To always comply with the instructions given by EVERTEC MX regarding the processing of personal data.
    10. To safeguard the privacy, good name, and other similar rights of the data OWNER always.
    11. To sign non-disclosure agreements with contractors or employees who, due to or in connection with their work with the party IN CHARGE, process personal data.
    12. To report immediately after detecting any incident or breach of the personal data provided by EVERTEC MX.
    13. Not delivering the personal data sent by EVERTEC MX to third parties, unless stipulated by EVERTEC MX.
    14. To destroy the information once the contract with EVERTEC MX comes to an end. Under no circumstances can the party IN CHARGE keep copies of personal data.
    15. To return information containing personal data as stipulated by EVERTEC MX.
    16. To comply with the provisions of this policy.

    4. MEXICAN GUIDELINES

    These guidelines and our privacy policy don’t apply to:

    1. Data related to entities.
    2. Data of individuals in their capacity as merchants and professionals.
    3. Data of individuals who provide services to a legal entity or individual with business activities and/or provision of services, consisting only of their first and last names, the functions or positions held, as well as some of the following employment data: physical address, email address, telephone number, and fax number; provided that this information is processed for purposes of representing the employer or contractor.

    EVERTEC MX will not be obligated to collect the personal data OWNER consent in the following cases:

    1. A legal provision.
    2. The data is contained in publicly accessible sources.
    3. The personal data is subject to a prior dissociation procedure.
    4. Personal data is required to exercise the right or fulfill obligations arising from a legal relationship between the OWNER and the RESPONSIBLE.
    5. There is an emergency that could potentially harm an individual or their property.
    6. The personal data is essential for medical treatment, prevention, diagnosis, the provision of healthcare, or the management of healthcare services, while the data OWNER is unable to give consent, under the terms established by the General Health Law and other applicable legal provisions, and such data processing is carried out by a person subject to professional secrecy or an equivalent obligation.
    7. There is a well-founded and reasoned court order, resolution, or mandate from a competent authority.

    Likewise, tacit or express consent will not be required for the processing of personal data when such data arises from a legal relationship between the data OWNER and the data RESPONSIBLE, this does not apply when the processing of personal data is for purposes other than those that are necessary and give rise to the legal relationship between the data RESPONSIBLE and the data OWNER.

    Likewise, at any time and free of charge, the OWNER, their successors in title, or their legal representatives may request EVERTEC MX to Access, Rectify, Erase, or Object to their personal data, after verifying the OWNER’s identity. For this purpose, EVERTEC MX may perform identity verification activities to protect the OWNER’s information, thus avoiding the risk of information leakage through social engineering or other methods of illegal information gathering.

    National or international data transfers may be carried out without the data OWNER’s consent when any of the following situations apply:

    1. When the transfer is provided for in a Law or Treaty to which Mexico is a party.
    2. When the transfer is necessary for medical prevention or diagnosis, the provision of healthcare, medical treatment, or the management of healthcare services.
    3. When the transfer is made to controlling companies, subsidiaries, or affiliates under the common control of the RESPONSIBLE, or to a parent company or any company in the same group as the RESPONSIBLE that operates under the same internal processes and policies.
    4. When the transfer is necessary by virtue of a contract entered into or to be entered into in the interest of the data OWNER by the RESPONSIBLE and a third party.
    5. When the transfer is necessary or legally required to safeguard public interest, or for the prosecution or administration of justice.
    6. When the transfer is necessary for the recognition, exercise, or defense of a right in a judicial proceeding.
    7. When the transfer is necessary for the maintenance or fulfillment of a legal relationship between the RESPONSIBLE and the data OWNER.

    4.1. DATA SUBJECT TO PROCESSING

    Personal Data may be collected by EVERTEC MX directly, by a third party, or through other sources permitted by law. It will be processed exclusively for the purpose of conducting and monitoring the contracting process between the OWNER and EVERTEC MX for any product and/or service. Personal Data is collected through any physical, electronic, or digital means, or through any other technology prior to Data Processing.

    The personal data we will process with our various counterparties (clients, suppliers, collaborators) are:

    1. Full names of natural persons or individuals: collaborators, suppliers-contractors, legal representatives, members of boards of directors or assemblies or Boards of Directors, partners, or shareholders.
    2. Identification type.
    3. Identification numbers.
    4. Address.
    5. Contact telephone numbers.
    6. Email addresses.
    7. Computer Data
    8. RFC
    9. CURP

    Likewise, for our collaborators, when applicable, we may additionally process the following data, some of which may be sensitive depending on the jurisdiction where we operate:

    1. Full names of children (including minors)
    2. Full names of first-degree relatives by blood, marriage, or civil status.
    3. Medical status or information about your health and pension system.

    In case the OWNER does not provide the aforementioned information, EVERTEC MX will no longer be able to provide its services to the OWNER. The OWNER represents that the Personal Data provided to EVERTEC MX is true and up-to-date and undertakes to notify EVERTEC MX of any changes to the Personal Data provided as soon as possible through the means established by EVERTEC MX.

    The Personal Data collected in the future will be subject to the same Processing referred to in this document. The OWNER may exercise their right to object at any time, as established in this policy.

    Likewise, EVERTEC MX may process sensitive personal data solely and exclusively in the following cases:

    Health data: Information regarding the current or future health status, medical history, and affiliation with health and social security systems of employees and their immediate family members.

    Biometric data: Physical or digital identifiers such as fingerprints, facial recognition, video recordings, audio recordings, and images, collected for identity verification and security measures.

    Family status data: Information on relatives, children, or dependents, such as full name, age, and relevant medical conditions, for compliance with employment and social security obligations.

    Criminal record data: Information obtained for hiring, permanence, or reputational risk assessment processes.

    4.2. WHO TO SUBMIT YOUR REQUESTS TO

    To limit the use, processing or disclosure of Personal Data, including to express your refusal to the processing of your personal data for those purposes that are not necessary or gave rise to the legal relationship with EVERTEC MX, the OWNER may send a letter by email in which he/she expresses his/her wish for EVERTEC MX to limit the use and disclosure of his/her Personal Data, for which we provide the following information:

    Corporate Name: EVERTEC MEXICO PROCESSING SERVICES S.A.

    Address: Building WRK, Insurgentes Sur 318, Roma Norte, Cuauhtemoc (06700), CDMX, Mexico, Piso 4, Oficina 2

    Email: everteccompliance@evertecinc.com

    4.3. ¿WHAT INFORMATION MUST HAVE YOUR REQUIRES ?

    1. OWNER Names and Surnames.
    2. EVERTEC MX’s relationship.
    3. Documents that prove the identity or, where applicable, the legal representation of the OWNER.
    4. Personal data clear and accurate description regarding those which need pursuing any of the rights.
    5. Any other document that allows you to find your personal data.
    6. If you need an amendment, you must indicate the changes needed and send us support documentation.

    4.4. REQUEST FOR ACCESS, RECTIFICATION, CANCELLATION AND OPPOSITION (ARCO RIGHTS)

    Personal data OWNERS have the right to access the personal data held by EVERTEC MX, rectify their personal data if it is inaccurate, incomplete, or outdated, delete their personal data if they consider it is not being processed in accordance with the principles and obligations established in applicable law, and object to the processing of their personal data for legitimate reasons. This is as follows:

    ACCESS: OWNERS have the right to access the Personal Data held by EVERTEC MX, as well as to be informed of the Notice.

    RECTIFICATION: OWNERS may request EVERTEC MX to rectify their Personal Data if it is outdated, inaccurate, or incomplete. To exercise this right, they must provide EVERTEC MX with documentation proving the rectification requested in accordance with the Personal Data.

    CANCELLATION: The Data Subject may request the blocking and deletion of Personal Data from EVERTEC MX’s databases and records when they consider that they are not being used appropriately or for the purposes that gave rise to the legal relationship. However, EVERTEC MX will not be obligated to cancel Personal Data when: a) It relates to the parties to a private, social, or administrative contract and is necessary for its development and fulfillment; b) It must be processed by legal provision; c) It hinders judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions; d) It is necessary to protect the legally protected interests of the Data Subject; e) It is necessary to carry out an action based on the public interest; f) It is necessary to comply with a legally acquired obligation of the Data Subject; and g) It is processed for prevention or medical diagnosis or the management of health services, provided that such processing is carried out by a healthcare professional subject to a duty of confidentiality. When Personal Data has been transmitted prior to the rectification or erasure date and continues to be Processed by third parties, EVERTEC MX will inform any third party of the rectification or erasure request so that they can also proceed with the rectification or erasure request.

    OPPOSITION: The Data Subject may object to the Processing of their Personal Data.

    EVERTEC MX will notify the Data Subject of the decision made within a maximum period of 20 business days from the date the request was received. If appropriate, the decision will be effective within 15 business days following the communication of the response.

    The response to the request will be provided through the same communication channel used by the Data Subject to submit the request, unless the Data Subject indicates otherwise.

    4.5. DELETION OR CANCELLATION

    The OWNER of personal data has the right, at any time, to request EVERTEC MX to delete or cancel (eliminate) their personal data when:

    1. They consider that their personal data is not being processed in accordance with the principles, duties, and obligations set forth in current regulations.
    2. They are no longer necessary or relevant for the purpose for which they were collected.
    3. The period necessary to fulfill the purposes for which they were collected has exceeded.

    This deletion entails the total or partial elimination of personal information, as requested by the OWNER, from records, files, databases, or processing operations. It is important to note that data may not be deleted when:

    1. The OWNER      has a legal or contractual obligation to remain in the database.
    2. The deletion of data hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
    3. The data may be necessary to protect the legally protected interests of the OWNER; to carry out an action based on the public interest, or to comply with a legal obligation of the OWNER.

    The deletion or cancellation will occur within a maximum of twenty (20) days, counted from the date on which the request was received, the determination made will be informed and if appropriate, it will be effective within fifteen (15) days following the date on which the response is communicated. These deadlines may be extended once for an equal period, justifying the situation. Please note that we may not always be able to respond favorably to your request to exercise your ARCO rights, as EVERTEC MX may be required to continue processing your personal data due to legal obligations.

    4.6. REFUSALS FOR ACCESS TO PERSONAL DATA, OR TO CARRY OUT RECTIFICATION OR CANCELLATION OR OPPOSITION

    The regulation allows for the following circumstances that allow for a negative response to the data OWNER:

    1. When the applicant is not the OWNER of the personal data, or the legal representative is not duly accredited to do so.
    2. When the applicant’s personal data is not found in the database.
    3. When the rights of a third party are violated.
    4. When there is a legal impediment, or a resolution from a competent authority, restricting access to personal data or preventing rectification, erasure, or objection.
    5. When the rectification, cancellation or opposition has been previously made.

    The denial may be partial when any of the requirements described in the request for the exercise of the ARCO rights of the OWNER or their representative are not met in any of the causes, in which case the CONTROLLER will carry out the required access, rectification, cancellation, or opposition. In all of the above cases, the OWNER must inform the OWNER of the reason for their decision and communicate it to the OWNER, or where applicable, to the legal representative, within the time limits established for such purpose, by the same means by which the request for the exercise of ARCO rights was made, accompanying, where applicable, the relevant evidence.

    Data cancellation may not occur when:

    1. It relates to the parties to a private, social, or administrative contract and is necessary for its development and fulfillment.
    2. It must be processed by legal provision.
    3. It hinders judicial or administrative proceedings related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.
    4. They are necessary to protect the legally protected interests of the data OWNER.
    5. They are necessary to carry out an action based on public interest.
    6. They are necessary to comply with a legally acquired obligation of the data OWNER.
    7. They are processed for prevention or medical diagnosis or the management of health services, provided that said processing is carried out by a healthcare professional subject to a duty of confidentiality

    4.7. INQUIRIES, ACCESS AND CLAIMS BEFORE THOSE IN CHARGE

    The IN CHARGE, who, by virtue of the execution of the contract, receives a “request for Access, Rectification, Cancellation and Opposition” from a personal data OWNER, must send it within two (2) days to the email address everteccompliance@evertecinc.com The request must contain all the data attached by the OWNER and the status of the personal data of the OWNER being consulted, as well as the mechanism for collecting that personal data, whether it was initially delivered by EVERTEC MX or collected by IN CHARGE.

    5. USE OF COOKIES, WEB BEACONS, AND SIMILAR TECHNOLOGIES

    EVERTEC MX informs the OWNER that it uses cookies, web beacons, and other similar technologies on its website and applications to collect personal data automatically and simultaneously, as the OWNER interacts with these technologies.

    These technologies allow the OWNER to remember his or her preferences, improve browsing experience, monitor browsing behavior, analyze trends and usage statistics, and perform security analyses.

    Using these technologies, EVERTEC MX may obtain the IP address, browser type and operating system, date and time of the visit, pages visited within the site, time spent on the site, and information about interactions with its websites.

    The information collected through cookies and similar technologies will be used to improve the services offered to users, provide personalized service, facilitate navigation, perform internal statistical analysis, and monitor and prevent fraud and unauthorized access.

    The OWNER can configure their browser to automatically accept or reject the use of cookies. They can also delete cookies stored on their device. However, disabling cookies may affect the website’s proper functioning and limit some features.

    By using EVERTEC MX’s websites or applications, it is understood that the OWNER accepts the use of cookies, unless they have disabled this function in their browser.

    Any changes to the use of tracking technologies will be notified through modifications to this Privacy Notice, available on the official EVERTEC MX website.

    6. CONTACT INFORMATION AND DATA PROTECTION AUTHORITY (INAI)

    For any questions, comments, or requests related to the processing of personal data, EVERTEC MX provides OWNERS with the following communication channel:

    Compliance and Personal Data Protection Area:

    Email: everteccompliance@evertecinc.com

    Address: Insurgentes Sur No. 318, Colonia Roma Norte, Cuauhtémoc City Hall, C.P. 06700, Mexico City.

    If the OWNERS believe      that their right to personal data protection has been violated, they may contact the National Institute for Transparency, Access to Information, and Personal Data Protection (INAI) to file a complaint or initiate a rights protection procedure.

    INAI Contact Information:

    ● Website: https://home.inai.org.mx/

    ● Telephone: 800 835 4324 / (55) 5004 2400

    ● Email: contacto@inai.org.mx

    ● Address: Insurgentes Sur No. 3211, Colonia Insurgentes Cuicuilco, Coyoacán Municipality, Zip Code 04530, Mexico City.

    7. PERIOD OF VALIDITY OF THE POLICY AND GUIDELINES DATA PERSONAL PROTECTION

    It is effective from the date of its publication and supersedes any other provisions that conflict with it.

    Any substantial changes to this document will be notified through the website and subsequently, by any other means, deemed appropriate.

    EVERTEC MX may modify the terms and conditions of this Privacy Notice at any time, due to legislative or regulatory changes, internal policies, new requirements for the provision or offering of our services or products, or privacy practices.

    Any changes made to the Privacy Notice will be notified to the personal data owners by publishing a new version on the website (https://www.evertecinc.com/politica-de-privacidad/ – select country México).

    If the modifications imply substantial changes in the purposes of the processing, categories of sensitive personal data processed, transfers that require consent, or changes in the identity of the controller, EVERTEC MX will again request the authorization of the OWNER, in cases where this is required by applicable regulations.

    Natural people subject to our policy and guidelines should ensure that they review the website (https://www.evertecinc.com/politica-de-privacidad/ – select country México) periodically to verify any such changes.

    Tabla de contenidos

    Your
    all-in-one     fintech partner in Latam
    Controle de idioma

    2025 © Reservados todos los derechos
    X-twitter Instagram Youtube Linkedin-in Facebook-f
    This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.