Data Protection Policy

General Provisions

As part of CIFI’s operations, CIFI needs to obtain and process information. This information includes any offline or online data that makes a natural person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data, among others (the “Personal Data”). This policy applies to all Personal Data processed by CIFI and all CIFI personnel shall be subject to its provisions.

CIFI’s Chief Operating Officer (the “Responsible Person”) shall take responsibility for CIFI’s ongoing compliance with this policy.

The Responsible Person shall take responsibility for this policy to be reviewed [at least] annually.

Objectives and Scope

CIFI reaffirms its commitment to transparency in all aspects of its operations as a means of aligning itself with international best practice, especially among the countries of Latin America and the Caribbean, and as a matter of enhancing its accountability and development effectiveness. Through implementation of this policy CIFI seeks to boost its commitment to processing Personal Data in accordance with its responsibilities under the applicable regulation, included but not limited to Law 81 dated March 26, 2019 which regulates Data Protection in the Republic of Panama.

The policy will apply to information produced by CIFI and to specific information that is in the possession of CIFI in relation to Personal Data (individuals related to clients such as shareholders, management members, sponsors, among others). The policy will cover information on financing activities carried out by CIFI in connection with its regular business operation.

CIFI employees and CIFI’s subsidiaries must adhere to this policy. Generally, this policy refers to anyone CIFI collaborates with and may need occasional access to data and applies to all personal data kept by CIFI in its database at the moment of the approval of this policy by CIFI’s Board of Directors and thereafter.

Principles

CIFI seeks to administer and protect information in its possession and is committed to maintaining a strict process to ensure that all information that has been disclosed to CIFI regarding Personal Data, is appropriately stored, processed and protected, making sure that its disclosure is within the allowed scope and in accordance with the applicable regulation.

CIFI will disclose information related to Personal Data in accordance with applicable regulation and will not disclose information related to Personal Data that CIFI is legally obligated to non-disclosure, or when the information has been received with the understanding that it will not be disclosed.

CIFI may, in exceptional circumstances, decide not to disclose information that would be normally accessible if it determines that the harm that might occur by doing so will outweigh the benefits of access. CIFI may also, in exceptional circumstances, make available to the public information ordinarily excluded from disclosure when it determines that the benefit would outweigh the potential harm, provided that said information is not subject to non-disclosure obligations.

Standard of Process

All Personal Data processed by CIFI must be done on one of the following bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.

Where consent is relied upon as a lawful basis for processing Personal Data, evidence of such consent shall be kept with the Personal Data.

Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in CIFI’s systems.

All Personal Data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Exceptions

The following categories of information/documents will not be accessible or disclosed unless necessary due to regulation or request by a regulator or government authority, or with consent from the disclosing party:

Personal information. CIFI will maintain appropriate safeguards to respect the personal privacy of staff members and clients and protect the confidentiality of personal information related to them. However, this shall not limit the provision of information concerning specific staff members which may be released at the request of the staff member, or in accordance with regulation or policies such as those intended to assure that staff members will meet their personal legal and financial obligations.

Legal, disciplinary, or investigative matters. Legal advice, information subject to attorney-client privilege, matters in legal dispute or under negotiation, and legal or financial documentation pertaining to CIFI. CIFI will not disclose documents, reports or communications in circumstances where disclosure would be harmful to CIFI, CIFI personnel, CIFI’s clients or stakeholders, without prior authorization, unless required by law or regulation.

Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data by CIFI personnel, CIFI shall promptly assess the risk to people’s rights and freedoms and proceed in accordance with internal policies and procedures regarding ethical behavior as well as applicable labor law, and civil and contractual law pertaining contractors, consultants and advisors.

Last updated: March 4, 2021