Harris Gomez Group Privacy Policy

WEBSITE AND RELATED SERVICES

1. INTRODUCTION AND SCOPE:

This Privacy Policy (“Policy”) refers to how HARRIS GÓMEZ GROUP PTY LTD, HARRIS GÓMEZ GROUP LIMITADA, and HARRIS GÓMEZ GROUP S.A.C. (all together hereinafter as ‘HGG’ or the ‘Controller’) collects, handles, uses, stores, discloses, transfers, and otherwise processes personal data through its website: [WEBSITE] (‘Domain’) and related services (‘Services’).

This Policy aims to comply with international regulation regarding cybersecurity and data protection, especially the following:

a. Law N°21.719, that Regulates Protection and Processing of Personal Data and Creates the Personal Data Protection Agency of the Republic of Chile.
b. Privacy Act 1998 (Cth) of Australia and the Australian Privacy Principles (APP).
c. Law N°29.733, Personal Data Protection Law, of Peru.

This Privacy Policy establishes HGG’s internal data protection standards in accordance with the regulations and principles previously identified herein. Such standards apply to all personal data processing activities carried out by HGG, irrespective of the location of the Data Subject.

The mere access to the Domain or contact with HGG does not, by itself, determine the application of any foreign data protection regime other than those expressly identified in this Policy. Where HGG enters into a contractual relationship with a Data Subject, the processing of personal data carried out in connection with that relationship shall be subject to the data protection obligations arising from the jurisdiction governing the relevant contract, together with any data protection obligations expressly assumed by HGG under such agreement.

2. DEFINITIONS:

For the purposes of this Policy, the following definitions are to be considered:

a. Personal Data: Any information linked or referring to an identified or identifiable natural person. Any person whose identity can be determined, directly or indirectly, in particular by means of one or more identifiers such as name, identity card number, analysis of elements specific to the physical, physiological, genetic, mental, economic, cultural, or social identity.

b. Sensible Personal Data: Personal data referring to the physical or moral characteristics of individuals or to facts or circumstances of their private and intimate life, revealing their ethnic or racial origin, political, trade union or professional affiliation, socio-economic situation, ideological or philosophical convictions, religious beliefs, data relating to health, human biological profile, biometric data, and information relating to a person’s sexual orientation or gender identity.

c. Data Protection Authority: This means the government agency or institution, depending on the applicable jurisdiction, that regulates, controls and/or takes decisions over the recollection, handling, using, transferring, or disposal of Personal Data in an applicable jurisdiction.

d. Controller: The person or company that recollects, handles, uses, transfers, communicates and/or disposes of personal data. In this particular case being HGG in all data activities registered and considered within their internal Data Processing Report.

e. Data Processing Report (or R.A.T.): Means the internal record and assessment document maintained by HGG, that identifies, describes, and documents its personal data processing activities.

f. Data Protection Officer (DPO): Person designated by the Controller to design and implement this Policy, handle conflicts with Users and communicate when appropriate with the Data Protection Authority.

g. Users or Data Subjects: The identifiable person owner of the Personal Data.

h. Third Parties or Recipients: Any third party involved directly or indirectly in the Data Processing cycle.

i. Data Processing: Any operation or set of operations or technical procedures, whether automated or not, that in any way allows Personal Data or sets of Personal Data to be collected, processed, handled, stored, communicated, transferred, transmitted, used, or disposed of.

j. Automated Data Processing: Means any form of Processing of Personal Data carried out by automated means, without meaningful human involvement, related to the collection, analysis, evaluation, or use of Personal Data by information systems, algorithms, or software applications.

k. Legitimate Interest: Means the lawful, and present interest pursued by the Controller or a Third Party, for which the Processing of Personal Data is necessary, provided that such interest does not override the fundamental rights and freedoms of the Data Subject.

l. Services: Means the professional, advisory, legal, and related services provided or offered by HGG through the Domain or any other communication and engagement channels operated by HGG, including, without limitation, the provision of legal advice, client onboarding and engagement processes, compliance and risk-management activities, communications, and any ancillary or support activities reasonable connected thereto.

m. Processor/s: Any natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of HGG, under its documented instructions, including where such processing is subject to mandatory or regulatory requirements applicable to the Processor.

3. COLLECTION AND PROCESSING:

3.1. Types of Personal Data collected by the Controller: Through its Data Processing activities carried out via its Domain or Services, the Controller may collect and process the following categories of Personal Data:

a. Identification data: Name, surname, date of birth, nationality, government (where legally permitted).

b. Contact data: Email address, telephone number, postal address, home address.

c. Business information: Business identification data and in general all information required for contractual purposes.

d. Technical and usage data: IP address, browser type, operating system (OS), device identifiers, access logs.

e. Communications: Correspondence sent to the Controller via email, contact forms or other channels. Or,

f. Compliance and legal data: Records required to comply with local legal and/or regulatory obligations.

3.2. Sources and methods: The following methods are employed for the direct or indirect recollection of Personal Data through the Controller’s Domain or Services:

a. Directly from the Data Subjects (e.g., forms, registrations, communication, etc).

b.Automatically through technical means (e.g., cookies, logs, analytical tools).

c.From Third Parties were permitted by law (e.g., service providers, public sources, etc). Or,

d.Public information and open sources.

3.3. Lawful bases for Data Processing: Data Processing is carried out on one or more of the following legal bases.

a.Data Subject’s consent, when required.

b.Performance of a contract or pre-contractual measures.

c.Compliance with legal obligations.

d.Legitimate interest of the Controller, provided it does not override the rights and freedoms of the Data Subject. Or,

e.Protection of Legitimate Interest of the Controller or a Third Party, as long as it does not affect the rights of the Data Subject.

For Australian Data Subjects, Personal Data is collected and used in accordance with the Australian Privacy Principles, particularly APP 3 (Collection), APP 5 (Notification) and APP 6 (Use and disclosure).

By rule of thumb, all Personal Data Processing incurred by the Controller will be done on consensual bases. Notwithstanding the aforementioned, in the following cases —and in compliance with the applicable Law according to the jurisdiction— the Controller may process the Personal Data of a Data Subject without needing its written consent:

a. When the Data Processing is necessary for the execution of legal obligations or compliance with the law,

b. When the Data Processing is necessary for the execution of a contractual obligation between the Controller and the Data Subject, or for the implementation of pre-contractual measures adopted at the request of the Data Subject,

c. When the Data Processing is necessary for the fulfilment of legitimate interests of the Controller or a Third Party, provided that it does not affect the rights and freedoms of the Data Subject. Notwithstanding, the Data Subject has the right to demand to be informed about the Data Processing that affects them and the legitimate interest on the basis of which such Data Processing is being carried out. Or,

d. When the Data Processing is necessary for the establishment, exercise, or defence of legal claims before courts of law or public institutions.

3.4. Purpose of Data Processing: The Controller processes Personal Data for the following purposes.

a. To provide, operate, and maintain the Domain and Services.

b. To enter into, perform and administer contracts.

c. To respond to inquiries and communicate with Users.

d. To improve functionality, security, and performance of the Domain and Services.

e. To comply with legal, regulatory, and contractual obligations. And,

f. To protect the Controller’s rights, property, and legitimate interests.

4. DISCLOSURE AND INTERNATIONAL TRANSFER OF PERSONAL DATA:

4.1. Disclosure: The Controller may disclose Personal Data to:

a.Employees and authorised personnel on a need-to-know basis.

b.Processors and service providers acting under written agreements.

c.Professional advisers (legal, accounting, compliance, etc). Or,

d.Public authorities or courts of law when legally required.

HGG does not sell Personal Data nor directly profit from its processing.

4.2. International transfer: HGG is an international law firm with presence in Australia and Latin America. Therefore, Personal Data may be transferred and processed outside the country of collection, including to jurisdictions that may not offer an equivalent level of protection. For such cases:

a. In Australia: HGG takes reasonable steps to ensure compliance with APP 8.

b. In Chile: HGG ensures appropriate safeguards, contractual clauses, or legally recognised transfer mechanisms, in accordance with Law N°21.719 Section V.

c. In Perú: HGG ensures reasonable steps to ensure compliance with Law N°29.733 article 15 and its secondary regulations.

5. DATA RETENTION:

Personal Data is retained only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, and reporting requirements. Retention periods are determined based on:

a. Statutory obligations.

b. Contractual obligations.

c. The nature and sensitivity of the data. Or,

d. Risk and compliance considerations.

6. DATA SECURITY:

HGG implements appropriate technical and organisational measures to protect Personal Data against unauthorised access, loss, alteration, or unwanted disclosure, including:

a. Access controls and authentication.

b. Encryption where appropriate.

c. Audit logs and monitoring. And,

d. Staff confidentiality duties.

7. RIGHTS OF DATA SUBJECTS:

7.1. Rights: In compliance with the law, HGG ensures, when applicable, the Data Subjects the following rights:

a. Access to Personal Data: Means the right of the Data Subject to obtain, when possible, from the Controller confirmation of the Personal Data being processed and their origin, purpose of the processing, categories or classes of Recipients to whom the Personal Data has been disclosed or transferred, the period of time during which the Data will be Processed, the Legitimate Interest of the Controller, and overall all meaningful information about the logic involved where the Controller carries out Personal Data Processing.

b. To rectify inaccurate or incomplete Personal Data: Means the right to request and obtain from the Controller the rectification of Personal Data concerning the Subject, that is being processed by the Controller, where such Data is inaccurate, outdated, or incomplete.

c. To delete Persona Data where legally applicable: Means the right of the Subject to request and obtain from the Controller the deletion of its Personal Data.

d. To object to Data Processing: Means the right of the Subject to object or oppose to the Processing of specific or certain Personal Data of its concern, in the circumstances provided by the Law.

e. To restrict of Processing: Means the right of the Subject to request and obtain from the Controller the limitation of the Processing of the Subject’s Personal Data in the circumstances provided by the Law.

f. To not be subject of automated decision-making regarding their Personal Data: Means the right of the Subject to request not being subject to a decision based solely on Automated Processing, to include profiling.

g. To lodge complaints with the respective authority: Means the right of the Subject to submit complaint/s to the competent Data Protection Authority, in accordance with the applicable law and procedure.

h. Data portability: Means the right of the Subject to transfer their Personal Data Processed by HGG to a different Controller, And

i. To withdraw consent, at any time, over the Processing of Personal Data: Means the right of the Subject to remove, at any time, its consent from the Processing of Personal Data, without retroactive effect.

7.2. Exercise of rights: All Data Subjects may exercise their Data Protection rights, regarding the processing of Personal Data by HGG, with their local authorities or directly through the Controller’s Data Protection Officer.

For Australia:
a. Name: Luke Thomas Musto
b. Email: ltm@hgomezgroup.com

For Chile:
a. Name: Camila Godoy Ezquerra
b. Email: cge@hgomezgroup.com

For Peru:
a. Name: Carla López Valenzuela
b. Email: clv@hgomezgroup.com

8. UPDATES TO THIS POLICY:

This Policy was last updated in January 2026. This Policy is revised and updated -when required, yearly or by legal mandate.