Privacy and Personal Data Protection Policy

INTRODUCTION
Bolsas y Mercados Argentinos S.A. (BYMA) is the Argentine Stock Exchange that leverages markets and technology to transform investment into economic growth and development. It also acts as a Clearing House.
BYMA and its affiliated companies provide market participants with services for listing, trading, registration, settlement, central securities depository, payment of claims, access to holdings, and other pre- and post-trading services.
Within this framework, BYMA implements actions to ensure ongoing compliance with the current legal and regulatory framework, consisting mainly of Law No. 26,831 on Capital Markets, Regulatory Decree No. 471/18, and the regulations issued by the National Securities Commission.
BYMA works to strengthen its internal corporate governance in line with international recommendations. In accordance with Corporate Criminal Liability Law No. 27,401, it has implemented an Integrity Program, which includes a Code of Conduct and Ethics that must be read, understood, and complied with by members of the Management and Supervisory Body, BYMA employees, vendors, and other controlled subsidiaries.
Since its creation, BYMA has maintained a commitment to IT security, which is continuously updated to meet the highest standards. In line with this commitment, we are publishing this Privacy and Personal Data Protection Policy (hereinafter, "the Policy"), which establishes the technical and organizational measures we have implemented to protect the personal data that BYMA collects, processes, and stores.
We believe that training all BYMA employees and creating a lasting ethical culture that permeates all levels are essential. Therefore, the Policy goes beyond the practical aspects of prevention and control; for BYMA, it is a core corporate objective that adds value and reliability across the entire organization.
1. PURPOSE
The purpose of this Policy is to ensure the protection of personal data throughout its entire lifecycle, from collection and processing to storage and destruction.
The protection of personal data stored in our files, records, and databases is carried out in compliance with the regulations issued by the National Securities Commission and Law 25,326 on "Personal Data Protection" (LPDP), as well as other applicable international provisions.
2. SCOPE
This Policy applies throughout BYMA and its affiliates (hereinafter, "BYMA") with regard to the protection of the personal data of its employees and its entire ecosystem, including clients, vendors, placement agents, individuals, companies, and members, as well as any individual who is interested in contracting with BYMA and provides their personal data (hereinafter, "Data Subject").
3. GENERAL INFORMATION AND DEFINITIONS
- File, record, database, or data bank: refers to any organized collection of personal data that is processed, whether electronic or not, and regardless of how it is created, stored, or accessed.
- Public Information Access Agency: a public oversight body that operates in accordance with applicable regulations.
- Clients: investors; vendors; participants; central securities depositories; members; issuers; registrars; public bodies; other markets; bank and investor accounts; shareholders and investors.
- Personal data: information of any kind relating to identified or identifiable natural persons or legal entities.
- Sensitive data: personal data revealing racial and ethnic origin, political opinions, religious, philosophical, or moral beliefs, trade union membership, and information concerning health or sex life.
- Ecosystem: a set of entities that make up the Capital Market Infrastructure (markets, service providers, and any other associated organization).
- Data controller: a public or private natural person or legal entity that holds a file, record, database, or data bank.
- SIEM: a security solution that helps organizations recognize and address potential security threats and vulnerabilities before they have a chance to disrupt business operations.
- Data processing: systematic operations and procedures, whether electronic or not, that enable the collection, storage, organization, modification, linking, evaluation, blocking, destruction, and in general the processing of personal data, as well as its transfer to third parties through communications, consultations, interconnections, or transfers.
- Data subject (hereinafter, "Data Subject"): any natural or legal person with legal domicile or offices or branches in the country, whose data is subject to the processing referred to in the Policy.
- Pentest: a penetration test is a cybersecurity technique that organizations use to identify, test, and highlight vulnerabilities in their security posture.
4. GENERAL CONSIDERATIONS
BYMA implements all necessary measures to maintain the security of the information it collects, including the internal technical and organizational measures necessary to ensure the security and confidentiality of the data, as set forth in the "Resilience and Cybersecurity Framework," the "IT Security Policy," the "Code of Conduct and Ethics," and the "Code of Responsible Use of Assets."
The personal data that BYMA receives from its clients, employees, and vendors will be duly safeguarded, and therefore may not be communicated, modified, or disclosed publicly, except under the conditions and in the cases established or authorized by current legislation.
BYMA undertakes to use all necessary technical means and legal safeguards to ensure the protection of personal data and privacy under the principles of trust and transparency, subject to current legislation.
4.1. PERSONAL DATA COLLECTION AND PROCESSING
BYMA collects personal data in cases where the Data Subject gives their consent, except for data obtained from sources with unrestricted public access or derived from a contractual relationship with the Data Subject, and which is necessary for its development or fulfillment.
BYMA collects only the information necessary for the performance of its activities, and will not request information that is incompatible with those activities or that directly or indirectly reveals sensitive data, except in cases where it is strictly necessary for the preparation of the corresponding files and when the consent of the respective Data Subjects has been obtained.
All information and Personal Data entered by the Data Subject is considered a sworn statement. BYMA is not responsible for the accuracy of the personal data provided by the Data Subjects. However, it will guarantee the accuracy of the data collected. The data will be kept for as long as necessary to fulfill the purposes for which it was collected, unless the law requires it to be kept for a longer period.
In circumstances that require it, and when signing contracts with third parties, BYMA establishes clauses that expressly authorize it to process the personal data it collects from IT services, complying at all times with the applicable laws on the matter, adopting the appropriate security measures, and limiting the use of such data to the purpose for which it was disclosed. In this regard, it is hereby stated that responsibility for the completeness, accuracy, and quality of Personal Data lies with the party that originates it, which must guarantee at all times the right of the owner of the personal data to access, modify, rectify, and delete said data.
4.1.1. PROCESSING PERSONAL DATA ON BEHALF OF THIRD PARTIES
Occasionally, BYMA companies may provide certain Personal Data to each other when necessary to fulfill the purposes set forth above. Likewise, in certain cases, BYMA may communicate Personal Data to strategic partners who provide products or services, as well as to third parties who process data on behalf of BYMA. Some of these services may be for the following purposes:
- Processing client orders, improving client data, and providing client service.
- Protection against bots and spam on our website and certain business applications.
- Data storage.
When processing or storing personal data on behalf of third parties, BYMA will sign a contract with them stating that said third party may not apply or use the data for any purpose other than that specified in the service contract, nor transfer it to a third party.
In the event that the transfer or use of this data is for a different purpose, BYMA will request the free, express, and informed consent of the Data Subject in advance.
The Data Subject understands and accepts that both BYMA and external service providers that process Personal Data on behalf of BYMA may store and process the information received on servers located outside the Argentine Republic only in destinations that guarantee an adequate level of protection in accordance with applicable regulations. In the event of a data transfer to a country without an adequate level of data protection, the security, contractual, and technical measures provided for by current regulations will be adopted to ensure the protection of personal data.
BYMA also informs users that it uses reCAPTCHA services provided by third parties in certain business applications in order to improve security, user experience, and protection against fraudulent and malicious activities. This service may collect personal data such as IP address, user behavior on the site, and other technical data. That said, the use of reCAPTCHA is subject to the Vendor's Privacy Policy and Terms of Service.
4.2. PROCESSING PURPOSE
BYMA will never use Personal Data for purposes other than those mentioned in the Policy. Depending on the services contracted or the use that the Data Subject makes of the institutional pages or business applications, the Personal Data collected will be used by BYMA for one or more of the following purposes:
- To comply with agreed contractual or professional obligations;
- To comply with applicable legal and tax obligations, such as the prevention of corruption, money laundering, and terrorist financing, or for other relevant reasons of public interest;
- To manage contact requests (commercial, journalistic, among others), inquiries, and complaints made by Data Subjects;
- To enable other activities and/or interactions available on the Website;
- To protect the website from spam and malicious activity, identify and block bots, and improve the user experience;
- To facilitate data processing by third parties, as set out in section "5.1.1 Processing Personal Data on Behalf of Third Parties."
4.3. STORAGE AND DESTRUCTION OF INFORMATION
BYMA stores personal data until the legal limitation period for subsequent legal or contractual liabilities that may arise has expired.
A process for the destruction of information, titled "Destruction of documents and information storage media," has been established. This process includes a detailed plan that involves identifying information that has reached the end of its useful life, the selection of appropriate methods of destruction according to the type of media (physical or digital), verification of destruction, and the generation of a record of all destruction activities carried out.
4.4. REGISTRATION OF DATABASES
In compliance with the provisions of the LPDP and its regulatory standards, BYMA is duly registered as a database controller with the Agency for Access to Public Information. This registration includes the databases managed by BYMA that contain personal information under its control.
4.5. ACCESS CONTROL
The Identity Management area is responsible for restricting unauthorized access to BYMA's information systems, databases, and information services by implementing security measures that ensure proper user authentication and authorization.
The main objective of this area is to supervise, manage, and protect information assets. It establishes guidelines to ensure that only authorized users have access to information and to continuously maintain the principle of least privilege.
Security controls are also established to record and review critical events and activities performed by users, in order to ensure compliance with security policies. This is done through continuous monitoring of the main technologies used in information processing, in accordance with the provisions of the "Monitoring and Control of Security Events" Instruction, which allows for constant supervision of activities in BYMA's critical systems.
4.6. VULNERABILITY MANAGEMENT
BYMA's IT Security Management has implemented a process for identifying, documenting, tracking, and remediating vulnerabilities found in both new and existing systems and applications. This process includes vulnerability scans and periodic penetration testing to detect potential weaknesses that could be exploited by malicious actors.
The vulnerability management process is not limited to identifying vulnerabilities, but also details the corrective actions necessary to mitigate or eliminate the associated risks. In addition, a comprehensive record is kept of all vulnerabilities detected, which are prioritized according to their criticality and potential impact on BYMA's technological infrastructure. This record, together with continuous monitoring, ensures that each vulnerability is addressed in a timely and appropriate manner.
The specific procedure, detailed in the document "Vulnerability Management and Monitoring (Pentest)," establishes the roles and responsibilities of the teams involved, the documentation of the technical vulnerability report, along with its monitoring, remediation, and verification of the solution. The process also fosters a culture of continuous improvement, where the results obtained from pentests are used to strengthen existing security policies, ensuring greater resilience against future threats.
4.7. SECURITY INCIDENTS
BYMA's IT Security Management is responsible for establishing guidelines for responding to and managing information security incidents, implementing clear procedures that include proactive mechanisms to detect and react quickly to various attack vectors. This allows not only for a rapid response to incidents, but also for the development of recovery plans that contribute to improving organizational resilience. Incidents are duly documented and safeguarded, both to comply with legal requirements and for future investigations, and are used as input for the continuous improvement of security systems.
The Information Technology and Security Committee is responsible for implementing the necessary channels and means for the IT Security Management to receive and manage reports of incidents and anomalies. This Committee also supervises the investigation and monitoring of security-related incidents.
The IT Security Management is responsible for analyzing and documenting reported incidents, as well as communicating them to the owners of the information and the Information Technology and Security Committee.
The specific procedure, detailed in the document "Operating Procedure for Response and Recovery from Cyber Incidents (Respuesta y Recuperación ante Ciberincidentes, RRCI)," establishes the roles and responsibilities of the teams involved, the actions taken before, during, and after the cyber incident, as well as the necessary communication mechanisms between the different areas of the organization.
Likewise, the "Playbook - Response to External Incidents" establishes the process by which the CIRT-TRIAGE, Security Engineering, Identity Management, and Communications teams must take specific, rapid, and detailed action in the event of a cyberattack on the BYMA ecosystem.
4.8. DEVELOPMENT ENVIRONMENTS
BYMA's IT Security Management defines security guidelines and controls that must be applied during the acquisition or development of software, in order to mitigate both internal and external risks related to unauthorized access and possible data loss. These measures are designed to ensure that all applications developed or acquired comply with the highest security standards, reducing the risks associated with software vulnerabilities.
Throughout the Application Development Life Cycle, the general guidelines established in the document "Security Guidelines for Applications" are followed. This framework guides both development teams and security managers in the implementation of specific controls that ensure the protection of information from the early stages of development to the implementation and maintenance of applications.
It also establishes the controls and guidelines that must be implemented during the software development life cycle to ensure application security. Among its main provisions are the auditing and logging of security events, the secure management of configurations and user sessions, the encryption of passwords and sensitive data, and the adoption of the principle of least privilege.
It also provides for the integration of critical BYMA applications with security information and event management (SIEM) systems, secure design against vulnerabilities such as denial-of-service attacks and business logic errors, and the implementation of security measures for the storage and transfer of sensitive information, ensuring a defense-in-depth approach at every stage of development.
4.9. EXERCISING THE RIGHT OF ACCESS, RECTIFICATION, OR DELETION
Data subjects have the right to access their data free of charge, duly proving their identity for this purpose, at intervals of no less than six months, unless a legitimate interest is proven for this purpose in accordance with the provisions of Article 14, paragraph 3 of Law No. 25,326. Likewise, where applicable, Data Subjects have the right to exercise their rights to rectify and delete data.
To exercise these rights, the Data Subject must submit a request, either in person or remotely, by any of the following means: e-mail, certified letter, and/or written submission with a signature certified by a bank or notary public, and/or by post or telegraph.
The request must include:
a) first and last name;
b) original or certified copy of ID card or legally equivalent document proving identity;
c) address;
d) zip code;
e) telephone number;
f) e-mail address;
g) specification of the type of right being exercised: right of access, deletion, rectification, or updating. A brief explanation of the reason for the request must be provided;
h) means by which the information is to be obtained, which may be provided in writing, by electronic means, by telephone, by image, or by any other means suitable for this purpose, in accordance with Article 15.3 of Law 25,326;
i) handwritten signature at the end of the request. If the request is made via e-mail, a digital signature may be used, if available.
Depending on the means chosen, the request must be made to:
25 de Mayo 362 - Buenos Aires City
Zip Code: C1002ABG
Telephone: (+54-11) 4316-6000
Email: habeas_data@byma.com.ar
The email addresses listed above will only respond to requests related to exercising the rights regulated by Law 25,326 on Personal Data Protection. The Agency for Access to Public Information, in its capacity as the supervisory body for Law No. 25,326, has the power to respond to complaints and claims filed by those whose rights have been affected by non-compliance with current regulations on personal data protection.
4.10. CONSENT FOR THE USE OF THE IMAGE, VOICE, AND NAME OF EMPLOYEES
During the course of the employment relationship, and for the purpose of promoting institutional initiatives, products, services, and corporate values, BYMA may capture, use, and disseminate the image, voice, and/or name of its employees through various media, such as institutional videos, photographs, interviews, internal or external publications on corporate social networks, websites, newsletters, institutional presentations, among others.
The use of these elements will be exclusively for institutional, communication, or promotional purposes related to BYMA's image, and will not have direct commercial purposes; that is, the material will not be sold or transferred to third parties for profit. This authorization will be:
- voluntary and free of charge, without generating financial compensation;
- unlimited in time, remaining valid even after the end of the employment relationship, unless expressly revoked by the data subject in accordance with current regulations;
- broad in terms of media and formats, authorizing the reproduction, adaptation, public communication, storage, and distribution of the material in any medium (digital, audiovisual, graphic, etc.).
This personal information will be processed in compliance with Law No. 25,326 on Protection of Personal Data, its complementary regulations, and Article 53 of the Civil and Commercial Code of the Nation. BYMA will guarantee, in all cases, respect for the dignity, privacy, and integrity of the collaborator whose image, voice, or name is used.
5. ANNEXES
None.
6. RELATED DOCUMENTATION
- N-81000 - Resilience and Cybersecurity Framework – BYMA
- LCC-81000 - Code of Conduct and Ethics - BYMA
- P-81006 - Policy on the Use of Privileged Information
- P-81000 - Information Security Policy – BYMA
- N-59001 - Security Guidelines for Applications
- PG-50007 - Cyber Incident Response and Recovery Operating Procedure
- PG-59012 - Vulnerability Management and Monitoring – Pentest
- PG-36000 - Management of Requests for Information on Personal Data
- IT-62001 - Destruction of Documents and Information Storage Media
- IT-62003 - Sending Documentation to the Archive
- IT-59008 - Monitoring and Control of Security Events
- PE-59017 - Playbook - Response to External Incidents
CHANGE CONTROL
July 2025 Initial version. Approved on 07/04/2025 by Board Minutes No. 25 of the Technology Committee.