I. IDENTITY AND ADDRESS OF THE DATA CONTROLLER
GM Arbitration, S.C. (the “Data Controller”), in compliance with the provisions of the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), its Regulations, and the Privacy Notice Guidelines (collectively, the “Law”), and in observance of the principles of lawfulness, quality, consent, information, purpose, loyalty, proportionality, and accountability, hereby makes this Privacy Notice (the “Privacy Notice”) available to you in order to inform you of the terms and conditions applicable to the processing of personal data that the Data Controller may collect, use, store, transmit, and/or transfer from time to time.
For purposes of this Privacy Notice, the Data Controller’s address is located at Montecito No. 38, 30th Floor, Office 8, Colonia Nápoles, ZIP Code 03810, Mexico City, Mexico.
II. PERSONAL DATA
For the purposes set forth in this Privacy Notice, the Data Controller may request the following personal information: full name; address; date and place of birth; nationality; citizenship; information regarding your legal representatives or attorneys-in-fact; place of residence; email address; telephone and mobile number; general contact and identification information; the institution or company to which you belong; Unique Population Registry Code (CURP); Federal Taxpayer Registry (RFC); foreign tax identification number or other tax information (such as a tax status certificate); and banking information provided by you (in the latter case, subject to your prior express consent) (collectively, the “Personal Data”).
Sensitive Personal Data: Image (for example, when you provide an official identification document) and biometric data in the event you are video recorded or photographed during meetings or conferences.
Through your relationship with the Data Controller, some of this data is collected directly from you, or indirectly, for example, through video recordings at events, meetings or conferences (whether virtual or in person), and through closed-circuit video surveillance systems at the Data Controller’s premises.
Third-Party Data: If you provide us with information regarding a third party, you must (i) inform such third party of this Privacy Notice so that they are aware of the scope and characteristics of the processing of their data for the purposes described herein; and (ii) when legally required under the Law, provide the Data Controller with a copy of the document evidencing the consent granted by such third party.
III. PURPOSES OF PROCESSING
A. Purposes that do not require your consent
Personal Data will be used to: (i) contact you; (ii) provide the legal services requested and/or retained; (iii) carry out collections, invoicing, administrative purposes, and other activities inherent to the relationship established with the Data Controller; create databases to improve client service; generate statistics and reports; and perform other activities necessary for the Data Controller’s internal operations as a service provider; (iv) fulfill the purpose of the relationship giving rise to the processing of Personal Data; (v) comply with obligations under applicable laws, regulations, decrees, administrative provisions, orders, circulars, and other legal requirements binding upon the Data Controller; (vi) provide information requested by competent authorities; and (vii) verify your identity and conduct background checks, including screening against national and international sanctions lists, as part of compliance and due diligence procedures.
These purposes are necessary to comply with our legal and contractual obligations and therefore do not require your consent.
B. Secondary purposes requiring your consent:
The Data Controller may use your Personal Data for purposes other than those giving rise to the legal relationship with you. Such purposes include offering the services provided by the Data Controller; sending newsletters, legislative updates, or information about events, news, or current topics; advertising communications; conducting surveys to assess satisfaction and/or service quality; measuring your interests and behavior through browsing activity on our website and social media; promoting our brand and services; commercial prospecting; and academic or legal knowledge dissemination purposes.
If you do not wish your Personal Data to be used for any of these secondary purposes, please inform us of your refusal by emailing info@gmarbitration.com.
Once your Personal Data is no longer necessary to fulfill the purposes described above or those required by applicable law, such data will be deleted (following a prior blocking period, where applicable) in accordance with this Privacy Notice and the Law.
IV. SECURITY MEASURES
The Data Controller has adopted the data protection security measures required by the Law. The security measures implemented are equivalent to those used by the Data Controller to safeguard its own information. Due to the nature of the services provided, all information containing Personal Data is treated as confidential.
V. MEANS TO EXERCISE RIGHTS OF ACCESS, RECTIFICATION, CANCELLATION, AND OPPOSITION (“ARCO RIGHTS”)
If you have any questions or concerns regarding how the Data Controller processes Personal Data, or if you wish to exercise your rights of access, rectification (correction of inaccurate, incomplete, or outdated data), cancellation, or opposition (collectively, “ARCO Rights”), please contact us by sending an email to info@gmarbitration.com, including sufficient information and documentation to verify your identity as the data subject. Your request must contain at least the following:
(1) Your full name, address, and email address (or other means to receive notifications). If incomplete, the request will be deemed not received;
(2) A document evidencing your identity or, where applicable, the identity and legal authority of your representative (e.g., a copy of a valid official ID). The representative must provide proof of the data subject’s identity, the representative’s identity, and authority granted through a public instrument, power of attorney signed before two witnesses, or written statement made in the data subject’s personal appearance;
(3) A clear and precise description of the ARCO right you wish to exercise, and the Personal Data concerned (unless exercising the right of access);
(4) Any other information facilitating the location of your Personal Data.
Documents must be scanned and attached to the email for verification purposes.
We will acknowledge receipt of your request. It will be analyzed in accordance with the Law, and a response will be provided within twenty (20) business days following receipt. If appropriate, the requested action will be implemented within fifteen (15) business days after the response is communicated.
If you disagree with the response provided, you will have twenty (20) business days to contact us and express your concerns. The Data Controller may extend the foregoing deadlines once for an equal period, and you will be notified accordingly.
Certain Personal Data may be exempt from access, rectification, cancellation, or opposition pursuant to the Law. The Data Controller may deny ARCO requests were permitted by Law, and the grounds for such decision will be communicated. Any denial may be partial, in which case the Data Controller will comply with the applicable portion of the request.
You have the right, at any time and for legitimate cause, to object to the processing of your Personal Data for specific purposes or to request cessation of processing where legitimate grounds exist that may cause you harm, or where your Personal Data is subject to automated processing producing unwanted legal effects without human intervention. However, this right will not apply where processing is necessary to comply with a legal obligation of the Data Controller.
VI. HOW CAN YOU REVOKE YOUR CONSENT?
To revoke your consent for the processing of your Personal Data, please send an email to info@gmarbitration.com. However, in certain cases we may not be able to immediately cease processing due to legal obligations requiring continued processing. Revocation of consent may result in our inability to continue providing our services.
VII. HOW CAN YOU LIMIT THE USE OR DISCLOSURE OF YOUR PERSONAL DATA?
You may limit the use or disclosure of your Personal Data to prevent its use for purposes other than those giving rise to or necessary for your legal relationship with the Data Controller. To do so, please send an email to info@gmarbitration.com so that you may be included in the Data Controller’s exclusion list.
VIII. CHANGES TO THE PRIVACY NOTICE
This Privacy Notice may be modified to implement improvements, additional security measures, legal requirements, updates to the purposes of processing, and/or matters inherent to the Data Controller’s operations as a service provider. Any modifications will be published at www.gmarbitration.com. The amended Privacy Notice will become effective seven (7) business days after publication.
IX. CONSENT
If you do not agree with this Privacy Notice, you must refrain from providing your personal information, using or requesting the Data Controller’s services, or accessing, browsing, and/or using the website’s functions and services.
Your consent to the processing of your Personal Data under the terms set forth herein shall be deemed tacitly granted if, after this Privacy Notice has been made available to you, you do not express opposition. Any provision of information, access to, or use of our platforms and/or services, or participation in our forums and events shall be deemed a manifestation of your consent and acceptance of this Privacy Notice.
Exceptionally, and when required by Law for certain types of Personal Data, the Data Controller will take affirmative steps to obtain your consent. In such cases, your consent will be deemed expressly granted when: (i) you sign a copy of this Privacy Notice; (ii) you sign any agreement, services proposal, or engagement letter referring to it; (iii) you expressly indicate your consent by checking a designated acceptance box on our websites or platforms (in a clear and unequivocal manner); or (iv) through any other mechanism permitted by Law.
By granting your consent (whether tacit or express, as applicable), you also consent to any transfer of Personal Data carried out by the Data Controller in accordance with this Privacy Notice.
Last updated: January 23, 2026.